IPSEC VPN SA synchronization in an Active/Passive HA pair
Symptom
- When a VPN is terminated on a Palo Alto Networks firewall HA pair, not all IPSec-related information is synchronized between the two firewalls.
- The output of "show vpn ike-sa" does not display any SA on the passive device of the HA pair.
Environment
- PAN Active/Passive HA Pair
- Any PanOS
Resolution
This is expected behavior. IKE phase 1 SA information is NOT synchronized between the HA firewalls; only the IPSec (phase 2) SAs are.
Note:
- If tunnels are brought completely down after an HA failover, first disable DPD on the IPSec peer devices. DPD will bring the complete tunnel down when it sees that phase 1 is down.
- To bring up phase 1 automatically, use the HTTP log forwarding feature known as "log to action". Configure "log to action" so that, when the firewall sees an HA event in the logs, it triggers the command "test vpn ike-sa", which brings up phase 1 automatically after a failover.
Here is a sample of expected output.
When IKEv1 is used:
Output of "show vpn ike-sa" and "show vpn ipsec-sa" on ACTIVE NODE
(active)> show vpn ike-sa
GwID/client IP Peer-Address Gateway Name Role Mode Algorithm Established Expiration V ST Xt Phase2
-------------- ------------ ------------ ---- ---- --------- ----------- ---------- - -- -- ------
1067 xxx.xxx.xxx.2 SiteA-SiteB Init Main PSK/ DH2/A128/SHA1 Dec.08 19:03:59 Dec.09 03:03:59 v1 13 1 7
Show IKEv1 IKE SA: Total 1 gateways found. 1 ike sa found.

Gateway Name TnID Tunnel GwID/IP Role Algorithm SPI(in) SPI(out) MsgID ST Xt
------------ ---- ------ ------- ---- --------- ------- -------- ----- -- --
SiteA-SiteB 3077 SiteA-SiteB:A-B 1067 Resp ESP/ DH2/tunl/SHA1 E7D7C3FE A10CF2BE C018D184 9 1
Show IKEv1 phase2 SA: Total 1 gateways found. 1 ike sa found.
Output of "show vpn ike-sa" and "show vpn ipsec-sa" on PASSIVE NODE
admin@SiteA-Secondary(passive)> show vpn ike-sa
There is no IKEv1 phase-1 SA found.

(passive)> show vpn ipsec-sa
GwID/client IP TnID Peer-Address Tunnel(Gateway) Algorithm SPI(in) SPI(out) life(Sec/KB)
-------------- ---- ------------ --------------- --------- ------- -------- ------------
1067 3077 xxx.xxx.xxx.2 SiteA-SiteB:A-B(SiteA-SiteB) ESP/A128/SHA1 E7D7C3FE A10CF2BE 2285/0
Show IPSec SA: Total 1 tunnels found. 1 ipsec sa found.
When IKEv2 is used:
Output of "show vpn ike-sa" and "show vpn ipsec-sa" on ACTIVE NODE
(active)> show vpn ike-sa
There is no IKEv1 phase-1 SA found.
There is no IKEv1 phase-2 SA found.
IKEv2 SAs
Gateway ID Peer-Address Gateway Name Role SN Algorithm Established Expiration Xt Child ST
---------- ------------ ------------ ---- -- --------- ----------- ---------- -- ----- --
1067 xxx.xxx.xxx.2 SiteA-SiteB Init 1 PSK/ DH2/A128/SHA1 Dec.09 00:45:16 Dec.09 08:45:16 0 1 Established
IKEv2 IPSec Child SAs
Gateway Name TnID Tunnel ID Parent Role SPI(in) SPI(out) MsgID ST
------------ ---- ------ -- ------ ---- ------- -------- ----- --
SiteA-SiteB 3077 SiteA-SiteB:A-B 1 1 Init A8406D1E F9E6624E 00000001 Mature
Show IKEv2 SA: Total 1 gateways found. 1 ike sa found.

(active)> show vpn ipsec-sa
GwID/client IP TnID Peer-Address Tunnel(Gateway) Algorithm SPI(in) SPI(out) life(Sec/KB)
-------------- ---- ------------ --------------- --------- ------- -------- ------------
1067 3077 xxx.xxx.xxx.2 SiteA-SiteB:A-B(SiteA-SiteB) ESP/A128/SHA1 A8406D1E F9E6624E 3583/0
Show IPSec SA: Total 1 tunnels found. 1 ipsec sa found.
Output of "show vpn ike-sa" and "show vpn ipsec-sa" on PASSIVE NODE
admin@SiteA-Secondary(passive)> show vpn ike-sa
There is no IKEv1 phase-1 SA found.

admin@SiteA-Secondary(passive)> show vpn ipsec-sa
GwID/client IP TnID Peer-Address Tunnel(Gateway) Algorithm SPI(in) SPI(out) life(Sec/KB)
-------------- ---- ------------ --------------- --------- ------- -------- ------------
1067 3077 xxx.xxx.xxx.2 SiteA-SiteB:A-B(SiteA-SiteB) ESP/A128/SHA1 A8406D1E F9E6624E 3508/0
Show IPSec SA: Total 1 tunnels found. 1 ipsec sa found.
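The outputs above show the state an operator has to recognize after a failover: the node that just became active still holds the IPSec (phase 2) SAs that were synchronized, but has no IKE (phase 1) SA for those gateways. The following script is an added example for this article, not Palo Alto Networks' own code. It parses the "show vpn ike-sa" and "show vpn ipsec-sa" output in the format shown above (one table row per line), lists every gateway that has an IPSec SA but no IKE SA, and builds the corresponding "test vpn ike-sa gateway <name>" commands. The row regexes, the data class and the sample text (taken from the article's IKEv1 example) are this example's own assumptions; it handles both the IKEv1 and the IKEv2 phase 1 table layouts.

```python
"""Find gateways that hold an IPSec (phase 2) SA but no IKE (phase 1) SA.

Example code written for this article, not Palo Alto Networks' own. It parses
the whitespace-separated table rows printed by 'show vpn ike-sa' and
'show vpn ipsec-sa' and assumes the CLI syntax 'test vpn ike-sa gateway <name>'.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# IKE phase-1 rows (IKEv1 and IKEv2 tables): "<GwID> <peer> <gateway-name> Init|Resp ..."
# Phase-2 / child SA rows start with a gateway name, not a number, so they do not match.
_IKE_ROW = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(Init|Resp)\b")

# IPSec rows: "<GwID> <TnID> <peer> <tunnel>(<gateway>) <algo> <SPI in> <SPI out> <sec>/<KB>"
_IPSEC_ROW = re.compile(
    r"^(\d+)\s+(\d+)\s+(\S+)\s+([^\s(]+)\(([^)]+)\)\s+(\S+)\s+"
    r"([0-9A-Fa-f]+)\s+([0-9A-Fa-f]+)\s+(\d+)/(\d+)"
)


@dataclass(frozen=True)
class IpsecSa:
    """One row of 'show vpn ipsec-sa' (hypothetical structure for this example)."""
    gateway: str
    tunnel: str
    peer: str
    spi_in: str
    spi_out: str
    life_sec: int  # remaining lifetime in seconds (the Sec part of life(Sec/KB))


def parse_ike_gateways(ike_sa_output: str) -> set[str]:
    """Gateway names that currently have an IKE phase-1 SA (IKEv1 or IKEv2)."""
    found: set[str] = set()
    for line in ike_sa_output.splitlines():
        m = _IKE_ROW.match(line.strip())
        if m:
            found.add(m.group(3))
    return found


def parse_ipsec_sas(ipsec_sa_output: str) -> list[IpsecSa]:
    """IPSec SAs listed by 'show vpn ipsec-sa', one entry per tunnel."""
    sas: list[IpsecSa] = []
    for line in ipsec_sa_output.splitlines():
        m = _IPSEC_ROW.match(line.strip())
        if m:
            sas.append(IpsecSa(gateway=m.group(5), tunnel=m.group(4), peer=m.group(3),
                               spi_in=m.group(7), spi_out=m.group(8),
                               life_sec=int(m.group(9))))
    return sas


def gateways_missing_phase1(ike_sa_output: str, ipsec_sa_output: str) -> list[str]:
    """Gateways with an IPSec SA but no IKE SA, in first-seen order (no duplicates)."""
    have_ike = parse_ike_gateways(ike_sa_output)
    missing: list[str] = []
    for sa in parse_ipsec_sas(ipsec_sa_output):
        if sa.gateway not in have_ike and sa.gateway not in missing:
            missing.append(sa.gateway)
    return missing


def remediation_commands(ike_sa_output: str, ipsec_sa_output: str) -> list[str]:
    """CLI commands that re-establish phase 1 for each affected gateway."""
    return [f"test vpn ike-sa gateway {gw}"
            for gw in gateways_missing_phase1(ike_sa_output, ipsec_sa_output)]


# Constructed sample input: the passive node's output from the article's IKEv1
# example, and the active node's IKE SA table, one table row per line.
PASSIVE_IKE_SA = "There is no IKEv1 phase-1 SA found.\n"
PASSIVE_IPSEC_SA = """\
GwID/client IP TnID Peer-Address Tunnel(Gateway) Algorithm SPI(in) SPI(out) life(Sec/KB)
-------------- ---- ------------ --------------- --------- ------- -------- ------------
1067 3077 xxx.xxx.xxx.2 SiteA-SiteB:A-B(SiteA-SiteB) ESP/A128/SHA1 E7D7C3FE A10CF2BE 2285/0
Show IPSec SA: Total 1 tunnels found. 1 ipsec sa found.
"""
ACTIVE_IKE_SA = """\
GwID/client IP Peer-Address Gateway Name Role Mode Algorithm Established Expiration V ST Xt Phase2
-------------- ------------ ------------ ---- ---- --------- ----------- ---------- - -- -- ------
1067 xxx.xxx.xxx.2 SiteA-SiteB Init Main PSK/ DH2/A128/SHA1 Dec.08 19:03:59 Dec.09 03:03:59 v1 13 1 7
Show IKEv1 IKE SA: Total 1 gateways found. 1 ike sa found.
"""

if __name__ == "__main__":
    # On the former passive node this prints: test vpn ike-sa gateway SiteA-SiteB
    for cmd in remediation_commands(PASSIVE_IKE_SA, PASSIVE_IPSEC_SA):
        print(cmd)
    # On the active node nothing is printed: every IPSec SA has its IKE SA.
    for cmd in remediation_commands(ACTIVE_IKE_SA, PASSIVE_IPSEC_SA):
        print(cmd)
```

Feed the script the captured output of the two commands from the node that just became active; the resulting command list is exactly what a "log to action" trigger should run for that node. Because the check keys on gateway names rather than SPIs, it works equally for IKEv1 and IKEv2 gateways and for several tunnels sharing one gateway.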
Additional Information
Synchronization of System Runtime Information