topic Re: Active/Active failback in General Topics

Active/Active failback

ChamindaK — Tue, 27 Jun 2017 10:31:44 GMT

Hi,

We are looking at deploying an A/A L3 cluster with dynamic routing (has to be A/A to satisfy requirements of the existing setup). We've pinned all the routing preferences and floating IP priorities to 'unit A'. We are new A/A so any help with the below would be much welcome:

The issue we are facing (will be facing) is when failing back, there is a delay between 'unit A' coming out of tentative-hold and then routing convergence. Ie. after tentative-hold floating IPs failback, but routing takes 10 or so seconds to converge meaning a slight outage.

Has anyone else experienced a similar scenario? Is there a work around?

Also with Ha3 Ae interace, if we go direct cabling between peers, would an outage of 'unit B' cause 'unit A' to go to a non-forwarding state?

Do we need a switch in-between to avoid the above scenario.

thanks very much,

Re: Active/Active failback

acc6d0b3610eec313831f7900fdbd235 — Fri, 07 Jul 2017 18:02:37 GMT

Hi @ChamindaK

Re: Active/Active failback

BPry — Tue, 27 Jun 2017 16:09:24 GMT

@ChamindaK,

So to verify you have asymmetrical routing in your enviroment at this point in time correct? If not A/A really shouldn't be used; depending on who your last vendor was there could be instances where I would use A/A on a Cisco deployment that I would never dream of using A/A in a Palo Alto deployment. I would verify that before you actually implement this. 😉

Re: Active/Active failback

ChamindaK — Wed, 05 Jul 2017 03:05:39 GMT

thanks!

I'm in the process of labbing this, so will post once I find out exactly how this behaves.

Unfortunately stuck with A/A, as the firewalls are deployed as such in vwire. We are going to implement a L3 vsys on the existing firewall deployment.

Re: Active/Active failback

ChamindaK — Fri, 14 Jul 2017 04:50:08 GMT

-- This can be mitigated using smaller BGP retry connect timers and BFD. There is still a 1-2second drop but this acceptable than 10 seconds.

Also with Ha3 Ae interace, if we go direct cabling between peers, would an outage of 'unit B' cause 'unit A' to go to a non-forwarding state?

Do we need a switch in-between to avoid the above scenario.

No - heartbeat will stay up.

Also from labbing found the following:

- A/A fails over session owner ship to the active firewall, which means there is no HA3 traffic to the former active=primary. Thus HA3 link does not need to support the full expected throughput of the firewall transit traffic.

The downside is there is L7 or IPS for the failed over sessions even when it failsback.