Hi @abettencourt, @Alpalo,

 

It is almost a year since this was posted; have you found a solution?

Last week we did some failover tests, related to other issues, and we experienced the same issue first-hand.

 

I haven't completely figured it out, but it looks like it is related to how AWS handles phase2 when phase1 is down.

As already mentioned, HA will sync only phase2, which means that in the event of a failover the secondary member will have the phase2 to AWS up and will try to use it, but there will be no phase1. The firewall will believe the tunnel is up and try to use the phase2 that it "inherited" from the primary peer, but I am guessing AWS will reject the traffic, because it is using a phase2 for which there is no valid phase1.

 

It is interesting to note that when forcing phase1 to negotiate using the "test vpn ike-sa gateway ..." command, the tunnel starts working immediately. In the logs I can see that after the phase1 negotiation, phase2 is also renewed.

This KB mentions an interesting solution: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000HAuZCAW&lang=en_US%E2%80%A...

Here they briefly suggest that you can create a log forwarding action with an HTTP profile so that, when a failover event is triggered, the FW sends an API call to itself to test phase1, which will bring the AWS tunnel back to a functional state immediately after failover.

 

I am still puzzled about what exactly is causing this issue, but something with the IKEv2 phase1 liveness check could be the explanation.

I want to do some more tests with the IKEv2 liveness check disabled or with tunnel monitor enabled.

 
