In a Palo Alto Networks Active/Passive High Availability (HA) configuration, the HA2 link is the dedicated data link for synchronizing runtime state information. This ensures a stateful failover if the active firewall fails. For IPsec tunnels, the active firewall synchronizes the established Phase 2 Security Associations (SAs) with the passive firewall over this HA2 link. The Phase 1 (IKE) SA is not synchronized because the IKE process is managed on the control plane, which is not part of the runtime state synchronization. Upon failover, the new active firewall can immediately use the synchronized Phase 2 SAs to process traffic.

A: Phase 1 SAs are not synchronized, and the HA3 link is used for packet forwarding in Active/Active mode, not for state synchronization.

C: Phase 1 SAs are not synchronized. Only Phase 2 SAs, which are part of the data plane's session state, are synchronized.

D: The HA1 link is the control link used for heartbeats and configuration synchronization, not for runtime state like SAs.

1. Palo Alto Networks PAN-OS® Administrator’s Guide 11.0: In the section on High Availability

it specifies the function of the HA links.

Reference: "HA Concepts > HA Links and Backup Links"

Content: "The HA2 link is a Layer 2 link that is used to synchronize sessions

forwarding tables

ARP tables

and IPsec SAs between the firewalls in an HA pair." This confirms the use of the HA2 link for SA synchronization.

2. Palo Alto Networks PAN-OS® Administrator’s Guide 11.0: The guide explicitly details which SAs are synchronized for stateful failover.

Reference: "High Availability > Set Up Active/Passive HA > Stateful Failover for IPsec Tunnels"

Content: "For stateful failover of IPsec tunnels

the firewall synchronizes only the Phase 2 SAs. The IKE (Phase 1) SA is not synchronized." This directly supports that only Phase 2 SAs are synchronized.