Site to Site VPN monitor status is "up" on active and "down" on passive firewall
Created On 04/06/22 02:55 AM - Last Modified 10/23/24 21:33 PM
Symptom
- Site to Site VPN monitor status is "up" on the active firewall but shows "down" on the passive firewall.
- For example, in the outputs below, tunnel IDs 7 and 8 are "down" on the passive firewall while they are "up" on the active firewall.
- VPN flow output on Active Firewall:
> show vpn flow
total tunnels configured: 8
filter - type IPSec, state any
total IPSec tunnel configured: 8
total IPSec tunnel shown: 8
id name state monitor local-ip peer-ip tunnel-i/f
-- ---- ----- ------- -------- ------- ----------
1 VPN-FWSING01 active up 10.16.192.126 10.18.199.14 tunnel.1
2 VPN-FWSING02 active up 10.16.192.126 10.18.199.22 tunnel.2
5 VPN-FWCEFI active up 10.16.192.110 10.50.182.206 tunnel.3
4 VPN-FWGERL active up 10.16.192.110 10.24.133.4 tunnel.4
6 VPN-FWBORD active up 10.16.192.110 10.24.136.4 tunnel.5
7 VPN-FWBAST active up 10.16.192.110 10.24.16.4 tunnel.6
8 VPN-FWAJAC active up 10.16.192.110 10.24.2.4 tunnel.7
9 VPN-FWPLCF init down 10.16.192.110 10.50.198.204 tunnel.8
- VPN flow output on Passive Firewall:
> show vpn flow
total tunnels configured: 8
filter - type IPSec, state any
total IPSec tunnel configured: 8
total IPSec tunnel shown: 8
id name state monitor local-ip peer-ip tunnel-i/f
-- ---- ----- ------- -------- ------- ----------
1 VPN-FWSING01 active up 10.16.192.126 10.18.199.14 tunnel.1
2 VPN-FWSING02 active up 10.16.192.126 10.18.199.22 tunnel.2
5 VPN-FWCEFI active up 10.16.192.110 10.50.182.206 tunnel.3
4 VPN-FWGERL active up 10.16.192.110 10.24.133.4 tunnel.4
6 VPN-FWBORD active up 10.16.192.110 10.24.136.4 tunnel.5
7 VPN-FWBAST active down 10.16.192.110 10.24.16.4 tunnel.6
8 VPN-FWAJAC active down 10.16.192.110 10.24.2.4 tunnel.7
9 VPN-FWPLCF init down 10.16.192.110 10.50.198.204 tunnel.8
Environment
- Palo Alto Firewalls
- Supported PAN-OS
- IPSEC VPN
Cause
- The VPN tunnel monitor status did not refresh on the passive firewall and remained stuck at its last known status, "down".
- An SPI mismatch between the active and passive firewalls is shown below: in the two outputs, tunnel ID 8 (VPN-FWAJAC) carries different SPI(in)/SPI(out) values on each firewall.
- IPSec SA state on Active Firewall:
>show vpn ipsec-sa
GwID/client IP TnID Peer-Address Tunnel(Gateway) Algorithm SPI(in) SPI(out) life(Sec/KB) remain-time(Sec)
-------------- ---- ------------ --------------- --------- ------- -------- ------------ ----------------
1 1 10.18.199.14 VPN-FWSING01(FWSING01) ESP/A256/SHA256 D956EA0F F954FBDB 3600/Unlimited 3454
2 2 10.18.199.22 VPN-FWSING02(FWSING02) ESP/A256/SHA256 E75AB051 C75863BB 3600/Unlimited 3429
4 4 10.24.133.4 VPN-FWGERL(FWGERL00A11401-FWGERL0A0E0701) ESP/A256/SHA256 A4289A3C 9C4D6B34 3600/Unlimited 3513
3 5 10.50.182.206 VPN-FWCEFI(FWCEFI00AP3201-FWCEFI00AP1001) ESP/A256/SHA256 EDFA3DB9 ACB90772 3600/Unlimited 3006
5 6 10.24.136.4 VPN-FWBORD(FWBORD0A1S6101-FWBORD0A1S0401) ESP/A256/SHA256 A98B6650 EE1CCC94 3600/Unlimited 3470
6 7 10.24.16.4 VPN-FWBAST(FWBAST00A01601-FWBAST0A1S2601) ESP/A256/SHA256 A9FA47D6 ECC0306F 3600/Unlimited 3171
7 8 10.24.2.4 VPN-FWAJAC(FWAJAC0A1S1201-FWAJAC0A1S1101) ESP/A256/SHA256 96BDC835 DB437AAC 3600/Unlimited 1044
- IPSec SA state on Passive Firewall:
>show vpn ipsec-sa
GwID/client IP TnID Peer-Address Tunnel(Gateway) Algorithm SPI(in) SPI(out) life(Sec/KB) remain-time(Sec)
-------------- ---- ------------ --------------- --------- ------- -------- ------------ ----------------
1 1 10.18.199.14 VPN-FWSING01(FWSING01) ESP/A256/SHA256 D956EA0F F954FBDB 3600/Unlimited 2185
2 2 10.18.199.22 VPN-FWSING02(FWSING02) ESP/A256/SHA256 E75AB051 C75863BB 3600/Unlimited 2160
4 4 10.24.133.4 VPN-FWGERL(FWGERL00A11401-FWGERL0A0E0701) ESP/A256/SHA256 A4289A3C 9C4D6B34 3600/Unlimited 2244
3 5 10.50.182.206 VPN-FWCEFI(FWCEFI00AP3201-FWCEFI00AP1001) ESP/A256/SHA256 EDFA3DB9 ACB90772 3600/Unlimited 1737
5 6 10.24.136.4 VPN-FWBORD(FWBORD0A1S6101-FWBORD0A1S0401) ESP/A256/SHA256 A98B6650 EE1CCC94 3600/Unlimited 2201
6 7 10.24.16.4 VPN-FWBAST(FWBAST00A01601-FWBAST0A1S2601) ESP/A256/SHA256 A9FA47D6 ECC0306F 3600/Unlimited 1902
7 8 10.24.2.4 VPN-FWAJAC(FWAJAC0A1S1201-FWAJAC0A1S1101) ESP/A256/SHA256 EADEC3AA 89679FFD 3600/Unlimited 2815
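As an added example (not from this article or from Palo Alto Networks), the following Python script parses the `show vpn flow` and `show vpn ipsec-sa` outputs from both HA peers and flags every tunnel whose monitor state or SPI pair disagrees, which is the discrepancy described above. The embedded sample rows are constructed from the article's outputs for tunnels 7 to 9.

```python
# Constructed sample rows (taken from the article's outputs) for tunnels 7-9 on each HA peer.
ACTIVE_FLOW = """\
7 VPN-FWBAST active up 10.16.192.110 10.24.16.4 tunnel.6
8 VPN-FWAJAC active up 10.16.192.110 10.24.2.4 tunnel.7
9 VPN-FWPLCF init down 10.16.192.110 10.50.198.204 tunnel.8
"""
PASSIVE_FLOW = """\
7 VPN-FWBAST active down 10.16.192.110 10.24.16.4 tunnel.6
8 VPN-FWAJAC active down 10.16.192.110 10.24.2.4 tunnel.7
9 VPN-FWPLCF init down 10.16.192.110 10.50.198.204 tunnel.8
"""
ACTIVE_SA = """\
6 7 10.24.16.4 VPN-FWBAST(FWBAST00A01601-FWBAST0A1S2601) ESP/A256/SHA256 A9FA47D6 ECC0306F 3600/Unlimited 3171
7 8 10.24.2.4 VPN-FWAJAC(FWAJAC0A1S1201-FWAJAC0A1S1101) ESP/A256/SHA256 96BDC835 DB437AAC 3600/Unlimited 1044
"""
PASSIVE_SA = """\
6 7 10.24.16.4 VPN-FWBAST(FWBAST00A01601-FWBAST0A1S2601) ESP/A256/SHA256 A9FA47D6 ECC0306F 3600/Unlimited 1902
7 8 10.24.2.4 VPN-FWAJAC(FWAJAC0A1S1201-FWAJAC0A1S1101) ESP/A256/SHA256 EADEC3AA 89679FFD 3600/Unlimited 2815
"""

def parse_vpn_flow(text):
    """Map tunnel id -> (name, state, monitor); header and separator lines are skipped."""
    tunnels = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) == 7 and f[0].isdigit():
            tunnels[int(f[0])] = (f[1], f[2], f[3])
    return tunnels

def parse_ipsec_sa(text):
    """Map TnID -> (SPI(in), SPI(out)); keyed by tunnel id (column 2), not gateway id."""
    sas = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) == 9 and f[0].isdigit() and f[1].isdigit():
            sas[int(f[1])] = (f[5], f[6])
    return sas

def find_ha_mismatches(active_flow, passive_flow, active_sa, passive_sa):
    """Return (tunnel id, name, reason) for every tunnel on which the two peers disagree."""
    a_flow, p_flow = parse_vpn_flow(active_flow), parse_vpn_flow(passive_flow)
    a_sa, p_sa = parse_ipsec_sa(active_sa), parse_ipsec_sa(passive_sa)
    findings = []
    for tid, (name, _state, a_mon) in sorted(a_flow.items()):
        p_mon = p_flow.get(tid, ("", "", "missing"))[2]
        if a_mon != p_mon:  # monitor status stuck at a stale value on the passive peer
            findings.append((tid, name, f"monitor active={a_mon} passive={p_mon}"))
        if tid in a_sa and tid in p_sa and a_sa[tid] != p_sa[tid]:  # SPI mismatch
            a, p = "/".join(a_sa[tid]), "/".join(p_sa[tid])
            findings.append((tid, name, f"SPI in/out active={a} passive={p}"))
    return findings
```

Feed the full output of both commands from each peer into `find_ha_mismatches`; on the constructed rows it reports tunnels 7 and 8 for the monitor state and tunnel 8 again for the SPI pair, while tunnel 9, which is genuinely down on both peers, is not flagged.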
Resolution
- Manually sync the runtime session state between the firewalls by running the following CLI command on the active firewall:
> request high-availability sync-to-remote runtime-state
- The VPN monitor status then syncs and shows "up" on the passive (secondary) firewall, as in the output below.
> show vpn flow
total tunnels configured: 8
filter - type IPSec, state any
total IPSec tunnel configured: 8
total IPSec tunnel shown: 8
id name state monitor local-ip peer-ip tunnel-i/f
-- ---- ----- ------- -------- ------- ----------
1 VPN-FWSING01 active up 10.16.192.126 10.18.199.14 tunnel.1
2 VPN-FWSING02 active up 10.16.192.126 10.18.199.22 tunnel.2
5 VPN-FWCEFI active up 10.16.192.110 10.50.182.206 tunnel.3
4 VPN-FWGERL active up 10.16.192.110 10.24.133.4 tunnel.4
6 VPN-FWBORD active up 10.16.192.110 10.24.136.4 tunnel.5
7 VPN-FWBAST active up 10.16.192.110 10.24.16.4 tunnel.6
8 VPN-FWAJAC active up 10.16.192.110 10.24.2.4 tunnel.7
9 VPN-FWPLCF init down 10.16.192.110 10.50.198.204 tunnel.8