GlobalProtect disconnect/re-connection issues after Active/Passive HA cluster failover

Created On 04/05/24 03:42 AM - Last Modified 06/24/25 23:28 PM


Symptom


The GlobalProtect client disconnects whenever there is an Active/Passive HA cluster failover.

As per the KB articles below, when using IPSec, failover should be seamless from a GlobalProtect VPN perspective since peers are able to retain the VPN session.

GlobalProtect Gateway Tunnel failover with Firewall in Active-Passive High Availability Configuration
What Happens to IPSec GlobalProtect VPN During a Failover Event?



Environment


PANOS-10.2.7, PA-3220, GP-6.2.0

Cause


When configuring GlobalProtect portal agent settings, most of the timer settings can be left at their defaults for optimal results.

However, there may be cases where users edit these settings without knowing the repercussions. One of these settings is
"Automatic Restoration of VPN Connection Timeout":

Network > GlobalProtect > Portals > "PortalName" > Agent > "AgentConfig" > App > App Configurations > "Automatic Restoration of VPN Connection Timeout"


CLI:
gp-app-config config retry-tunnel value 0

Setting this to "0" means GlobalProtect does not attempt to automatically restore the tunnel after the tunnel is disconnected.
 



Resolution


For a seamless GlobalProtect connection after an HA failover, ensure that the "Automatic Restoration of VPN Connection Timeout" value is set to the default (30 mins.).
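
One way to check an exported configuration for this setting across several agent configs, as an added example (not Palo Alto Networks' code). It matches only the `gp-app-config config retry-tunnel value N` fragment from the CLI line above; the one-setting-per-line export layout, the placeholder tokens in the sample and the function names are assumptions.

```python
import re

# Fragment copied from the article's CLI line. Whatever precedes it on a line
# is kept as opaque context and is not interpreted as a PAN-OS path.
RETRY_TUNNEL = re.compile(
    r"^(?P<context>.*?)\bgp-app-config config retry-tunnel value (?P<value>\d+)$"
)
DEFAULT_VALUE = 30  # default stated in the article (30 mins.)

# Constructed sample; the EXAMPLE-* tokens and some-other-setting are placeholders.
SAMPLE = """\
set EXAMPLE-PORTAL-A EXAMPLE-AGENT-1 gp-app-config config retry-tunnel value 0
set EXAMPLE-PORTAL-A EXAMPLE-AGENT-1 some-other-setting value 5
set EXAMPLE-PORTAL-A EXAMPLE-AGENT-2 gp-app-config config retry-tunnel value 30
set EXAMPLE-PORTAL-B EXAMPLE-AGENT-1 gp-app-config config retry-tunnel value 5
"""


def audit_retry_tunnel(config_text):
    """Return (line_no, context, value, status) for every retry-tunnel line."""
    findings = []
    for line_no, line in enumerate(config_text.splitlines(), start=1):
        match = RETRY_TUNNEL.match(line.strip())
        if match is None:
            continue
        value = int(match.group("value"))
        if value == 0:
            status = "DISABLED"     # no automatic tunnel restore after a disconnect
        elif value == DEFAULT_VALUE:
            status = "DEFAULT"
        else:
            status = "NON_DEFAULT"  # edited timer; review against the article
        findings.append((line_no, match.group("context").strip(), value, status))
    return findings


def disabled_configs(findings):
    """Contexts whose automatic tunnel restoration is switched off (value 0)."""
    return [context for _, context, _, status in findings if status == "DISABLED"]


if __name__ == "__main__":
    for line_no, context, value, status in audit_retry_tunnel(SAMPLE):
        print(f"line {line_no}: {context or '(no context)'} -> {value} [{status}]")
```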
