VPN Issue on interface subnet change


L3 Networker

Hi All,


Help here will be appreciated.

I am migrating a pair of PA-5220s to Active-Passive, as they are currently Active-Active. The first job in the task is to change the interfaces from /30 to /29 subnets. This is to ensure that both firewalls sit within the same subnet rather than in isolated /30s. The migration is needed because the VPNs only reside on the Active-Primary and not the Active-Secondary, so there is no VPN resilience. A floating IP can't be used, as it doesn't work without the interfaces being in the same subnet (tried and tested).


The issue I have is that when I change the interfaces to the /29 subnet (it is only the subnet mask changing, not the IP), I see the VPNs time out and fail. BGP to the local routers stays established, and traffic flow through the firewall is good and unimpacted, bar a ping or two dropped during the interface change.


I have reselected the local peer IP in the IKE-GW settings and manually pushed a test vpn command to re-establish the VPN. Even after 20 minutes of trying, the VPNs stay down.


When I revert to the /30 interfaces, a test vpn command brings the VPN up immediately.


Any ideas? System logs don't show errors; I could see the IKE request okay.


Regards,


Adrian

1 Reply

L4 Transporter

Hi @a.jones ,


It is difficult to troubleshoot your issue without more details. With that said, have you considered leaving the /30? Since you are moving to active/passive, you do not need separate IP addresses for the passive firewall. The same IP addresses are configured on both. The IP addresses on the passive firewall do not respond to traffic until it becomes active.


Thanks,


Tom
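As an added illustration (not part of the thread and not Palo Alto code), a small Python check of the addressing plan both posts discuss: whether two firewall interface addresses land in one subnet after a mask change, whether an active/passive pair is sharing one address as Tom describes, and whether a candidate floating IP would fit in that subnet. All addresses are constructed from the 203.0.113.0/24 documentation range, not the poster's real ones.

```python
import ipaddress
from typing import Optional


def check_ha_addressing(fw_a: str, fw_b: str, floating: Optional[str] = None) -> dict:
    """Validate the addressing plan for an HA pair's data interface.

    fw_a, fw_b: interface addresses in CIDR form (e.g. '203.0.113.1/30').
    floating:   optional HA floating IP that must live in the same subnet.
    """
    a = ipaddress.ip_interface(fw_a)
    b = ipaddress.ip_interface(fw_b)
    same_subnet = a.network == b.network
    report = {
        "same_subnet": same_subnet,
        "network": str(a.network) if same_subnet else None,
        # Active/passive pairs may carry one shared address on both units,
        # in which case no second host address (or floating IP) is needed.
        "shared_address": a.ip == b.ip,
        "floating_ok": None,
    }
    if floating is not None:
        f = ipaddress.ip_address(floating)
        # Floating IP must be a usable host in the shared subnet and must not
        # collide with either firewall's own interface address.
        usable = (
            f in a.network
            and f != a.network.network_address
            and f != a.network.broadcast_address
        )
        report["floating_ok"] = same_subnet and usable and f not in (a.ip, b.ip)
    return report


if __name__ == "__main__":
    # Constructed sample values: the original isolated /30s, then the /29 plan.
    print(check_ha_addressing("203.0.113.1/30", "203.0.113.5/30", "203.0.113.3"))
    print(check_ha_addressing("203.0.113.1/29", "203.0.113.5/29", "203.0.113.3"))
```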
