topic Re: Change HA from A/A to A/P - techniques and known issues? in General Topics

Change HA from A/A to A/P - techniques and known issues?

MikeBowler — Wed, 18 Mar 2015 19:23:19 GMT

I have two PA-500's in Active/Active.

We do not need to have them in A/A (in hindsight, it was a mistake) because we do not use asynchronous routing or meet the other typical A/A criteria. I think we are paying for that mistake, as you'll read below.

When running software 6.0.5 I implemented a site-to-site VPN through which I ran a client-server application over a specific port. After 10-30 minutes the port would close, cutting off the application link. I opened a case with PA, got logs from the firewalls and wireshark captures from the client. While PA was researching the issue, I asked PA if perhaps upgrading to 6.1.2 would fix the problem. They agreed we could try (no guarantees, of course).

We upgraded, and found that when running 6.1.2 in Active/Active, the Active-Secondary could not refresh ARP. The secondary would hold it's ARP table for the timeout period (1800 seconds - 30 minutes), then fail - which caused our Internet connection to be unstable (pinging a device on the Internet would result in 8 packets successful, then 8 dropped, then 12 successful, then 12 dropped, and so on). We now have a separate ticket with PA on this issue.

As an experimental effort to solve the ARP problem, we suspended the Active-Secondary device, and since then - running only 1 firewall - our Internet connection is perfectly stable AND the VPN functions flawlessly. The application runs over the VPN without any drops/disconnections. I did share this discovery with PA.

So...I'm now wondering if simply changing from Active-Active to Active-Passive (staying with 6.1.2) might solve both the VPN and ARP issue. I recall reading about an ARP issue with an earlier 6.x version of software, but I think that got fixed.

What do you think about us switching from A/A to A/P? Any problems with changing from A/A to A/P?

If we switch, is it a matter of changing the setup from active-active mode active-passive by changing the Active-Primary to Active-Passive (device ID 0) and the Active-Secondary to Active Passive (device ID 1)? We already have control links and election settings established, and I'm wondering if those will stay the same - or if I have to reconfigure everything as though I were adding a new firewall.

Thanks in advance!

Re: Change HA from A/A to A/P - techniques and known issues?

mmmccorkle — Wed, 18 Mar 2015 20:27:45 GMT

Mikebowler,

This will not directly answer your question, but will provide some details on active/active vs. active/passive.

HA Active Active vs Active Passive.pptx

Thanks!

Please do not forget to mark and 'Helpful' or 'Correct' replies.

Re: Change HA from A/A to A/P - techniques and known issues?

pulukas — Wed, 18 Mar 2015 20:46:04 GMT

I would always go with Active/Passive unless you have one of the specific use cases for Active/Active.

the main configuration change will be the removal of HA3 as a link.

Since you are already running single device the cut should be relatively painless.

Re: Change HA from A/A to A/P - techniques and known issues?

MikeBowler — Thu, 19 Mar 2015 16:46:56 GMT

Thank you both!

Re: Change HA from A/A to A/P - techniques and known issues?

MikeBowler — Thu, 16 Apr 2015 16:26:47 GMT

Update:

We did the upgrade - from A/A to A/P - a few weeks back and all is well.

Both the VPN and ARP issues have disappeared, and the connection world is at peace (well, it is here anyway...).

I suspect A/A brings some complications to the table that PA is not completely able to manage, but our A/P configuration is solid and we are, once again, happy campers.

Re: Change HA from A/A to A/P - techniques and known issues?

pulukas — Thu, 16 Apr 2015 20:58:05 GMT

Glad things went well for you.

Yes, Active/Active does bring complications and design considerations. I manage four A/A clusters in the data center. But there are situations where it is required. The trick is not to over complicate the situation unnecessarily.

Just to close the loop here is the Active/Active technote reviewing the issues to watch in the A/A deploy.

Configuring Active/Active HA PAN-OS 4.0