topic Re: datapalne issue in General Topics

datapalne issue

dawoodJabbar — Sun, 05 Jun 2022 05:32:57 GMT

I have 2 Paloalto firewalls working as ha active-passive, yesterday we had HA test so try to pass the traffic to the passive device buy suspend the active, the passive become active everything works fine till now my issue is the interface of the firewall 2 is not responding to anything ping or anything my network is down in Cisco switches showing interface up but not showing lldp Although lldp is enabled on Paloalto, now I’m rollback to firewall 1 Everything work fine, but the second firewall still its interfaces not working it’s up but not passing any traffic even when I try to connect PC directly to Interface There is no ping

even I tried to factory reset and still the same issue and upgraded the device to the latest pan-os 2.0.1

Re: datapalne issue

JoergSchuetter — Sun, 05 Jun 2022 06:02:32 GMT

The passive device does not respond to anything (besides on the mgn interface). That's due to moving the IP and MAC to the active node, the passive node has no IP on the "traffic" interfaces.

If you have LLDP enabled, please verify that "Enable in HA Passive State" is ticked (Interfaces --> Ethernet --> your Interface --> Advanced --> [x] Enable LLDP -- [x] Enable in HA Passive State)

Re: datapalne issue

dawoodJabbar — Sun, 05 Jun 2022 06:12:33 GMT

the LLDP is enabled on the Passive firewall kindly check the attachment for that, I try to make the passive to be active but still have the same issue, I try to factory reset the firewall and try to do basic configuration just to check the issue is related to ha or we have a hardware issue in the data plane.

Re: datapalne issue

dawoodJabbar — Sun, 05 Jun 2022 06:24:52 GMT

the LLDP Is enabled on the passive firewall, I try to suspend the local device for ha in the active firewall to move the traffic to the passive but the device does not forward any traffic, and it becomes active in ha, I also try to remove it from ha and upgraded the device to the latest pan-os 2.0.1 also factory reset the device but still same

Re: datapalne issue

dawoodJabbar — Sun, 05 Jun 2022 06:36:13 GMT

the LLDP is enabled on the passive firewall, I try to make the passive firewall become active but still faced the same issue also remove it from ha and check the interface but no luck, any idea

Re: datapalne issue

dawoodJabbar — Sun, 05 Jun 2022 06:38:21 GMT

I try to upgrade the device to the latest pan-os 2.0.1 and still the same also factory reset the firewall and setup the basic configuration to check the interface but still same

Re: datapalne issue

rmfalconer — Mon, 06 Jun 2022 20:35:47 GMT

Can you confirm the version you're using?

Re: datapalne issue

BPry — Tue, 07 Jun 2022 02:08:51 GMT

@dawoodJabbar,

Hopefully you were able to resolve this over the weekend, however it seems like this is going to be harder to troubleshoot over a text based forum and things may not have been in a good spot before your test. Hopefully if you haven't already done so, you've engaged TAC to look at this with you to rule out any configuration or device issues.

A couple things that I have questions/observations on after a few of your comments:

Have you ever done a failover before and have it work, or is this a new Active/Passive configuration?
Attempting to ping an interface isn't really that great of a test with PAN, as there's moving parts to having the traffic allowed. When you did the factory reset on the passive firewall, did you remember to active an interface-management profile that allowed ICMP and actually allow it on your rulebase assuming you weren't relying on intrazone-default?
On your passive firewall, what is the actual status of the device? When you go through and reset things and configure it, are you seeing the auto-commit and subsequent commits succeed?
Lastly if you're actively facing an issue with an HA test without making other prior changes, I'd really recommend NOT upgrading PAN-OS. You're really just introducing another set of variables to the issue, and you've now moved into a state where you had a known working HA-pair to start with to one that's in an unknown state. When trying to solve an issue, introducing changes just increases complexity.

Re: datapalne issue

dawoodJabbar — Tue, 07 Jun 2022 05:17:38 GMT

Have you ever done a failover before and have it work,

yes we have tested the ha failover about 6 Months ago.

is this a new Active/Passive configuration?

no.

On your passive firewall, what is the actual status of the device?

the management plane works fine but the data plane is not working the data plane session count is zero.

When you go through and reset things and configure it?

after upgrading the passive i thought its a configuration issue so i factory rest the device to sure by using this command

request system private-data-reset and also do the factory rest by palo alto factory reset maintenance mode same thing no responses

on data plane

are you seeing the auto-commit and subsequent commits succeed?

yes, and I do some change and the commits working fine

Attempting to ping an interface isn't really that great of a test with PAN, as there's moving parts to having the traffic allowed. When you did the factory reset on the passive firewall, did you remember to active an interface-management profile that allowed ICMP and actually allow it on your rulebase assuming you weren't relying on intrazone-default?

yes i add icmp in the interface-management profile and apply this on the interface that was under test,and i creat new rule to allowed

the traffic to pass the firewall ,

i also try do downgrade to 10.1.5h2 after factory rest and no luck

Re: datapalne issue

aleksandar.astardzhiev — Tue, 07 Jun 2022 14:41:36 GMT

Hi @dawoodJabbar ,

I am little confused by what is the acutal problem you are facing...

Am I understand correctly that:

- You have failovered to second member and no traffic was passing over the firewall

- You have removed this member from HA, factory reset it and try to use it as standalone but still no traffic is passing the firewall?

Re: datapalne issue

dawoodJabbar — Tue, 07 Jun 2022 14:48:09 GMT

Yes exactly today Palo Alto TAC team investigate this issue with me about six hours they collect log and try everything downgrade but no luck actually they say that its data plane issue and will investigate more in the log they took and if they nothing found it’s RMA