- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
Enhanced Security Measures in Place: To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.
02-06-2020 11:04 PM - edited 02-06-2020 11:59 PM
Hello Friends,
We have Palo Alto firewalls (various models like 3050, 5220 and 3220) which are in HA (active-passive mode). IPSEC tunnels are working fine when traffic is on active gateway. The issue is, when we failover traffic on passive gateway, internet works fine but my tunnel resources becomes unreachable. When i checked tunnel status on gateway, it shows Phase-2 is up but Phase-1 is down.
Then we had to manually initiate traffic from gateway by test vpn commands and after 2-3 mins, tunnel resources becomes reachable. my HA1 and HA2 links are up. Also i see IPSEC SAs getting copied from active to passive. But facing this issues when failover happens. All gateways are running on 9.0.3-h3 but we had this issue on 8.1.x also. Also this issue is not gateway specific, we are facing it on all HA clusters.
Is any one faced such issues ??
02-07-2020 02:00 AM
Hi @${userLoginName} ,
Did you confgure Tunnel Monitor ?
I'm guessing the tunnel should come back up after the re-key interval but with tunnel monitor it will be faster.
Hope this helps,
-Kiwi.
02-07-2020 02:18 AM
@kiwi I dont think tunnel monitor will help here. I do not want to failover IPSEC traffic from tunnel one to other. I have only one IPSEC tunnel and traffic should get failover to other firewall when i do firewall HA failover.
- Mayur
02-07-2020 03:12 AM
Hi @${userLoginName} ,
It seemed to have helped here:
Cheers,
-Kiwi.
02-12-2020 08:12 PM
Thanks for your response.
I'll try it out and let you know.
Mayur
06-21-2021 03:28 PM
Hi,
@${userLoginName}
Did configuring Tunnel monitor fix the issue? Or did you solve it in some other way?
06-28-2021 07:50 PM
Hi @triceh ,
Somehow issue got disappeared post moving fw to 9.1.x. I didn't made any changes.
02-03-2022 05:42 PM
We are facing similar issue with a HA pair. Can you share which PANOS version in 9.1.x resolved the issue ?? our firewalls are on 9.1.12-h3.
Any help would be highly appreciated.
02-22-2022 08:40 AM - edited 02-22-2022 08:42 AM
The same issue on 10.1.3
test vpn ike-sa
test vpn ipsec-sa
helps to make tunnels functional. but after the next HA failover the issue return
06-30-2022 02:40 PM
Did you every determine a fix beyond issuing the test vpn commands? I have one tunnel that requires this anytime we fail from active to passive.
09-23-2022 05:55 AM
9.1.14 h4-- just upgraded HA pair. When failed over to secondary fw the phase 2 indicators (10 tunnels) typically are red. We run the cli test vpn ipsec-sa tunnel commands to trigger them to go green which most do within a couple of seconds. However some tunnels will not go green unless we disable the tunnel on the primary fw. ? We usually wait several minutes before we do the disable thing.. When all are indicators (phase 2) go green we failback to primary fw and again have to now disable the tunnels on the secondary before the primary indicators go green. Comments welcome. thnks in advance
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!