topic Re: Active/Active HA tentative state question in General Topics

Active/Active HA tentative state question

PerryK — Mon, 14 May 2018 15:08:24 GMT

Let's say we have 2 firewalls in A/A HA

each firewall has 2 vWire (single interfaces, no aggregration)

eth1/eth2 = vWire 1 and eth3/eth4=vWire2

link monitoring is set such that if any of eth1/eth2 interfaces are down or any of eth3/eth4 are down the firewall will go into tentative state.

Say I unplug eth1/eth2 on FW1. FW1 goes into tentative state. Now, no traffic should flow on vWire2 (eth3/eth4) of FW1.

Can ayone confirm this?

Re: Active/Active HA tentative state question

reaper — Tue, 15 May 2018 06:55:00 GMT

Hi @PerryK

in an AP cluster a link monitor failure is a global failure causing the membert to go into a non-functional state and stop passing traffic altogether, passing over all responsabilities to the secondary peer

in an AA cluster, however, the member will continue accepting packets, if at all possible, but will pass everything over to it's peer for processiong via the HA3 link

https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/high-availability/ha-firewall-states

so, if you unplug eth1, eth2 will go down (link state passthrough property of vwire), eth1/eth2 vwire functionality passes over to member2 completely as this will be the only member with an active set left.

eth3/eth4 vwire, however, will remain active and will accept packets on member1, but all packets are forwarded through the HA3 interface to member2, processed and sent back to member1 and then egressed out on the other end of the vwire

Re: Active/Active HA tentative state question

PerryK — Tue, 15 May 2018 12:44:28 GMT

OK, since the packet is processed by the active peer, where should the packet be seen in the traffic log. On the active one or the tentative one?

Re: Active/Active HA tentative state question

reaper — Tue, 15 May 2018 12:53:17 GMT

probably both 🙂