topic Re: HA Failover moniring Management port in General Topics

HA Failover moniring Management port

djr — Wed, 05 Nov 2014 12:36:04 GMT

Hi, I have an active/passive HA setup and have link state monitoring enabled on my data interfaces, but I notice I can't select the management port for this. To my thinking, if I lose the management port I would want the cluster to fail over because it would no longer be able to log to Panorama, or to look up user IDs.

How would you recommend doing this? Is link path monitoring (using the management IP as the source) the only way?

Re: HA Failover moniring Management port

ssharma — Wed, 05 Nov 2014 12:44:51 GMT

Hi djr,

Yes, one of the option you can do is enable path monitoring for the management ranges. Also note that the communication would still go through one of the data ports (probably trust interface). You can point to one of the IP in management range and ask firewall to failover if that is unreachable.

This is by design that management port is not an option under path monitoring. But your requirement can be a good feature request. You can contact your local sales / system engineer for feature request. Hope this helps. Thank you.

Re: HA Failover moniring Management port

djr — Wed, 05 Nov 2014 13:53:42 GMT

Thanks, I have done that. Just to be clear though, if the management port fails, the firewall will route the AD lookups and logs to panorama etc via the trust interface? It is L3 but I don't have any of the management services enabled and I don't presently have the trust address enabled on my panorama server as a valid source.

Re: HA Failover moniring Management port

HULK — Wed, 05 Nov 2014 14:01:28 GMT

Hello Djr,

Your situation is a special instance, since your PAN FW connected to AD through MGMT interface. But, most of the time data-ports are used for transit traffic and management is for manage the device. That's the reason only data-ports are available for monitoring at this point of time, just to ensure the transit traffic is passing through the FW.

But, your point is 100% valid and i would request you to contact with your PAN SE to submit a Feature Request for the same.

Thanks

Re: HA Failover moniring Management port

ssharma — Wed, 05 Nov 2014 14:05:25 GMT

Hi djr,

No it will not failover user id or panorama functionality to trust interface once management port is down. From path monitoring you achieve failover if management ip ranges are unavailable (I haven't seen user using this approach though). Then the peer device's management will process those request normally.

You can use either data port (trust port) or management port from Panorama and user id functionality. If you use data port for user id and panorama, and if that data port interface goes down, a failover will trigger from link monitoring itself. It will depend on your requirement. I will still suggest management interface for this purpose as this will lower number of packets device has to process at dataplane side, thus reducing dp cpu. Hope this helps.

Re: HA Failover moniring Management port

djr — Wed, 05 Nov 2014 14:08:15 GMT

How can you choose which interface to use anyway? I don't think I have set anything up to tell it which interface to use, it just does it.

Re: HA Failover moniring Management port

ssharma — Wed, 05 Nov 2014 14:14:21 GMT

You can configure it at following location :

In above example I have requested firewall to user E1/5 which is my trust interface to use it for Panorama and User ID. Rest everything will still use management interface for other service.

You can configure it under Device -> Setup -> Services -> Service Route Configuration

Hope this helps. Thank you.

Re: HA Failover moniring Management port

HULK — Wed, 05 Nov 2014 14:16:16 GMT

FYI.

Setting a Service Route for Services to Use a Dataplane Interface from the Web UI and CLI

Thanks

Re: HA Failover moniring Management port

djr — Wed, 05 Nov 2014 14:18:09 GMT

Ah right, well my one is a lot simpler than yours, it just shows "use management interface for all" which for me is probably the best choice anyway. As you say it keeps the data plane free for the data.

Thanks very much, this has been very helpful and I have emailed my SE with the request.

Best regards

Re: HA Failover moniring Management port

djr — Mon, 17 Nov 2014 14:07:41 GMT

By the way I tested this and it does not work! I set the path monitoring to ping the gateway of the management interface's network and failed my management interface. The device did not fail over but it did crash!

So I logged a support ticket and the answer came back that it would have used any available path for the path monitoring. Unfortunately because it stayed active, my AD lookups stacked up and the useridd process crashed, the firewall wouldn't respond on the console and the only way out was to power it off.

So if you set the box up using the DEFAULT, to use the management port for service routes and your management port goes down...

It can't be made to fail over
It can no longer resolve any users
It can't update
It can't be managed
You can't get on via the console
and it crashes key processes

Why has no-one else realised that a failure of the management port is the achilles heel of the HA?