05-05-2019 08:06 AM
Yesterday, during a PAN-OS upgrade, when the passive PA became active I saw that our IPSec connections stopped working.
The CLI shows the status as inactive.
I ran the clear vpn command.
Tested phase 1 and phase 2; still the same thing.
The only way to make this work was to restart the remote device.
I need to know what config we can apply to the current IPSec connection so the VPN works seamlessly when an HA failover happens.
05-06-2019 02:42 PM
Do you have 'replay protection' enabled on the IPSec tunnel in question?
The reason it didn't come back up when you cleared it was because the remote device still believed the tunnel was active and the keys were valid. It would more than likely have come back naturally when it encountered a re-key event. If you could have accessed the remote device, clearing both the ike-sa and ipsec-sa on either peer and letting it rebuild would likely have worked.
05-06-2019 02:47 PM
Yes, we have that enabled.
But we have the same thing enabled on the tunnel to Azure and it had no issues during failover.
Only 4 pings were lost.
The only way the tunnel came back was to reboot the remote device.
Clearing and testing IKE and IPSec on the PA were of no help.
Does this mean that every time I do this I need to restart the remote device?
Is there any other config I can use to avoid this?
05-06-2019 03:31 PM
> But we have the same thing enabled on the tunnel to Azure and it had no issues during failover.
> Only 4 pings were lost.

Just because it is working on Azure doesn't mean it will work properly on this tunnel. Azure has a very odd default configuration if you've followed the listed PAN guide when setting up the tunnel.

> The only way the tunnel came back was to reboot the remote device.

So to verify: you logged into the remote device and also cleared the ike-sa and ipsec-sa from the CLI prior to restarting the device? I would guess the answer here is no, and the restart would have cleared that information and allowed the ends to negotiate the connection again.

> Clearing and testing IKE and IPSec on the PA were of no help.

Clearing on one peer would do nothing to tell the peer device it needs to re-negotiate the tunnel.

> Is there any other config I can use to avoid this?

Configuring tunnel monitoring would have identified the issue and cleared both ends, allowing them to re-negotiate.
05-06-2019 03:33 PM
So if I configure Tunnel Monitor on the PA only, will it identify if the tunnel is down?
I don't know whether the other device supports tunnel monitor or not.
05-06-2019 03:50 PM
Correct. The firewall would then know that the tunnel isn't responding properly and will attempt to re-key the tunnel ahead of schedule.
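What the tunnel-monitor setup recommended above looks like on the PAN-OS CLI, as an added example that is not part of this thread or of any Palo Alto Networks documentation. The tunnel name site-b-vpn, the IKE gateway name site-b-gw, the profile name tm-3x5 and the probe target 10.20.0.1 are placeholders; substitute your own.

```text
# Added example, not from the thread. Placeholder names: site-b-vpn (IPSec tunnel),
# site-b-gw (IKE gateway), tm-3x5 (monitor profile), 10.20.0.1 (an address on the
# far side that is reached only through the tunnel and answers ICMP).

configure

# Monitor profile: probe every 3 s, declare the tunnel down after 5 missed replies.
# wait-recover keeps the route on the tunnel and lets the firewall renegotiate it;
# fail-over would instead move traffic to a backup path if one exists.
set network profiles monitor-profile tm-3x5 interval 3
set network profiles monitor-profile tm-3x5 threshold 5
set network profiles monitor-profile tm-3x5 action wait-recover

# Attach the profile to the IPSec tunnel.
set network tunnel ipsec site-b-vpn tunnel-monitor enable yes
set network tunnel ipsec site-b-vpn tunnel-monitor destination-ip 10.20.0.1
set network tunnel ipsec site-b-vpn tunnel-monitor tunnel-monitor-profile tm-3x5

commit
exit

# After the next HA failover, check from the now-active member:
show high-availability state
show vpn flow name site-b-vpn
show vpn ike-sa gateway site-b-gw
show vpn ipsec-sa tunnel site-b-vpn

# Manual recovery of the local side, if it is still stuck:
clear vpn ike-sa gateway site-b-gw
clear vpn ipsec-sa tunnel site-b-vpn
test vpn ike-sa gateway site-b-gw
test vpn ipsec-sa tunnel site-b-vpn
```

Two things to check before relying on this: the tunnel interface the IPSec tunnel is bound to needs an IP address, because the monitor probes are sourced from it, and the destination-ip must actually reply to ICMP through the tunnel (a firewall rule or host setting on the far side that drops the probes makes the tunnel look permanently down). In an active/passive pair the configuration is synced to the passive member, so whichever member is active after a failover keeps probing and will tear down and renegotiate the SAs on its own when the probes stop being answered. If the remote device turns out to support its own tunnel monitoring or dead peer detection, enabling it there as well lets that side notice stale SAs too instead of waiting for a scheduled re-key.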
05-06-2019 03:52 PM - edited 05-06-2019 03:52 PM
Thanks for helping me out.
Much appreciated!!!