IPSEC VPN tunnel goes down after HA-failover

Created On 08/29/22 22:00 PM - Last Modified 03/12/25 03:39 AM


Symptom


After an HA failover the IPSec tunnel is down.

Environment


  • Firewalls configured in Active/Passive HA Pair.
  • Supported PAN-OS
  • High-Availability
  • DPD Enabled


Cause


  • IKE (phase-1) SAs are not synchronized between the HA peers; only IPSec (phase-2) SAs are. After a failover the newly active member therefore still has the IPSec SAs but has no IKE SA, and it must renegotiate phase 1 again.
  • DPD runs inside the IKE main-mode SA, and main-mode state is not synced to the other peer. The remote peer keeps sending DPD messages under the IKE SA it negotiated with the previously active member, but the newly active member no longer has that SA, so it cannot read or reply to those messages.
  • Because phase-1 state is never synchronized, DPD is expected to fail after a failover.


Resolution


Workaround: Configure tunnel monitoring, which will renegotiate phase 1 after the failover, or disable DPD.
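An added example, not part of the article: how to confirm the phase-1/phase-2 mismatch on the newly active firewall and apply either workaround from the PAN-OS CLI. Names in angle brackets are placeholders, and the command syntax is assumed from PAN-OS configure-mode conventions rather than taken from this article.

```text
# On the newly active member, confirm what the Cause section describes:
# the IPsec (phase-2) SA survived the failover, the IKE (phase-1) SA did not.
admin@PA-active> show high-availability state
admin@PA-active> show vpn ipsec-sa tunnel <tunnel-name>      # phase-2 SA is listed
admin@PA-active> show vpn ike-sa gateway <gateway-name>      # no phase-1 SA is listed

# Workaround A: enable tunnel monitoring so a failed probe triggers
# renegotiation of phase 1 instead of leaving the tunnel down.
admin@PA-active> configure
admin@PA-active# set network profiles monitor-profile <monitor-profile> action wait-recover interval 3 threshold 5
admin@PA-active# set network tunnel ipsec <tunnel-name> tunnel-monitor enable yes
admin@PA-active# set network tunnel ipsec <tunnel-name> tunnel-monitor destination-ip <remote-tunnel-ip>
admin@PA-active# set network tunnel ipsec <tunnel-name> tunnel-monitor tunnel-monitor-profile <monitor-profile>

# Workaround B: disable DPD on the IKE gateway (IKEv1 shown) so the unanswered
# DPD messages after failover no longer tear the tunnel down.
admin@PA-active# set network ike gateway <gateway-name> protocol ikev1 dpd enable no
admin@PA-active# commit

# After either change, bring phase 1 back up immediately rather than waiting
# for the next trigger, then re-check the IKE SA table.
admin@PA-active> test vpn ike-sa gateway <gateway-name>
admin@PA-active> show vpn ike-sa gateway <gateway-name>
```

Apply only one of the two workarounds; tunnel monitoring keeps liveness detection, while disabling DPD removes it on that gateway.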



Additional Information


IPSEC VPN SA Synchronization in an active/passive HA Pair
IPSEC VPN IKE Phase 1 is down but Tunnel is Active


https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000wlQMCAY&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail