VPNs fail after a failover in CP cluster uses 3rd party cluster solutions (GAIA VRRP / IPSO VRRP and IP clustering)

Support Center > Search Results > SecureKnowledge Details

Technical Level

Solution ID	sk36544
Technical Level
Product	IPSec VPN
Version	All
OS	Gaia
Platform / Model	All
Date Created	16-Dec-2008
Last Modified	09-Sep-2022

Symptoms

VPN tunnels are failing following a failover.

Cause

The fwha_sync_outbound_sa setting in the $FWDIR/conf/objects_5_0.C is set to false.

The outbound security association keys (outbount IPsec SAs) used to encrypt the traffic are not synced to the standby member in 3rd party clustering solutions (GAIA VRRP or IPSO VRRP and IP Clustering).

When the failover happens, there is no valid SA for the connection as the new active member doesn't have the required IPsec SA keys for encryption.

The connection will not established till a new VPN tunnel (QM) will be negotiated to create new IPsec SAs.

Solution

Note: To view this solution you need to Sign In .