topic Re: Doubt configuration HA Paloalto-Aruba in General Topics

Doubt configuration HA Paloalto-Aruba

Alpalo — Tue, 10 Sep 2024 14:21:59 GMT

Hello to all

I have a pair of FW PA-460 active-passive. When we perform Failover I lose 40 seconds the network to the internet. i have only HA1 connected on a pair of SW aruba. I suspect it may be an Aruba or Paloalto configuration issue. Any idea?

Best regards.

Re: Doubt configuration HA Paloalto-Aruba

OtakarKlier — Tue, 10 Sep 2024 18:24:56 GMT

Hello,

I think these articles may be useful.

Layer 3 High Availability with Optimal Failover Times Best Practices

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClHnCAK

Resource List: High Availability Configuring and Troubleshooting

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClIbCAK

Regards,

Re: Doubt configuration HA Paloalto-Aruba

PavelK — Wed, 11 Sep 2024 03:36:22 GMT

Hello @Alpalo

have you enabled Passive Link State to Auto?

Here are references:

What is the corresponding link state when the passive link state is set to auto?

Configure Active/Passive HA

Setting the link state to Auto allows for reducing the amount of time it takes for the passive firewall to take over when a failover occurs.

Kind Regards

Pavel

Re: Doubt configuration HA Paloalto-Aruba

Alpalo — Wed, 11 Sep 2024 08:42:50 GMT

Hi @PavelK

Yes, I have enabled auto mode, but the problem persists, we only have HA1 enabled, I don't know if the problem is related to it.

HA1 is connected to the aruba pair switch with LACP . any other idea?

Thank you very much

Re: Doubt configuration HA Paloalto-Aruba

Alpalo — Thu, 19 Sep 2024 15:01:52 GMT

Any idea?

Thanks so much

Re: Doubt configuration HA Paloalto-Aruba

OtakarKlier — Thu, 19 Sep 2024 15:27:06 GMT

Hello,

You have your HA connections between the two Palo Alto's via a switch?

Regards,

Re: Doubt configuration HA Paloalto-Aruba

Brandon_Wertz — Thu, 19 Sep 2024 18:56:20 GMT

@Alpalo wrote:

Hi @PavelK

Hi @PavelK

Yes, I have enabled auto mode, but the problem persists, we only have HA1 enabled, I don't know if the problem is related to it.

HA1 is connected to the aruba pair switch with LACP . any other idea?

Thank you very much

Twice now I only see mention of HA1 being used/turned on. Do you not have a config for HA2? Is there no HA2 connectivity (of some sort) between FW1/2?

HA1 links carry management sync/config sync. HA2 links carry TCP session sync. If you do not have HA2 connections between your active/passive firewalls the TCP state of existing sessions will NOT be known to your passive firewall and when a failover occurs all that session data will be lost and will need to be restarted for ALL traffic. If this is how things are then I could potentially see a 40 second delay in your HA failovers.

I'm not sure what your routing situation is but relevant IP/routing information/state wouldn't be known your to your passive firewall and would have to be learned. Then once the network state is known to the firewall then all client TCP sessions could get re-established.