This website uses cookies essential to its operation, for analytics, and for personalized content. By continuing to browse this site, you acknowledge the use of cookies.
For details on cookie usage on our site, read our Privacy Policy
For details on cookie usage on our site, read our Privacy Policy
About dshue
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- LIVEcommunity
- About dshue
04-23-2018
14Posts
1Like
1Solution
Apr 23, 2018Last Visited
User
Activity
User
Profile
Latest posts by dshue
| Subject | Views | Posted |
|---|---|---|
| 2997 | 04-11-2014 10:46 AM | |
| 3702 | 04-08-2014 12:21 PM | |
| 3703 | 04-08-2014 12:19 PM | |
| 3045 | 04-08-2014 05:23 AM | |
| 3827 | 04-07-2014 01:56 PM |
My Liked Posts
| Subject | Likes | Posted |
|---|---|---|
| 1 Like | 09-26-2011 02:30 PM |
Posts I Liked
| Subject | Likes | Author | Latest Post |
|---|---|---|---|
| 2 Likes | |||
| 2 Likes | |||
| 2 Likes | |||
| 3 Likes |
User Badges
Community Statistics
| Member Since | 05-25-2011 12:17 PM |
| Date Last Visited | 04-23-2018 03:40 PM |
| Posts | 14 |
| Total Likes Received | 1 |
04-11-2014
10:46 AM
Yup, same problem. We are running 5.0.11. • 60201—In a HA Active/Active setup, an IPSec key renegotiation timing issue caused the new IPSec session to be set to DISCARD until the next key renegotiation. This caused traffic loss until the next tunnel key renegotiation. I'm waiting for the 5.0.12 release though.
... View more
04-08-2014
12:19 PM
Thank you jdelio, I think you nailed it! We are at 5.0.11 and just upgraded to that a week prior to implementing HA. I've had a support case open since starting with Active/Active. They responded today that it is most likely they bug you are talking about but I'm reluctant to upgrade to 6.0.1 however. From the 6.0.1 Release Notes - Resolved Issues • 60201—In a HA Active/Active setup, an IPSec key renegotiation timing issue caused the new IPSec session to be set to DISCARD until the next key renegotiation. This caused traffic loss until the next tunnel key renegotiation.
... View more
04-08-2014
05:23 AM
I'm also gonna jump in on this. Been Active/Active for the past 3 - 4 weeks and even leaving Site2Site VPNs alone I'm still fighting with strange issues with tunnels not re-keying properly and dropping for the duration of the key lifetime. To the best of my knowledge, to make tunnels and portals work across both devices you will need to use Floating IPs. This will enable the two devices to sync these tunnels and portals. Although, that still hasn't worked for me with all my devices yet. Another thing to consider is that you have to position the PAs where they can answer a layer 2 arp request as this is how Floating IPs have to work and something that completely floored me. If you are using routing protocols on your PAs to bring traffic in from your ISPs, Floating IPs will not work in this case as traffic destined to a peer device will not be forwarded over HA3. See my post below for more detail. Active/Active Floating IP/Traffic Forwarding Problem In addition to document from Steven, here is another document that helped me. High Availability Synchronization This is about the extent of the documentation provided. There are several articles and discussions out there, but beware that Steven is absolutely correct. You will be fighting this battle much on your own and documentation is scarce. It took talking to three techs to determine my Floating IP problem only to find out it "just wasn't designed to work that way". Here is my latest post... seems to be pretty straight forward but PAN won't really discuss this further until I change my HA config is set to always use Primary as session owner and session setup so I've turned to the community for help troubleshooting. Active/Active & IPSec Trouble I will add that as far as the normal transit traffic goes, it does work and so far works great. I'm using OSPF internally and BGP externally and HA3 takes care of any asymmetric packet flows as promised by PAN. Good luck, and if you can avoid Active/Active... avoid it.
