topic Re: HA2 problems in General Topics

HA2 problems

muellerm — Tue, 15 May 2012 14:35:59 GMT

Hello together,

We have a A/A cluster with PA-5050 boxes running PAN-OS 4.1.5

At the moment one node is suspended due to another problem. We had the problem that we lost the HA2 connectivity (main/backup) between the cluster nodes and traffic through the active box where stopped.

From my point of view this should not happen as this link is for synchoronisation of state, session, routing,etc... But as only one box is active at the moment, so need for the sync?!? After reestablishing a connection for HA2 traffic was passing the firewall.

Any clue?

Thx

Michael

Re: HA2 problems

mikand — Tue, 15 May 2012 22:07:35 GMT

Sessionsync is so when failover occurs the already setup sessions can continue - otherwise they would be just dropped (or if lucky get fin/ack or rst depending on what kind of session it is).

As a workaround I think you can setup one of the dataplane interfaces to be used for HA.

Re: HA2 problems

rmonvon — Tue, 15 May 2012 23:50:35 GMT

Hi...Did all traffic or just some of the traffic stop? It is most likely where one PA setups the session and can't sync the session to its peer. As return traffic arrives at the peer, the traffic may be out of state and the peer drops the packets.

As suggested by mikand, you should configure backup for HA2 as well as HA1 and HA3 if possible. For HA3 you can use AE (LAG) if our PA models support it.

Thanks.

Re: HA2 problems

muellerm — Wed, 16 May 2012 10:53:37 GMT

Hi,

thanks for the fast replies.

Maybe I was not clear enough. We have a HA2 main and backup. Due to another problem the main was not working and we lost the backup.

In the moment we lost the backup one of the firewalls were suspended, so we were running on one node. At this time we lost as well the HA2 backup and traffic seems not to be passing anymore.

Unfortunatly I wasn't onsite during this time. I just get it reported like this. So it hard to figure out what realy happens and as it's a production enviroment I'm not able to reproduce this issue.

The only thing which I'm sure that during the time traffic wasn't passing both HA2 link weren't present.

Now, I just want to know if it's possible that the root cause of the stopped traffic can be that no HA2 link was present. Even when we were running on a single node at this time. So no need for the session sync.

Thanks

Michael

Re: HA2 problems

rmonvon — Wed, 16 May 2012 14:46:10 GMT

I recommend that we review the system log around the time of the failure and check the HA events to figure the sequence of failures. HA2 failure may impact new sessions/traffic as the session state cannot be sync'ed but it should not impact existing sessions. You can have 1 node running while the other is down and HA2 can be disconnected.

Also, how did the other node went into suspend state? Maybe the failure included more than just HA2?

Re: HA2 problems

muellerm — Wed, 16 May 2012 15:16:14 GMT

Hi,

the other node is suspended manually. There is an issue which impacted our service in the A/A deployment, we had to suspend on box.This is allready addressed and under investigations by PA.

I thougth as well that it should not impact any traffic when running on a single node without HA2.

I can try to gather logs around the time the problem occured

I'll check if I can test this during a night

Michael

Re: HA2 problems

jdelio — Thu, 24 May 2012 21:06:50 GMT

As far as the links.. HA1 and HA2.. how are they connected?

Are we talking about a Straight thru cable, Cross over cable or connected through a switch.

If you say Straight thru cable, it is not recommeneded. In fact it is not supported.

It is recommended that if you have to use a cable, that it is a Cross over cable.. or connect through a switch.

Lets see if that helps or not.

Re: HA2 problems

muellerm — Fri, 21 Sep 2012 08:13:43 GMT

Hi,

sorry for the huge delay 🙂

It's connected through a switch. In the meanwhile it's identified as a bug.

Michael