topic Re: HA Passive interfaces not coming up. in Next-Generation Firewall Discussions

HA Passive interfaces not coming up.

fw1972 — Mon, 02 Sep 2024 09:28:52 GMT

Hi All, I have searched the community before posting however I cannot find a solution for the issue I am experiencing.

We have a very straightforward physical topology. A cisco 9500 sw switch stack operating as a stackwise-virtual chassis. On Switch 1 we have a single layer 2 copper connection to Palo-1 for inside traffic (inside to outside), on switch 2 we have a single layer 2 copper connection to Palo-2 for inside traffic (inside to outside). Palo-1 is the active FW, Palo-2 is the Passive FW. HA is configured and directly connected, passive link state is 'shutdown'. The 9500 interfaces are configured as 'access' mode interfaces with spanning-tree portfast edge applied.

The issue we are seeing is during a manual failover from Palo-1 to Palo-2, the interfaces on Palo-2 do not become active, they remain down. I am not sure if changing the passive link state to 'auto' will help at all, other than speed up convergence time.

Can anyone please suggest what could be the issue?

Thanks!

Re: HA Passive interfaces not coming up.

reaper — Mon, 02 Sep 2024 11:09:12 GMT

how are you failing the cluster over?

- manually setting the active member to suspended state ( device > high availability > operational commands > suspend local device)

- unplugging/shutting an interface

the last option also requires you to monitor your interfaces via device > high availability > link and path monitoring

else, your cluster will not fail over

Re: HA Passive interfaces not coming up.

fw1972 — Tue, 03 Sep 2024 08:55:09 GMT

Hi - thanks for the response!

The links are monitored and the failover is being initiated as you have suggested above. We have changed the passive link state to auto from shutdown however the ports on passive Palo-Alto 2 connected to the core switch virtual chassis (switch 2) are in a 'notconnect' state. When these connections are moved from core switch virtual chassis (switch 2) to (switch 1), the ports transition into a connected state. Does this suggest a loop in either the core switch or the Palo cluster? No logs are available on the core switch.

Re: HA Passive interfaces not coming up.

reaper — Mon, 09 Sep 2024 10:36:15 GMT

hm... that's tricky.... i'd be inclined to 'blame' the switch2

the firewall should not care about loops when bringing up it's interfaces. As soon as the firewall becomes 'active/primary' the interfaces should come online regardless. If there's a loop you'll see a lot of errors on the interface etc, but the interfaces will remain up