https://live.paloaltonetworks.com/t5/general-topics/ha-session-sync-too-slow/m-p/1228960#M124274 <BLOCKQUOTE><HR /><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/167193">@dmgeurts</a>&nbsp;wrote:<BR /> <P>I've recently migrated to a pair of active/active HA firewalls and am seeing some DNS return traffic dropped. Checking the logs, I can see that traffic is returned via another firewall as the DNS request was received. No problem, as normally the HA session sync is fast enough for the other firewall to have the session.<BR /><BR />However, the DNS servers reply so quickly that the session state hasn't synced yet and the return traffic is dropped. Has anyone seen this, and any suggestions other than delaying DNS replies on the servers?</P> <P>&nbsp;</P> <P>Forgot to mention that the pair of firewalls are PA-3410 with direct HCSI link in adjacent racks. So, latency should be as small as it gets.</P> <HR /></BLOCKQUOTE> <P>That really doesn't make much sense.&nbsp; 2 networked (routed) endpoints shouldn't be talking faster than firewalls directly connected to each other.&nbsp; I've never ran a A/A deployment so unfortunately I don't have much insight to share.&nbsp; I'm assuming you have the HA1, HA2, and HA3 interfaces defined?&nbsp; The HA3 link as I understand it is required for an A/A deployment.&nbsp;&nbsp;</P> <P>&nbsp;</P> <P>Are your management and data CPUs all running at normal percentages?&nbsp;</P> Tue, 13 May 2025 13:34:23 GMT Brandon_Wertz 2025-05-13T13:34:23Z https://live.paloaltonetworks.com/t5/general-topics/ha-session-sync-too-slow/m-p/1228829#M124252 <P>I've recently migrated to a pair of active/active HA firewalls and am seeing some DNS return traffic dropped. Checking the logs, I can see that traffic is returned via another firewall as the DNS request was received. No problem, as normally the HA session sync is fast enough for the other firewall to have the session.<BR /><BR />However, the DNS servers reply so quickly that the session state hasn't synced yet and the return traffic is dropped. Has anyone seen this, and any suggestions other than delaying DNS replies on the servers?</P> <P>&nbsp;</P> <P>Forgot to mention that the pair of firewalls are PA-3410 with direct HCSI link in adjacent racks. So, latency should be as small as it gets.</P> Mon, 12 May 2025 13:48:09 GMT https://live.paloaltonetworks.com/t5/general-topics/ha-session-sync-too-slow/m-p/1228829#M124252 dmgeurts 2025-05-12T13:48:09Z https://live.paloaltonetworks.com/t5/general-topics/ha-session-sync-too-slow/m-p/1228960#M124274 <BLOCKQUOTE><HR /><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/167193">@dmgeurts</a>&nbsp;wrote:<BR /> <P>I've recently migrated to a pair of active/active HA firewalls and am seeing some DNS return traffic dropped. Checking the logs, I can see that traffic is returned via another firewall as the DNS request was received. No problem, as normally the HA session sync is fast enough for the other firewall to have the session.<BR /><BR />However, the DNS servers reply so quickly that the session state hasn't synced yet and the return traffic is dropped. Has anyone seen this, and any suggestions other than delaying DNS replies on the servers?</P> <P>&nbsp;</P> <P>Forgot to mention that the pair of firewalls are PA-3410 with direct HCSI link in adjacent racks. So, latency should be as small as it gets.</P> <HR /></BLOCKQUOTE> <P>That really doesn't make much sense.&nbsp; 2 networked (routed) endpoints shouldn't be talking faster than firewalls directly connected to each other.&nbsp; I've never ran a A/A deployment so unfortunately I don't have much insight to share.&nbsp; I'm assuming you have the HA1, HA2, and HA3 interfaces defined?&nbsp; The HA3 link as I understand it is required for an A/A deployment.&nbsp;&nbsp;</P> <P>&nbsp;</P> <P>Are your management and data CPUs all running at normal percentages?&nbsp;</P> Tue, 13 May 2025 13:34:23 GMT https://live.paloaltonetworks.com/t5/general-topics/ha-session-sync-too-slow/m-p/1228960#M124274 Brandon_Wertz 2025-05-13T13:34:23Z https://live.paloaltonetworks.com/t5/general-topics/ha-session-sync-too-slow/m-p/1228964#M124275 <P>Yes, all HA1/2/3 and their backups are connected. CPU on data and management planes is low. The DNS server caches entries and it's a very small percentage of traffic affected.</P> <P>Agree with you completely. I did not expect this, so apart from CPU load anything I should be checking?</P> <P>PanOS version is 11.1.6h something (off the top of my head)</P> Tue, 13 May 2025 14:03:42 GMT https://live.paloaltonetworks.com/t5/general-topics/ha-session-sync-too-slow/m-p/1228964#M124275 dmgeurts 2025-05-13T14:03:42Z https://live.paloaltonetworks.com/t5/general-topics/ha-session-sync-too-slow/m-p/1228967#M124276 <P>Unfortunately I don't have any other ideas, other than opening a support case getting TAC to take a look.</P> Tue, 13 May 2025 15:08:43 GMT https://live.paloaltonetworks.com/t5/general-topics/ha-session-sync-too-slow/m-p/1228967#M124276 Brandon_Wertz 2025-05-13T15:08:43Z