topic Re: HA Lite Configuration A/P not working... in General Topics

HA Lite Configuration A/P not working...

DJFirewallSupport — Thu, 01 Nov 2012 15:13:50 GMT

Hi All,

Trying to configure a pair of PA-200's as an active-passive cluster using "HA lite". Right now both devices are showing active, so it seems the nodes do not see each other as cluster members. I have defined one HA link on both firewalls, ethernet1/2...they are connected together via a cross-over cable and both interfaces are showing UP.. I realize that state synchronization is not possible with one HA link, but just looking for config sync. When I do a "show high-availability state" from CLI, I get:

Peer Information:

Connection status: down

Connection down reason: Never able to connect to peer

I have tried to suspend the device with the worse priority...and then make it functional again (hoping it goes into passive state)..but it only goes right back to active. Note I am running 4.1.8 code here.

I have also found a doc that indicates the MGT port is used for HA1 with an HA-lite configuration. Is that true? If so, does that mean I don't need the cross-over on ethernet1/2? Note when I ping the peer HA1 IP address (from either firewall) I simply get back an ICMP "Destination host unreachable" .... I am sure this is a problem!

Below are my configs for this...perhaps I have something missing? Grateful if anyone with this knowledge and experience on HA lite would take a look for me....thanks in advance.

Node 1:

set deviceconfig high-availability group 1 mode active-passive passive-link-state auto

set deviceconfig high-availability group 1 mode active-passive monitor-fail-hold-down-time 1

set deviceconfig high-availability group 1 configuration-synchronization enabled yes

set deviceconfig high-availability group 1 peer-ip 192.168.201.2

set deviceconfig high-availability group 1 election-option device-priority 95

set deviceconfig high-availability group 1 election-option heartbeat-backup yes

set deviceconfig high-availability group 1 election-option preemptive no

set deviceconfig high-availability group 1 election-option promotion-hold-time 2000

set deviceconfig high-availability group 1 election-option hello-interval 8000

set deviceconfig high-availability group 1 election-option heartbeat-interval 1000

set deviceconfig high-availability group 1 election-option flap-max 3

set deviceconfig high-availability group 1 election-option preemption-hold-time 1

set deviceconfig high-availability group 1 election-option monitor-fail-hold-up-time 0

set deviceconfig high-availability group 1 election-option additional-master-hold-up-time 500

set deviceconfig high-availability interface ha1 encryption enabled no

set deviceconfig high-availability interface ha1 monitor-hold-time 3000

set deviceconfig high-availability interface ha1 ip-address 192.168.201.1

set deviceconfig high-availability interface ha1 netmask 255.255.255.0

set deviceconfig high-availability interface ha1 port ethernet1/2

set deviceconfig high-availability interface ha1-backup

set deviceconfig high-availability enabled yes

Node 2:

set deviceconfig high-availability group 1 peer-ip 192.168.201.1

set deviceconfig high-availability group 1 configuration-synchronization enabled yes

set deviceconfig high-availability group 1 mode active-passive passive-link-state auto

set deviceconfig high-availability group 1 mode active-passive monitor-fail-hold-down-time 1

set deviceconfig high-availability group 1 election-option device-priority 100