topic Re: HA Down Time in General Topics

HA Down Time

j.guo — Wed, 31 Oct 2012 04:52:17 GMT

Dear Support:

I want to know how long will the Standby PA become active ?

According to the HA best practice , Running @ PA2020 & 4.1.8

the HA statue is normal , all things are match

and the link monitor had setup , interface monitor set to shutdown

I ping 8.8.8.8 -t at the internal network

I unplugin one of data interface , and the standby PA becomse Active

but can;t ping 8.8.8.8 ,

I had already set the swithport to portfast mode

and I can ping 8.8.8.8 after around 90 seconds

Is it normal ? and any advise ? thanks

Re: HA Down Time

mikand — Wed, 31 Oct 2012 07:21:41 GMT

According to the default settings for HA are:

pa- 2000 hello interval - 8 sec, heart beat interval - 2sec, promotion hold time- 2 sec and preemption hold time -1 sec

which gives that if the current active device goes away it will take 6 seconds (3 * heartbeat) before the passive device takes over the traffic.

If you manually restart the current active device then the passive should take over straight away because the device being rebooted will send a signal to the passive device to take over.

If you have to wait 90 seconds and use default HA settings in your PA cluster I would think you have some other malfunction somewhere on the road.

I would try to setup a packet capture on the devices before and after your PA to find out if your portfast is really working as expected or not.

Re: HA Down Time

UKRB — Wed, 31 Oct 2012 11:36:14 GMT

In my experience it is often the switches that cause the delay and not the PA devices. I have a 2020 HA pair running with pretty speedy failover, though it can always be better!

If you look at the units when you try a failover you should see all the activity lights on the ports go off on one unit and light up on the other unit. When these light up, the PA unit will be ready to start passing data, so your switch needs to get going too!

You said you were testing this by unplugging a data interface - what sort of experience do you get when you do a controlled failover? Device / HA / Operational Commands / Suspend local device

Also, are you using striaght through or crossover cables between the units?

Re: HA Down Time

j.guo — Wed, 31 Oct 2012 12:10:21 GMT

any differents with striaght through or crossover cables?

we now HA1 is crossover , HA2 is striaght through

Re: HA Down Time

msullivan — Fri, 02 Nov 2012 22:18:19 GMT

I'd verify that the passive node takes up when you think it should. Open cli sessions and verify that your trigger is working as expected. See https://live.paloaltonetworks.com/docs/DOC-3838 for a quick list of commands to use.

Second, I'd make sure that Device->High Availability->General->Active/Passive Settings->Passive Link State, is set to auto. As already mentioned, make sure your upstream switch is configured correctly for the PANs ports (spanning-tree disabled).

If you have a visio to share, post it. It's good to have everyone on the same page.

Good luck,

Mike