Error:
An unexpected error occurred. Please click Reload to try again.
Error:
An unexpected error occurred. Please click Reload to try again.
IPSEC VPN SA synchronization in an Active/Passive HA pair - Knowledge Base - Palo Alto Networks

IPSEC VPN SA synchronization in an Active/Passive HA pair

54460
Created On 09/28/20 08:18 AM - Last Modified 07/06/23 23:03 PM


Symptom


  • When a VPN is terminated on a Palo Alto firewall HA pair, not all IPSEC related information is synchronized between the firewalls.
  • It can be observed that the output of "show vpn ike-sa" would not display any SA on the passive device of the HA pair. 


Environment


  • PAN Active/Passive HA Pair
  • Any PanOS


Resolution


This is an expected behavior. IKE phase 1 SA information is NOT synchronized between the HA firewalls.

Note:
  1. If tunnels are brought completely down after a HA failover, First disable DPD on their IPSEC peer devices. DPD will bring the complete tunnel down in the event Phase 1 is down. 
  2. To being up phase 1 automatically, use the HTTP Log Forwarding feature known as "log to action". If the firewall sees a HA event in the logs, configure "log to action" to trigger the command "test vpn ike-sa" to bring up phase 1 automatically in the event of a failover. 

Here is a sample of expected output.

When IKEv1 is used:

Output of "show vpn ike-sa " and "show vpn ipsec-sa" on ACTIVE NODE

(active)> show vpn ike-sa 
IKEv1 phase-1 SAs

GwID/client IP  Peer-Address           Gateway Name           Role Mode Algorithm             Established     Expiration      V  ST Xt Phase2

--------------  ------------           ------------           ---- ---- ---------             -----------     ----------      -  -- -- ------

1067            xxx.xxx.xxx.2          SiteA-SiteB            Init Main PSK/ DH2/A128/SHA1    Dec.08 19:03:59 Dec.09 03:03:59 v1 13 1  7      

Show IKEv1 IKE SA: Total 1 gateways found. 1 ike sa found.


(active)> show vpn ipsec-sa
IKEv1 phase-2 SAs

Gateway Name           TnID     Tunnel                 GwID/IP          Role Algorithm          SPI(in)  SPI(out) MsgID    ST Xt 

------------           ----     ------                 -------          ---- ---------          -------  -------- -----    -- -- 

SiteA-SiteB            3077     SiteA-SiteB:A-B        1067             Resp ESP/ DH2/tunl/SHA1 E7D7C3FE A10CF2BE C018D184 9  1   

Show IKEv1 phase2 SA: Total 1 gateways found. 1 ike sa found.

 


Output of "show vpn ike-sa " and "show vpn ipsec-sa" on PASSIVE NODE

admin@SiteA-Secondary(passive)> show vpn ike-sa 

There is no IKEv1 phase-1 SA found.
There is no IKEv1 phase-2 SA found.
There is no IKEv2 SA found.

(passive)> show vpn ipsec-sa 

GwID/client IP  TnID   Peer-Address           Tunnel(Gateway)                                Algorithm          SPI(in)  SPI(out) life(Sec/KB)            

--------------  ----   ------------           ---------------                                ---------          -------  -------- ------------            

1067            3077   xxx.xxx.xxx.2          SiteA-SiteB:A-B(SiteA-SiteB)                   ESP/A128/SHA1      E7D7C3FE A10CF2BE 2285/0                   

Show IPSec SA: Total 1 tunnels found. 1 ipsec sa found.

 

 
When IKEv2 is used:


Output of "show vpn ike-sa " and "show vpn ipsec-sa" on ACTIVE NODE

(active)> show vpn ike-sa

There is no IKEv1 phase-1 SA found.

There is no IKEv1 phase-2 SA found.

IKEv2 SAs

Gateway ID      Peer-Address           Gateway Name           Role SN       Algorithm             Established     Expiration      Xt Child  ST                  

----------      ------------           ------------           ---- --       ---------             -----------     ----------      -- -----  --                  

1067            xxx.xxx.xxx.2          SiteA-SiteB            Init 1        PSK/ DH2/A128/SHA1    Dec.09 00:45:16 Dec.09 08:45:16 0  1      Established          

IKEv2 IPSec Child SAs

Gateway Name           TnID     Tunnel                    ID       Parent   Role SPI(in)  SPI(out) MsgID    ST              

------------           ----     ------                    --       ------   ---- -------  -------- -----    --              

SiteA-SiteB            3077     SiteA-SiteB:A-B           1        1        Init A8406D1E F9E6624E 00000001 Mature           

Show IKEv2 SA: Total 1 gateways found. 1 ike sa found.

(active)> show vpn ipsec-sa

GwID/client IP  TnID   Peer-Address           Tunnel(Gateway)                                Algorithm          SPI(in)  SPI(out) life(Sec/KB)            

--------------  ----   ------------           ---------------                                ---------          -------  -------- ------------            

1067            3077   xxx.xxx.xxx.2          SiteA-SiteB:A-B(SiteA-SiteB)                   ESP/A128/SHA1      A8406D1E F9E6624E 3583/0                   

Show IPSec SA: Total 1 tunnels found. 1 ipsec sa found.



Output of "show vpn ike-sa " and "show vpn ipsec-sa" on PASSIVE NODE

admin@SiteA-Secondary(passive)> show vpn ike-sa

There is no IKEv1 phase-1 SA found.
There is no IKEv1 phase-2 SA found.
There is no IKEv2 SA found.

admin@SiteA-Secondary(passive)> show vpn ipsec-sa

GwID/client IP  TnID   Peer-Address           Tunnel(Gateway)                                Algorithm          SPI(in)  SPI(out) life(Sec/KB)            

--------------  ----   ------------           ---------------                                ---------          -------  -------- ------------            

1067            3077   xxx.xxx.xxx.2          SiteA-SiteB:A-B(SiteA-SiteB)                   ESP/A128/SHA1      A8406D1E F9E6624E 3508/0                   

Show IPSec SA: Total 1 tunnels found. 1 ipsec sa found.

 



Additional Information


Synchronization of System Runtime Information

Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000HAuZCAW&lang=en_US%E2%80%A9&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Choose Language