session disconnect during A-P failover


Hi,


Can anyone suggest: if we fail over from the Active to the Passive unit on a PA firewall, will this maintain the established sessions by default?


Or do we have to additionally enable some other setting to make this work (i.e. maintain sessions during a cluster failover)?


Additionally, one more observation from a recent failover. We have 09 IPSec tunnels created on the PA (phase-1 and phase-2 both active).

- We did a failover from active to passive (and the passive unit became the new active).

- We observed that approx. 5-6 IPSec tunnels (phase-1 and phase-2 both) were active on the new active unit.

- However, the remaining 3-4 IPSec tunnels show phase-2 down (but phase-1 active) on the new active unit, while showing active (both phase-1 and phase-2) on the new passive unit.


Rgds 

Cyber Elite

Hello,

Check out these resources on HA.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClIbCAK

However, the sessions should go over to the new Active unit. I have seen in the past where the VPN tunnels didn't like the failover; these were mostly to products other than PAN. However, PAN to PAN, they seem to be OK. See if passing traffic over the tunnels helps them establish, say a continuous ping.


But check the logs to see why the tunnels are not coming up from the far side, i.e. the firewall receiving the tunnel connection.


Regards,

@Jimmy20,


In my experience @OtakarKlier is absolutely correct. I would normally expect a PAN to PAN tunnel to stay online during a failover, but once you start crossing vendors things can be a bit hit or miss. A lot of this has to do with DPD and other similar settings not playing correctly if they are set up on one side or another.

I'll still occasionally have issues with PAN to PAN tunnels, but DPD and tunnel monitoring will easily correct any issues that would be caused by this and bring the tunnels back online.


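The asymmetry the original poster describes (phase-1 up but phase-2 down on the new active, while the new passive still shows both phases up) is easy to spot by eye on nine tunnels and tedious on ninety. The following is an added example, not code from this thread or from Palo Alto Networks: it parses a constructed, simplified tunnel-state table for each HA peer (the format is an assumption for this example, not real PAN-OS CLI output) and classifies every tunnel after a failover, so the ones worth checking in the IKE logs on the far side stand out.

```python
"""Post-failover IKE/IPSec tunnel state comparison between two HA peers.

Added example for this thread; the table format below is constructed and
simplified (one tunnel per line: name, peer address, phase-1 state, phase-2
state). It is NOT the output of any PAN-OS command.
"""
from collections import Counter
from dataclasses import dataclass

# Constructed sample: state as seen on the NEW ACTIVE unit after failover.
SAMPLE_NEW_ACTIVE = """
# name       peer           phase1  phase2
tun-hq       203.0.113.10   up      up
tun-br1      203.0.113.20   up      up
tun-br2      198.51.100.5   up      down
tun-br3      198.51.100.6   up      down
tun-vendor   192.0.2.9      down    down
"""

# Constructed sample: state as seen on the NEW PASSIVE unit (the old active).
SAMPLE_NEW_PASSIVE = """
# name       peer           phase1  phase2
tun-hq       203.0.113.10   up      up
tun-br1      203.0.113.20   up      up
tun-br2      198.51.100.5   up      up
tun-br3      198.51.100.6   up      up
tun-vendor   192.0.2.9      down    down
"""


@dataclass(frozen=True)
class TunnelState:
    name: str
    peer: str
    phase1_up: bool
    phase2_up: bool


def parse_state_table(text):
    """Parse the constructed table into {tunnel name: TunnelState}."""
    states = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, peer, p1, p2 = line.split()
        states[name] = TunnelState(name, peer, p1 == "up", p2 == "up")
    return states


def classify_after_failover(active, passive):
    """Label every tunnel by what the new active and new passive report.

    'phase2-stale-on-passive' is the symptom from the thread: the new active
    has an IKE SA but no IPSec SA, while the new passive still holds a
    synchronised IPSec SA from before the failover. That tunnel is the one
    to investigate on the far-side peer's logs.
    """
    result = {}
    for name in sorted(set(active) | set(passive)):
        a = active.get(name)
        p = passive.get(name)
        if a is None:
            result[name] = "missing-on-active"
        elif a.phase1_up and a.phase2_up:
            result[name] = "ok"
        elif a.phase1_up and p is not None and p.phase2_up:
            result[name] = "phase2-stale-on-passive"
        elif a.phase1_up:
            result[name] = "phase2-down"
        else:
            result[name] = "phase1-down"
    return result


def summarize(categories):
    """Count tunnels per category, e.g. {'ok': 5, 'phase2-down': 3}."""
    return dict(Counter(categories.values()))


def check_sample():
    """Run the comparison on the constructed sample tables."""
    active = parse_state_table(SAMPLE_NEW_ACTIVE)
    passive = parse_state_table(SAMPLE_NEW_PASSIVE)
    return classify_after_failover(active, passive)


if __name__ == "__main__":
    cats = check_sample()
    for name, cat in cats.items():
        print(f"{name:12s} {cat}")
    print(summarize(cats))
```

Tunnels labelled `phase2-stale-on-passive` are the ones where, as both replies suggest, pushing traffic (a continuous ping) or a DPD / tunnel-monitor probe should force a fresh phase-2 negotiation; if they stay down, the far-side peer's IKE logs are the next place to look.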