IPSEC tunnel not working post HA failover

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

IPSEC tunnel not working post HA failover

L6 Presenter

Hello Friends,

 

We have Palo Alto firewalls (various models like 3050, 5220 and 3220) which are in HA (active-passive mode).  IPSEC tunnels are working fine when traffic is on active gateway. The issue is, when we failover traffic on passive gateway, internet works fine but my tunnel resources becomes unreachable. When i checked tunnel status on gateway, it shows Phase-2 is up but Phase-1 is down.

 

Then we had to manually initiate traffic from gateway by test vpn commands and after 2-3 mins, tunnel resources becomes reachable. my HA1 and HA2 links are up. Also i see IPSEC SAs getting copied from active to passive. But facing this issues when failover happens. All gateways are running on 9.0.3-h3 but we had this issue on 8.1.x also. Also this issue is not gateway specific, we are facing it on all HA clusters.

 

Is any one faced such issues ??

M

Check out my YouTube channel - https://www.youtube.com/@NetworkTalks
11 REPLIES 11

Community Team Member

Hi @SutareMayur ,

 

Did you confgure Tunnel Monitor ?

I'm guessing the tunnel should come back up after the re-key interval but with tunnel monitor it will be faster.

 

Hope this helps,

-Kiwi.

 
LIVEcommunity team member, CISSP
Cheers,
Kiwi
Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.

@kiwi I dont think tunnel monitor will help here. I do not want to failover IPSEC traffic from tunnel one to other. I have only one IPSEC tunnel and traffic should get failover to other firewall when i do firewall HA failover.

 

- Mayur

M

Check out my YouTube channel - https://www.youtube.com/@NetworkTalks

Community Team Member

Hi @SutareMayur ,

 

It seemed to have helped here:

https://live.paloaltonetworks.com/t5/General-Topics/PA-HA-failover-and-IPSEC-connection-shows-inacti...

 

Cheers,

-Kiwi.

 
LIVEcommunity team member, CISSP
Cheers,
Kiwi
Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.

@kiwi,

 

Thanks for your response.

I'll try it out and let you know.

 

Mayur

M

Check out my YouTube channel - https://www.youtube.com/@NetworkTalks

L0 Member

Hi,

@SutareMayur 

Did configuring Tunnel monitor fix the issue? Or did you solve it in some other way?

L6 Presenter

Hi @triceh ,

Somehow issue got disappeared post moving fw to 9.1.x. I didn't made any changes.

M

Check out my YouTube channel - https://www.youtube.com/@NetworkTalks

L0 Member

Hi,

Alright, i appreciate the response.
Thanks for sharing.


Brgds,

L0 Member

We are facing similar issue with a HA pair. Can you share  which PANOS version in 9.1.x resolved the issue ?? our firewalls are on 9.1.12-h3. 

Any help would be highly appreciated. 

L1 Bithead

The same issue on 10.1.3

 

test vpn ike-sa

test vpn ipsec-sa 

helps to make tunnels functional. but after the next HA failover the issue return

Did you every determine a fix beyond issuing the test vpn commands? I have one tunnel that requires this anytime we fail from active to passive. 

9.1.14 h4-- just upgraded HA pair.  When failed over to secondary fw the phase 2 indicators (10 tunnels) typically are red.  We run the cli test vpn ipsec-sa tunnel commands to trigger them to go green which most do within a couple of seconds. However some tunnels will not go green unless we disable the tunnel on the primary fw. ?     We usually wait several minutes before we do the disable thing..  When all are indicators (phase 2) go green we failback to primary fw and again have to now disable the tunnels on the secondary before the primary indicators go green.  Comments welcome.  thnks in advance

  • 14151 Views
  • 11 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!