https://live.paloaltonetworks.com/t5/general-topics/high-availability-failover-due-to-high-dataplane-usage/m-p/180266#M55832 <P>Hi,</P><P>&nbsp;</P><P>Huge amount of new session ... normally, session are sync between cluster member then ...</P><P>Which model of palo are you using ??</P><P>According my experince, path monitoring is not .... always efficient.</P><P>Maybe when your first palo carshed, failover happen but path monitoring was not up on backup .. then no internet ....</P><P>&nbsp;</P><P>Hope help.</P><P>&nbsp;</P><P>V.</P> Thu, 05 Oct 2017 12:24:31 GMT VinceM 2017-10-05T12:24:31Z https://live.paloaltonetworks.com/t5/general-topics/high-availability-failover-due-to-high-dataplane-usage/m-p/180245#M55824 <P>our internet went down a few weeks ago when our primary PA failover to a secondary PA. We found out, after doing some research and investigative work, that this was due to the amount of new session created, which cause the PA to use the slowpath and access more cpu resource. Once we failedover, we had internet access for about 5-10 minutes and then suddently we lost internet access.&nbsp; After talking to tech support, we came to a conclusion that this might have been to due arp. We have about 25 static NATs, and 3 DNATs, could this have been the cause? if so why did we have internet for a while and suddently lost connection?&nbsp;</P><P>our failover condition is&nbsp; based on link monitoring, trust, untrust, and path monitoring, which is our gateway.&nbsp;</P><P>Why didnt we fail back to the active if we lost access to the internet- our path was never down on our secondary FW.&nbsp;</P><P>We're running 8.0.2</P> Thu, 05 Oct 2017 06:46:44 GMT https://live.paloaltonetworks.com/t5/general-topics/high-availability-failover-due-to-high-dataplane-usage/m-p/180245#M55824 mmbengue 2017-10-05T06:46:44Z https://live.paloaltonetworks.com/t5/general-topics/high-availability-failover-due-to-high-dataplane-usage/m-p/180255#M55827 <P>Sounds like your device may have been flooded. this would explain your connectivity came back for a few minutes while the newly active secondary firewall's session table/resources were rapidly depleting. </P> <P>This could be an outside attack or an inside burst (example: simultaneous triggering of windows update on a lot of internal devices)</P> <P>&nbsp;</P> <P>one way to prevent this type of issue from taking down your firewall is to enable Zone Protection profiels that will start discarding packets at a certain packet rate or will implement syn cookies to prevent malicious flooding of tcp sockets</P> <P>&nbsp;</P> <P>did you happen to collect a techsupport file right after the incident on your primary? if so you could go take a look at the dataplane resources in the dataplane logs to see if your packet descriptors were filling up or software pools draining</P> <P>&nbsp;</P> <P>is there any additional information you can share?</P> <P>you mentioned ARP, could you elaborate on this conclusion?</P> Thu, 05 Oct 2017 07:48:23 GMT https://live.paloaltonetworks.com/t5/general-topics/high-availability-failover-due-to-high-dataplane-usage/m-p/180255#M55827 reaper 2017-10-05T07:48:23Z https://live.paloaltonetworks.com/t5/general-topics/high-availability-failover-due-to-high-dataplane-usage/m-p/180266#M55832 <P>Hi,</P><P>&nbsp;</P><P>Huge amount of new session ... normally, session are sync between cluster member then ...</P><P>Which model of palo are you using ??</P><P>According my experince, path monitoring is not .... always efficient.</P><P>Maybe when your first palo carshed, failover happen but path monitoring was not up on backup .. then no internet ....</P><P>&nbsp;</P><P>Hope help.</P><P>&nbsp;</P><P>V.</P> Thu, 05 Oct 2017 12:24:31 GMT https://live.paloaltonetworks.com/t5/general-topics/high-availability-failover-due-to-high-dataplane-usage/m-p/180266#M55832 VinceM 2017-10-05T12:24:31Z