PA HA failover and IPSEC connection shows inactive

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

PA HA failover and IPSEC connection shows inactive

Cyber Elite
Cyber Elite

 

Yesterday during PAN OS upgrade when Passive PA became active I saw that our IPSEC connections stopped working.

 

CLI shows status as inactive

I did clear vpn command

test phase 1 and phase 2 still samething.

 

Only way to make this work was via restarting the remote device.

 

Need to know what config we can do on the current ipsec connection so VPN works seamlessly when ha failover happens?

MP

Help the community: Like helpful comments and mark solutions.
2 accepted solutions

Accepted Solutions

But same thing we also have enabled on Tunnel to Azure and it had no issues during failover.

Only 4 ping were lost.

Just because it is working on Azure doesn't mean it will work properly on this tunnel. Azure has a very odd default configuration if you've followed the listed PAN guide when setting up the tunnel. 

 

Only way Tunnel came back was to reboot the remote device.

So to verify; you logged into the remote device and also cleared the ike-sa and ipsec-sa from the CLI prior to restarting the device? I would guess the answer here is no and the restart would have cleared that information and allowed the ends to negotiate the connection again. 

 

Clearing test ike and ipsec on PA were of no help.
Clearing on one peer would do nothing to tell the peer device it needs to re-negotiate the tunnel. 

 

Any other config i can use to avoid this?

Configuring tunnel monitoring would have identified the issue and cleared both ends allowing them to re-negotiate.

View solution in original post

@MP18,

Correct. The firewall would then know that the tunnel isn't responding properly and will attempt to re-key the tunnel ahead of schedule. 

View solution in original post

6 REPLIES 6

Cyber Elite
Cyber Elite

@MP18,

Do you have 'replace protection' enabled on the IPSec Tunnel in question?

The reason it didn't come back up when you cleared it was because the remote device still believed the tunnel was active and the keys were valid. It would have come back naturally if it encountered a re-key event more than likely. If you could have access the remote device, clearing both ike-sa and ipsec-sa on either peer and letting it rebuild would have likely worked. 

Yes we have that enabled.

But same thing we also have enabled on Tunnel to Azure and it had no issues during failover.

Only 4 ping were lost.

 

Only way Tunnel came back was to reboot the remote device.

 

Clearing test ike and ipsec on PA were of no help.

Does this mean that everytime i do this i need to restart the remote device?

 

Any other config i can use to avoid this?

 

 

MP

Help the community: Like helpful comments and mark solutions.

But same thing we also have enabled on Tunnel to Azure and it had no issues during failover.

Only 4 ping were lost.

Just because it is working on Azure doesn't mean it will work properly on this tunnel. Azure has a very odd default configuration if you've followed the listed PAN guide when setting up the tunnel. 

 

Only way Tunnel came back was to reboot the remote device.

So to verify; you logged into the remote device and also cleared the ike-sa and ipsec-sa from the CLI prior to restarting the device? I would guess the answer here is no and the restart would have cleared that information and allowed the ends to negotiate the connection again. 

 

Clearing test ike and ipsec on PA were of no help.
Clearing on one peer would do nothing to tell the peer device it needs to re-negotiate the tunnel. 

 

Any other config i can use to avoid this?

Configuring tunnel monitoring would have identified the issue and cleared both ends allowing them to re-negotiate.

So If i  confiure Tunnel Monitor on PA only and will it identify if tunnel is down?

 

Do not know if other device supports tunnel monitor or not.

MP

Help the community: Like helpful comments and mark solutions.

@MP18,

Correct. The firewall would then know that the tunnel isn't responding properly and will attempt to re-key the tunnel ahead of schedule. 

Thanks for helping me out

Much appreicated!!!

MP

Help the community: Like helpful comments and mark solutions.
  • 2 accepted solutions
  • 9831 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!