Weird problem with SSL VPN traffic


L1 Bithead

Hi folks,

We have two PA firewall pairs.

We have three VPN systems behind the firewalls -- 3SP SSL-Explorer, Barracuda SSL VPN and Windows PPTP VPN.

We've had a problem over the last week where the SSL VPN systems wouldn't load their client Java applets properly and the web interface (https) would just intermittently time out, and PPTP users couldn't connect in remotely; authentication would time out.

I narrowed it down to one of the PA devices.  One would pass the traffic fine, the other would not.  I noticed one of the pair was becoming active in the HA pair intermittently, due to "split brain".  That hasn't happened before.  I checked the rulesets between the devices, they appear to match.  I tried rebooting the faulty box, but still the problem persisted, so I've ended up shutting it down to stop us failing over to it.

Anybody seen anything like this before?  It's really weird.

8 replies

L5 Sessionator

There might be an issue with the HA1 link. HA1 link is the control link and is used for all management plane interactions between the members of the cluster. If the HA1 is faulty, each device would assume that its peer is no longer in cluster and tries to assume the mastership of the cluster. Please reseat the cables or change them to see if it makes a difference.

BR,

Karthik RP
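The symptom described in this thread (a peer intermittently becoming active because the HA1 control link drops) shows up in the firewalls' system logs as a burst of HA state transitions, and in a true split brain as both peers reporting themselves active at the same moment. The following is an added example, not Palo Alto Networks code and not the poster's: it scans a set of constructed, simplified log lines (the format is an assumption for illustration, not the real PAN-OS system-log format) and flags a device that flaps more than a threshold number of times inside a window, moments where every known peer claims the active role, and HA1 link-down messages.

```python
"""Detect HA flapping and dual-active (split-brain) indicators in log lines.

Added example; not Palo Alto Networks code. The line format is a constructed,
simplified form (timestamp, device, HA message) and is NOT the exact PAN-OS
system-log format; adapt LINE_RE / STATE_RE to your own log export.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample lines: fw-a keeps flipping between passive and active
# while fw-b, having lost sight of its peer over HA1, also stays active.
SAMPLE_LOG = """\
2013-05-06 09:00:01 fw-a HA: state change from passive to active
2013-05-06 09:00:01 fw-b HA: state change from passive to active (HA1 down, peer lost)
2013-05-06 09:04:30 fw-a HA: state change from active to passive
2013-05-06 09:11:02 fw-a HA: state change from passive to active
2013-05-06 09:15:45 fw-a HA: state change from active to passive
2013-05-06 09:20:10 fw-a HA: state change from passive to active
2013-05-06 09:21:00 fw-b HA: HA1 link down
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<dev>\S+) HA: (?P<msg>.*)$"
)
STATE_RE = re.compile(r"state change from (?P<old>\w+) to (?P<new>\w+)")


def parse_ha_events(text):
    """Return a list of (timestamp, device, message) for lines matching LINE_RE."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore anything that is not an HA line in our format
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
        events.append((ts, m.group("dev"), m.group("msg")))
    return events


def count_transitions(events, window=timedelta(minutes=30)):
    """Per device, the largest number of state transitions inside any window."""
    per_dev = defaultdict(list)
    for ts, dev, msg in events:
        if STATE_RE.search(msg):
            per_dev[dev].append(ts)
    result = {}
    for dev, times in per_dev.items():
        times.sort()
        best, start = 0, 0
        for end in range(len(times)):          # sliding window over sorted times
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        result[dev] = best
    return result


def flapping_devices(events, window=timedelta(minutes=30), threshold=3):
    """Devices whose transition count within the window reaches the threshold."""
    counts = count_transitions(events, window)
    return sorted(dev for dev, n in counts.items() if n >= threshold)


def dual_active_times(events):
    """Timestamps at which every peer seen so far reports itself active."""
    state, hits = {}, []
    for ts, dev, msg in events:
        m = STATE_RE.search(msg)
        if not m:
            continue
        state[dev] = m.group("new")
        if len(state) > 1 and all(s == "active" for s in state.values()):
            hits.append(ts)
    return hits


def link_down_events(events):
    """(timestamp, device) for messages reporting an HA link down."""
    return [(ts, dev) for ts, dev, msg in events if "link down" in msg]


if __name__ == "__main__":
    ev = parse_ha_events(SAMPLE_LOG)
    print("flapping:", flapping_devices(ev))
    print("dual-active at:", [t.isoformat() for t in dual_active_times(ev)])
    print("link down:", link_down_events(ev))
```

On the constructed sample this reports fw-a as flapping (five transitions in twenty minutes), three moments where both peers are active, and the HA1 link-down message on fw-b; in practice the same checks run over a real system-log export point straight at the control link, which is what the reply above suggests reseating first.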

L5 Sessionator

Is it just the VPN traffic that is having this issue, or does other traffic suffer from the same problem, like people complaining about slow web browsing? Plus, correct me if I am wrong, but is this an active-passive setup?

BR,

Karthik RP

Hi,

It's Active-Passive.  Right now the only complaint we hear from users is around VPN traffic, however in the past when we've failed over we've heard complaints around slow web browsing.

I would check the HA1 link first. At the same time, we also want to verify if the upstream/downstream switches did receive and process the gratuitous ARPs whenever there was a failover. If the cluster is an active-passive setup, the passive device shouldn't transmit any traffic from the upstream/downstream switches.

BR,

Karthik
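Verifying that the switches saw the gratuitous ARPs after a failover means capturing ARP on the switch port and checking that an announcement for each firewall interface IP actually arrived. As an added example (not Palo Alto Networks code, not the poster's), the block below parses raw Ethernet/ARP frames, classifies a frame as gratuitous when its sender and target IPs match, and lists which MAC addresses announced each IP. The frames are constructed inline with `struct`; the MAC and IP values are placeholders, and the use of two different source MACs for the same IP is purely for illustration of the check, not a statement about how the HA pair addresses its interfaces.

```python
"""Parse ARP frames from a capture and report gratuitous ARP announcements.

Added example; not Palo Alto Networks code. All frames, MACs and IPs below are
constructed for the demonstration.
"""
import struct
from collections import defaultdict

ETH_HDR = struct.Struct("!6s6sH")            # dst MAC, src MAC, EtherType
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")    # htype, ptype, hlen, plen, oper, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b):
    return ".".join(str(x) for x in b)


def parse_arp_frame(frame):
    """Return a dict describing an IPv4-over-Ethernet ARP frame, or None."""
    if len(frame) < ETH_HDR.size + ARP_HDR.size:
        return None
    dst, src, etype = ETH_HDR.unpack_from(frame, 0)
    if etype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    if htype != 1 or ptype != 0x0800 or hlen != 6 or plen != 4:
        return None  # not Ethernet/IPv4 ARP
    return {
        "src_mac": mac_str(src), "dst_mac": mac_str(dst), "oper": oper,
        "sender_mac": mac_str(sha), "sender_ip": ip_str(spa),
        "target_mac": mac_str(tha), "target_ip": ip_str(tpa),
    }


def is_gratuitous(arp):
    """A gratuitous ARP announces the sender's own mapping: sender IP == target IP."""
    return arp["sender_ip"] == arp["target_ip"]


def gratuitous_announcements(frames):
    """Map IP -> MACs that announced it via gratuitous ARP, in capture order."""
    seen = defaultdict(list)
    for frame in frames:
        arp = parse_arp_frame(frame)
        if arp and is_gratuitous(arp):
            seen[arp["sender_ip"]].append(arp["sender_mac"])
    return dict(seen)


def mac_changes(announcements):
    """IPs announced by more than one distinct MAC (a mapping moved)."""
    out = {}
    for ip, macs in announcements.items():
        distinct = list(dict.fromkeys(macs))   # preserve first-seen order
        if len(distinct) > 1:
            out[ip] = distinct
    return out


def build_arp(src_mac, dst_mac, oper, sha, spa, tha, tpa):
    """Build a test frame (constructed values only)."""
    return ETH_HDR.pack(dst_mac, src_mac, ETHERTYPE_ARP) + ARP_HDR.pack(
        1, 0x0800, 6, 4, oper, sha, spa, tha, tpa)


# Constructed addresses: locally administered MACs and an RFC 1918 address.
MAC_A = bytes.fromhex("02000000000a")
MAC_B = bytes.fromhex("02000000000b")
MAC_HOST = bytes.fromhex("020000000050")
BCAST, ZERO = b"\xff" * 6, b"\x00" * 6
VIP, HOST = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 50])

SAMPLE_FRAMES = [
    # ordinary request from a host looking for the firewall IP (not gratuitous)
    build_arp(MAC_HOST, BCAST, ARP_REQUEST, MAC_HOST, HOST, ZERO, VIP),
    # gratuitous request: peer A announces 10.0.0.1
    build_arp(MAC_A, BCAST, ARP_REQUEST, MAC_A, VIP, ZERO, VIP),
    # gratuitous reply after failover: peer B announces the same IP
    build_arp(MAC_B, BCAST, ARP_REPLY, MAC_B, VIP, MAC_B, VIP),
    # non-ARP frame (EtherType IPv4) that the parser must ignore
    ETH_HDR.pack(BCAST, MAC_HOST, 0x0800) + b"\x00" * ARP_HDR.size,
]

if __name__ == "__main__":
    ann = gratuitous_announcements(SAMPLE_FRAMES)
    print("announcements:", ann)
    print("moved mappings:", mac_changes(ann))
```

Fed with frames read from a pcap taken on the switch, `gratuitous_announcements` tells you whether an announcement for each firewall IP arrived after the failover at all, and `mac_changes` shows whether the mapping the switch should have learned actually moved.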

L5 Sessionator

If you are experiencing issues due to split brain, I think you should troubleshoot the split brain issue and see if you still have the VPN issue.

Here is a good doc for it

https://live.paloaltonetworks.com/docs/DOC-1094#comment-1321

https://live.paloaltonetworks.com/docs/DOC-1997

The following doc explains HA Failover optimization

https://live.paloaltonetworks.com/docs/DOC-5008

Hope this helps

Thanks

Hi

I tried switching off the other HA pair, to rule out HA problems - the broken box still botches SSL and PPTP traffic.

If you are not having the split brain issue anymore and are still running into issues with traffic, try creating an app override for that traffic and see if that helps.

Here is how to create an app override.

https://live.paloaltonetworks.com/docs/DOC-1071

Hope this helps.

Thanks

Not applicable

Hello Kevin,

Could you reply with the steps to complete a PPTP VPN? I can't figure it out. Thanks
