topic Re: HA problem Pa 410, Pa 3250 in General Topics

HA problem Pa 410, Pa 3250

krzysztof.kubiak — Fri, 19 May 2023 05:23:42 GMT

Hi all.

I created an HA group from device PA410 (the same problem on PA3250) mode active-standby , when i switch active device to passive, the passive device becomes active and i have a problem. there is no access to the firewall for about a minute

the following occurs for Pan OS 10.1.8

I did update pan os to version 10.1.9 h3

I see a slight improvement but still the unavailability time

the configuration of the HA group has not changed, as far as I remember on PAN OS 9.1.x I did not have this problem and now it occurs for devices of the 3250 and 410, 440 series

Re: HA problem Pa 410, Pa 3250

Raido_Rattameister — Fri, 19 May 2023 12:56:38 GMT

Sounds like underlying network issue where spanning tree takes time to enable ports.

It is possible switch passive firewall ports from shut down to active all the time but before this can be suggested we need to know more about your environment.

Current HA "Passive Link State" configuration.

Any AE interfaces connecting to switch?

If yes then do you have LACP and do you have port channel in switch by firewall or are all ports to both firewalls in single port channel (bad).

Re: HA problem Pa 410, Pa 3250

krzysztof.kubiak — Fri, 19 May 2023 14:56:16 GMT

Bellow my branch diagram, The connection between Palo and the switch is one access link

configuration ha Pasive link state :auto

When I change to make activ devices standby and standby activ device i lost conection from lan to internet.

All port on switch going down and up :

May 19 16:29:30 CEST: %LINK-3-UPDOWN: Interface GigabitEthernet0/8, changed state to down
May 19 16:29:33 CEST: %LINK-3-UPDOWN: Interface GigabitEthernet0/8, changed state to up

May 19 16:29:37 CEST: %LINK-3-UPDOWN: Interface GigabitEthernet0/10, changed state to down
May 19 16:29:41 CEST: %LINK-3-UPDOWN: Interface GigabitEthernet0/10, changed state to up

i'm try use on switch port configuration spanning-tree portfast But this does not bring improvement

Re: HA problem Pa 410, Pa 3250

Raido_Rattameister — Fri, 19 May 2023 15:36:34 GMT

As next step I suggest to configure packet capture on passive firewall by configuring interface that connects to Cisco switch and include non-ip traffic.

Check how long it takes for traffic to start flowing in after firewall becomes active.

Just a random suggestion that is not related to your issue.

HA1 is related to mgmt plane.

HA2 is related to dataplane.

I would flip those ports around.

HA1 is used to replicate config and send heart beats.

Dedicated mgmt port is connected to mgmt plane but eth1/6 is connected to dataplane so this is not optimal setup.

Re: HA problem Pa 410, Pa 3250

TomYoung — Fri, 19 May 2023 16:11:04 GMT

Hi @krzysztof.kubiak ,

I have PA-450s on 10.1.9-h3, and I do not have this problem. Failover is immediate. For this issue, you need to look at the switches.

Are the ports connected to the passive NGFW up on both switches?
What STP state are they in?
Perform a failover and watch the ports transition. Also check how fast the MAC addresses switch to the new ports.
Does your HA widget in the Dashboard show all HA links are green?

A minute outage sounds like an STP convergence issue.

Thanks,

Tom

Re: HA problem Pa 410, Pa 3250

krzysztof.kubiak — Fri, 19 May 2023 18:19:44 GMT

--- Are the ports connected to the passive NGFW up on both switches?
Yes all ports up

----What STP state are they in?
default i'm not configure enable only spanning-tree mode rapid-pvst

Perform a failover and watch the ports transition. Also check how fast the MAC addresses switch to the new ports.
--- I can check how I will be directly connected to the switch, the firewalls are in a remote location

Does your HA widget in the Dashboard show all HA links are green?
--- all links are green

Re: HA problem Pa 410, Pa 3250

TomYoung — Fri, 19 May 2023 18:24:54 GMT

Hi @krzysztof.kubiak ,

RSTP ports still can be in a blocking state.

You may need to have someone on site to troubleshoot. It is most likely a L2 problem.

Thanks,

Tom