topic Firewall HA - Confirmation Behavioral - Link Monitor - HA Vwire - Active Passive - Link state Shutdown in General Topics

Firewall HA - Confirmation Behavioral - Link Monitor - HA Vwire - Active Passive - Link state Shutdown

Metgatz — Fri, 04 Aug 2023 09:14:46 GMT

Hello Live Community , good evening, how are you, I hope you are very well.

I have a question that I would like you to confirm and comment on please. Thank you for your collaboration and for your good vibes.

In a VWire Active-Passive HA environment, where this topology exists.

Firewall-01 on VWire Active ----- Firewall-02 on VWire Passive

Interfaces 1/1 and 1/2 Vwire-01

Firewall-01 Priority 50

Firewall-02 Priority 100

Preemtive enabled on both computers.

Preemtive Hold time: 1 Minute ( Default value ).

Passive Link State: Shutdown

Vwire: Link-State-Pass-Through enable ( Default ).

Link monitor on both firewalls:

Firewall-01: Ethernet 1/1 and 1/2 - ANY Interface

Firewall-02: Ethernet 1/1 and 1/2 - ANY Interface

Failure Scenario:

In the event of a failure in the Firewall-01 Ethernet 1/1 and 1/2 interface. Firewall-02 will assume the role of Active.

If Firewall-01 recovers from its failure in its Ethernet interfaces 1/1 and 1/2, Firewall-02 of the secondary block (with the Role of Active) will wait 1 minute (Preemtive Hold Time 1 minute) to redeliver the Active Role to Firewall-01 to the main block.

Or for this to work, should the secondary be in Passive Link Auto so that it is negotiating and not in Passive Link Shutdown? This is because I have a doubt, since how is it going to detect the Palo Alto that recovered from its failure condition, from the link monitor, if it has its interfaces down, they should be on auto, right?

In HA VWire environment I'm not entirely familiar versus L3 environments.

Com VWire according to what I comment, especially in the scenario of failure and recovery of the Principal, is this expected behavior correct? or with VWire is it different? should assume or validate other additional details, regarding HA issues, such as Timers, settings, options, etc.

Thank you in advance for your time, for your good vibes, for your collaboration, advice and comments.

Greetings

Re: Firewall HA - Confirmation Behavioral - Link Monitor - HA Vwire - Active Passive - Link state Shutdown

mplewis — Fri, 04 Aug 2023 17:54:05 GMT

Scenario 1:

With passive link state set to shutdown, I would expect the firewalls to hit their flap limit. That scenario would result in failover to firewall 2, back to firewall 1 (due to preempt with higher priority value), then back to firewall 2. Assuming a flap limit of 3, firewall 1 would remain in a suspended state due to 'non-functional loop detected' until admin intervention, while firewall 2 continued to support traffic.

Scenario 2:

As you suggested, setting passive link state to auto would result in a cleaner failover. Firewall 1 would fail to firewall 2 and stay there. Firewall 1 would stay suspended due to monitored link down. Once the link is back up, firewall 1 would renegotiate HA, and should become the active unit since it's configured to preempt with a higher priority value.

Scenario 3:

If a monitored link on each firewall failed (e.g. e1/1 on both firewalls), one of them would become suspended due to non-func loop, regardless of passive link state being shutdown or auto. Recovery would require admin intervention, same as the first scenario.

If there's something I overlooked or didn't take into account, feel free to correct me.

Re: Firewall HA - Confirmation Behavioral - Link Monitor - HA Vwire - Active Passive - Link state Shutdown

Metgatz — Fri, 04 Aug 2023 19:50:19 GMT

OK, thank you @mplewis very much for your comments and cooperation.

Regarding point 1, to scenario 1 that you mention, with the passive interfaces Link state shutdown. That means that the secondary firewall or with the passive role, has its interfaces turned off. In this scenario, if the link monitor is on both interfaces 1/1 and 1/2, and any of the interfaces of Firewall-01, active, of the Main block fail, it will assign the role to the Secondary as Active. But if we understand that the passive keeps its interfaces down, when it recovers from its failure condition, the Principal is Firewall-01, which has the role of passive, for example, the ethernet 1/1 interface recovers, if the Principal is in state passive, how will it detect if I lift its interface change, to recover its control after one minute, for the value of preemtive 1 minute, if its interfaces are shutdown those of the passive? What is associated with the recovery of the interfaces and that detection of the recovery of the interfaces condition, of the Main equipment in passive state, recovers from its interface problems, and after 1 minute assumes the role again, it would only be with Passive Link in "Auto" I understand right? With Passive Link Shutdown there is no way, right? This in VWire, L2 and L3 environments, the most common, right?

Thank you for your time, your comments and your great collaboration.

Greetings

Re: Firewall HA - Confirmation Behavioral - Link Monitor - HA Vwire - Active Passive - Link state Shutdown

Metgatz — Fri, 04 Aug 2023 23:25:14 GMT

Hello, sorry if I refer and tag you, I hope I'm not bothering you. @TomYoung @reaper @Raido_Rattameister @BPry @PavelK @aleksandar.astardzhiev

Please see my post and give me your comments, advice, clarifications, details, etc. regarding what I say about HA with Vwire ?

Thank you very much for your comments, for your time, for your collaboration.

I remain attentive

Best regards.