What Happens to IPSec GlobalProtect VPN During a Failover Event?
Question
What happens to the IPSec GlobalProtect VPN during a failover event?
Environment
- PA-VM 100 in Active/Passive High Availability (HA) configuration
- PAN-OS 10.2.0
- GlobalProtect 6.1.0-58
Answer
When using IPSec, failover should be seamless from a GlobalProtect VPN perspective, since both HA peers retain the VPN session. The explanation follows.
When the VPN is first established to the active firewall, the IPSec session is synchronized from the active unit to the passive unit over the HA2 link. Both firewalls therefore show the same number of connected users in their databases. Note that this relies on session synchronization over HA2 being enabled and the HA2 link being up; without it, the passive unit holds no copy of the IPSec session and clients must reconnect after a failover.
When a failover occurs, the new active unit automatically sends a Gratuitous ARP (GARP), so every device on the same LAN as the HA pair updates its ARP table to map the VPN gateway IP address to the MAC address of the new active peer. The replicated IPSec session together with GARP gives a transparent transition between peers: the VPN does not need to be re-established, and the only traffic disruption should be the brief interval while devices in the broadcast domain update their ARP tables.
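The ARP side of the transition, as an added example that is not code from the original article or from Palo Alto Networks: a minimal parser for IPv4-over-Ethernet ARP frames, a check that recognises a gratuitous ARP (sender IP equal to target IP, sent to the broadcast address), and a simplified host-side ARP cache that remaps the gateway IP to the new peer's MAC when the GARP arrives. The gateway IP, the two firewall MACs, the LAN host and the two captured frames are constructed sample values, not data from the page.

```python
"""
Added example (not from the original article): parse ARP frames, detect
gratuitous ARP, and show a LAN host's ARP cache moving the gateway IP from
the old active HA peer to the new one. All addresses below are assumptions.
"""
import struct
from dataclasses import dataclass

GATEWAY_IP = "192.0.2.1"               # assumed floating GlobalProtect gateway IP shared by the HA pair
MAC_OLD_ACTIVE = "00:1b:17:00:00:01"   # assumed MAC of the unit that was active before failover
MAC_NEW_ACTIVE = "00:1b:17:00:00:02"   # assumed MAC of the unit that took over
MAC_BROADCAST = "ff:ff:ff:ff:ff:ff"
MAC_ZERO = "00:00:00:00:00:00"
ETHERTYPE_ARP = b"\x08\x06"
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_to_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))


def bytes_to_mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(x) for x in ip.split("."))


def build_arp_frame(op: int, sender_mac: str, sender_ip: str, target_mac: str,
                    target_ip: str, dst_mac: str = MAC_BROADCAST) -> bytes:
    """Ethernet II header followed by an RFC 826 ARP packet (IPv4 over Ethernet)."""
    eth = mac_to_bytes(dst_mac) + mac_to_bytes(sender_mac) + ETHERTYPE_ARP
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)   # htype, ptype, hlen, plen, opcode
    arp += mac_to_bytes(sender_mac) + ip_to_bytes(sender_ip)
    arp += mac_to_bytes(target_mac) + ip_to_bytes(target_ip)
    return eth + arp


@dataclass
class ArpPacket:
    op: int
    sender_mac: str
    sender_ip: str
    target_mac: str
    target_ip: str
    broadcast: bool

    @property
    def gratuitous(self) -> bool:
        # A GARP announces the sender's own IP to everyone: sender IP equals
        # target IP and the frame is broadcast (request or reply form).
        return self.broadcast and self.sender_ip == self.target_ip


def parse_arp(frame: bytes):
    """Return an ArpPacket for a well-formed IPv4/Ethernet ARP frame, else None."""
    if len(frame) < 42 or frame[12:14] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4) or op not in (ARP_REQUEST, ARP_REPLY):
        return None
    return ArpPacket(
        op=op,
        sender_mac=bytes_to_mac(frame[22:28]),
        sender_ip=".".join(str(x) for x in frame[28:32]),
        target_mac=bytes_to_mac(frame[32:38]),
        target_ip=".".join(str(x) for x in frame[38:42]),
        broadcast=frame[0:6] == b"\xff" * 6,
    )


class HostArpCache:
    """Simplified LAN-host cache: a reply to us or a GARP (re)writes the entry.
    Real stacks differ in detail (Linux by default only refreshes an entry
    that already exists when it sees unsolicited ARP)."""

    def __init__(self):
        self.table = {}       # ip -> mac
        self.garp_seen = []   # (ip, mac) announcements observed on the wire

    def observe(self, frame: bytes) -> None:
        pkt = parse_arp(frame)
        if pkt is None:
            return
        if pkt.gratuitous:
            self.garp_seen.append((pkt.sender_ip, pkt.sender_mac))
            self.table[pkt.sender_ip] = pkt.sender_mac
        elif pkt.op == ARP_REPLY:
            self.table[pkt.sender_ip] = pkt.sender_mac

    def resolve(self, ip: str):
        return self.table.get(ip)


def simulate_failover():
    """Constructed two-frame trace: the old active unit answers a normal ARP
    request, then the new active unit broadcasts a GARP after failover.
    Returns (mac before failover, mac after failover, GARPs seen)."""
    host_mac, host_ip = "00:50:56:aa:bb:cc", "192.0.2.10"   # assumed upstream router/host
    cache = HostArpCache()
    cache.observe(build_arp_frame(ARP_REPLY, MAC_OLD_ACTIVE, GATEWAY_IP,
                                  host_mac, host_ip, dst_mac=host_mac))
    before = cache.resolve(GATEWAY_IP)
    cache.observe(build_arp_frame(ARP_REQUEST, MAC_NEW_ACTIVE, GATEWAY_IP,
                                  MAC_ZERO, GATEWAY_IP))
    return before, cache.resolve(GATEWAY_IP), cache.garp_seen


if __name__ == "__main__":
    print(simulate_failover())
```

The same `parse_arp` and `gratuitous` check can be run over frames read from a capture taken on the gateway's LAN segment during a test failover: the gap between the last frame from the old MAC and the GARP from the new MAC is the disruption window described above, and a missing GARP (or a downstream switch or host that does not honour it) is the first thing to look for if clients lose the tunnel.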