https://live.paloaltonetworks.com/t5/prisma-sd-wan-discussions/ion-ha-with-dedicated-controller-port/m-p/547003#M99 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/66994">@Markus_B</a>&nbsp;<BR /><BR />The possibility you explained with the switch will not face the issue because the drive with an HA-active state will continue its functioning. All my inputs are from experience. and HA logic is similar to VRRP here with Prisma-SDWAN.&nbsp;<BR /><BR /></P> Fri, 23 Jun 2023 13:11:23 GMT kn 2023-06-23T13:11:23Z https://live.paloaltonetworks.com/t5/prisma-sd-wan-discussions/ion-ha-with-dedicated-controller-port/m-p/546865#M96 <P>Hi everyone,</P> <P>&nbsp;</P> <P>we recently re-IP'd a set of two ION3000s in an HA group and saw that site losing connectivity at every single step. That got me thinking - these IONs have two controller ports, one of which is completely unused. Can we configure that empty controller port on both IONs to be in some none-routable /30 subnet and connect the IONs directly to each other? We're doing essentially that on all our panOS firewalls already and it works great.</P> Thu, 22 Jun 2023 14:10:57 GMT https://live.paloaltonetworks.com/t5/prisma-sd-wan-discussions/ion-ha-with-dedicated-controller-port/m-p/546865#M96 Markus_B 2023-06-22T14:10:57Z https://live.paloaltonetworks.com/t5/prisma-sd-wan-discussions/ion-ha-with-dedicated-controller-port/m-p/546953#M97 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/66994">@Markus_B</a>&nbsp;&nbsp;<BR /><BR />In-person, I don't think connecting the ION controller2 interfaces back to back is a smart idea. When the active ION is powered off, the backup ION cannot become operational since its HA-control port (controller2) is likewise shut down.<BR />You may run a fast test on this behavior to confirm the above assertion.<BR /><BR />-kn</P> <P>&nbsp;</P> Fri, 23 Jun 2023 04:12:39 GMT https://live.paloaltonetworks.com/t5/prisma-sd-wan-discussions/ion-ha-with-dedicated-controller-port/m-p/546953#M97 kn 2023-06-23T04:12:39Z https://live.paloaltonetworks.com/t5/prisma-sd-wan-discussions/ion-ha-with-dedicated-controller-port/m-p/546998#M98 <P>Thanks for your reply, <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/223283">@kn</a>&nbsp;</P> <P>&nbsp;</P> <P>unfortunately, I don't have any lab units to test this with. I also haven't been able to find any technical details on how HA is designed, so I can only speculate. However, let me think your comment a bit further.</P> <P>&nbsp;</P> <P>You're essentially saying, that an ION in an operational HA-group and passive state will refuse to ever become active, if the port configured for HA-sync is physically down. That would mean, that if I have the controller ports on a physically separate management network and the corresponding switch fails (or the cable gets damaged or unplugged), I lose HA completely. I would personally consider that questionable system design and be worried about deploying these IONs until an Engineer with Palo/Cloudgenix has a very good explanation on why that is. However I assume, that you're guessing as much as I am?</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Thanks</P> Fri, 23 Jun 2023 12:53:12 GMT https://live.paloaltonetworks.com/t5/prisma-sd-wan-discussions/ion-ha-with-dedicated-controller-port/m-p/546998#M98 Markus_B 2023-06-23T12:53:12Z https://live.paloaltonetworks.com/t5/prisma-sd-wan-discussions/ion-ha-with-dedicated-controller-port/m-p/547003#M99 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/66994">@Markus_B</a>&nbsp;<BR /><BR />The possibility you explained with the switch will not face the issue because the drive with an HA-active state will continue its functioning. All my inputs are from experience. and HA logic is similar to VRRP here with Prisma-SDWAN.&nbsp;<BR /><BR /></P> Fri, 23 Jun 2023 13:11:23 GMT https://live.paloaltonetworks.com/t5/prisma-sd-wan-discussions/ion-ha-with-dedicated-controller-port/m-p/547003#M99 kn 2023-06-23T13:11:23Z