Tuesday, March 6, 2018

Troubleshooting - PA-3050 HA Failover Test - VPN Fails

We are building a new data center that has this as the stack in front of the PA-3050. This is still being built and tested, and nothing is being stored or built here yet. Unfortunately, I only have access to the PAs, and only remotely.

Cisco ISR > Cisco 5516x (for VPN) > PA-3050 - All have two devices for HA.

I am 95% sure my configuration is correct in the PA (my first implementation of a Palo Alto FW). However, when I did my first failover test, I couldn't access either firewall, but the VPN was still up. I had to reboot the FWs to get the A side to take back over, and then both firewalls were available, which was strange. Since then, I made some changes in the config that put me at 95% certainty that the PA config is good. When I went to test my failover again, the firewalls are apparently correct in their LED indicators, but the VPN is completely down with the error "The AnyConnect package on the secure gateway could not be located." I've researched this issue and found that it is quite common; however, no solution really fit my scenario. My thought is that the 2nd (B side) 5516x either does not have AnyConnect configured, or not configured correctly (a mismatch in the AC package version), or the 5516x is not prepared for HA failover.

Has anyone run into this issue? What did you find the problem to be? What information (remember, only from the PAs) would help you solve this?

Thank you!!