... View more
04-07-2014
01:56 PM
After implementing HA Active/Active, we left S2S VPN tunnels alone. Ultimately no changes to IKE Gateways. The S2S terminate to a /30 address that is statically routed from the ISP to ethernet1/12 on the active-primary. Tunnel interfaces and their routes are identical on both primary and secondary, IKE Gateways are NOT synced as this is just an IP assigned to the 1/12 interface on the primary side. OSPF on the internal LAN side, HOWEVER, supplied static routes for the remote sites to only route to primary device. Secondary should never be session owner. Session Owner = First Packet Session Setup = ip-modulo Phase 1 and Phase 2 seem to come up fine. Communication is established and devices can talk fine. However, the key lifetime is set for 2 hours. Throughout the day, the remote side will stop responding at key expiration. It appears that a new negotiation is started and completed, however for the two hour key time the VPN tunnels will not pass traffic. This doesn't happen every time it negotiates, and I can seem to locate a pattern. The best lead that I have right now is that the return traffic from the remote side is being discarded due to the flow being in a discard state. I can also see where the 'decap packets' in the vpn flow will not increment. I've looked through the ike debug log and don't really see anything going on there during this state of limbo. Phase 1 appears to be up, phase 2 SAs seem to be up, but for some reason the firewall is rejecting these return packets and I cannot determine why. If can clear phase 1, and the flows and it will pick right back up. Other option is to just wait for Phase 1 to timeout and re-key. These devices were working fine prior to HA to the best of my knowledge. Any help would be greatly appreciated! == Apr 07 09:33:26 == Packet received at ha_ingress stage Packet info: len 1532 port 49 interface 49 vsys 1 wqe index 228383 packet 0x0x8000000416f718e0 Packet decoded dump: L2: 00:1b:17:3c:21:31->00:1b:17:c8:6f:31, type 0x7261 L3 binary dump: 40 bytes 00000000: 80 02 00 1b 00 1b 17 3c 21 1b 00 16 4d 6e a6 8c .......< !...Mn.. 00000010: 08 00 45 00 05 dc c8 d9 40 00 36 06 ff 43 c7 1b ..E..... @.6..C.. 00000020: 4e b8 41 29 20 02 00 50 N.A) ..P ...skipping... IP: 166.xxx.xxx.xxx->71.xxx.xxx.xxx, protocol 50 version 4, ihl 5, tos 0x00, len 120, id 663, frag_off 0x0000, ttl 49, checksum 57440 L4 binary dump: 16 bytes 00000000: f3 46 fb c0 00 00 01 3c 19 ac 55 94 f5 04 3f a5 .F.....< ..U...?. Flow lookup, key word0 0xf346fbc000023200 word1 0 Flow 211818 found, state 3 Packet dropped, flow in discard state Session 105909 c2s flow: source: 166.xxx.xxx.xxx [untrust] dst: 71.2.234.230 proto: 50 sport: 62278 dport: 64448 state: DISCARD type: FLOW src user: unknown dst user: unknown s2c flow: source: 71.xxx.xxx.xxx [untrust] dst: 166.142.205.229 proto: 50 sport: 64448 dport: 62278 state: DISCARD type: FLOW src user: unknown dst user: unknown start time : Mon Apr 7 09:28:39 2014 timeout : 60 sec time to live : 58 sec total byte count(c2s) : 103868 total byte count(s2c) : 0 layer7 packet count(c2s) : 722 layer7 packet count(s2c) : 0 vsys : vsys1 application : ipsec-esp rule : ALLOW_IN_VPN session to be logged at end : True session in session ager : True session synced from HA peer : False session owned by local HA A/A : True layer7 processing : completed URL filtering enabled : True URL category : any session via syn-cookies : False session terminated on host : True session traverses tunnel : False captive portal session : False ingress interface : ethernet1/12 egress interface : ethernet1/12 session QoS rule : N/A (class 4) session tracker stage deny : host service session tracker stage l7proc : ctd app has no decoder
... View more
Labels:
- Labels:
-
Configuration
-
Networking
-
Set Up
-
Troubleshooting
Contact Me
| Online Status |
Offline
|
| Date Last Visited |
04-23-2018
03:40 PM
|
Latest Tags
No tags yet
LEGAL NOTICES
Copyright 2007 - 2023 - Palo Alto Networks