VPNs fail after a failover when a CP cluster uses 3rd party cluster solutions (GAIA VRRP / IPSO VRRP and IP clustering)
Symptoms
  • VPN tunnels are failing following a failover.
Cause

The fwha_sync_outbound_sa setting in $FWDIR/conf/objects_5_0.C is set to false.

The outbound security association keys (outbound IPsec SAs) used to encrypt the traffic are not synced to the standby member in 3rd party clustering solutions (GAIA VRRP or IPSO VRRP and IP Clustering).

When the failover happens, there is no valid SA for the connection as the new active member doesn't have the required IPsec SA keys for encryption.

The connection will not be established until a new VPN tunnel (QM) is negotiated to create new IPsec SAs.

