11-17-2021 03:51 PM
Hi All,
Help here will be appreciated.
I am migrating a pair of PA-5220s to Active-Passive as they are currently Active-Active. The first job in the task is to change the interfaces from /30 to /29 subnets. This is to ensure that both firewalls sit within the same subnet rather than be in isolated /30s. The migration is needed as the VPNs only reside on the Active-Primary and not the Active-Secondary, so there is no VPN resilience. Floating IP can't be used as it doesn't work without the interfaces being in the same subnet (tried and tested).
The issue I have is when I change the interfaces to the /29 subnet (it is only the subnet mask changing, not the IP) I see the VPNs time out and fail. BGP to the local routers stays established, and traffic flow through the firewall is good and unimpacted, bar a dropped ping or two during the interface change.
I have reselected the local peer IP in the IKE-GW settings and manually pushed a test vpn command to re-establish the VPN. Even after 20 minutes of trying the VPNs stay down.
When I revert back to the /30 interfaces, a test vpn command brings the VPN up immediately.
Any ideas? System logs don't show errors; I could see the IKE request okay.
Regards
Adrian
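The subnet reasoning in the post above (two /30 interfaces never share a network, so a floating IP cannot work until both are widened to one /29) as an added pre-change check; this is not code from the thread, and the interface addresses and floating address are constructed for illustration:

```python
import ipaddress

# Constructed sample addresses, not the poster's real ones: each firewall's
# interface as originally configured inside its own isolated /30.
PRIMARY_IFACE = "203.0.113.1/30"
SECONDARY_IFACE = "203.0.113.5/30"
# Hypothetical floating address the HA pair would share after the change.
FLOATING_IP = "203.0.113.3"


def same_subnet(a: str, b: str) -> bool:
    """True when both interface addresses fall inside one common network."""
    return ipaddress.ip_interface(a).network == ipaddress.ip_interface(b).network


def widen(iface: str, new_prefix: int) -> str:
    """Keep the host address and change only the mask, as the poster did."""
    ip = ipaddress.ip_interface(iface).ip
    return f"{ip}/{new_prefix}"


def floating_ip_usable(primary: str, secondary: str, floating: str) -> bool:
    """A floating IP is only reachable from both units when the two interfaces
    share one subnet, the address is a usable host in it (not network or
    broadcast), and it does not collide with either interface address."""
    p = ipaddress.ip_interface(primary)
    s = ipaddress.ip_interface(secondary)
    f = ipaddress.ip_address(floating)
    if p.network != s.network:
        return False
    return f in set(p.network.hosts()) and f not in (p.ip, s.ip)


if __name__ == "__main__":
    print("same subnet at /30:", same_subnet(PRIMARY_IFACE, SECONDARY_IFACE))
    p29, s29 = widen(PRIMARY_IFACE, 29), widen(SECONDARY_IFACE, 29)
    print("same subnet at /29:", same_subnet(p29, s29))
    print("floating usable at /30:",
          floating_ip_usable(PRIMARY_IFACE, SECONDARY_IFACE, FLOATING_IP))
    print("floating usable at /29:", floating_ip_usable(p29, s29, FLOATING_IP))
```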
02-14-2022 07:05 AM
This was a funny one that I resolved in the end. For some reason in active-active mode it didn't like both interfaces in the same subnet with the VPN on one firewall. With only the Active Primary in a /29 and the Active Secondary isolated in a /30 the VPN stayed up. If both firewalls were part of the same /29 the VPN was pulled down. It was an acceptable configuration for 24 hours until we fully migrated to an active-passive scenario.
11-17-2021 04:37 PM
Hi @a.jones,
It is difficult to troubleshoot your issue without more details. With that said, have you considered leaving the /30? Since you are moving to active/passive, then you do not need separate IP addresses for the passive firewall. The same IP addresses are configured on both. The IP addresses on the passive firewall do not respond to traffic until it becomes active.
Thanks,
Tom