topic Re: PA 2020 Active/Passive HA in General Topics

PA 2020 Active/Passive HA

itsecll — Thu, 09 Feb 2012 15:40:40 GMT

I am configuring Active/Passive PA 2020 firewall for clustering . I have configured all the parameters for HA including the links(HA1 and HA2). Also the firewall are connected and both the HA interfaces are showing up. I am making One PA Firewall as Active by lowering its device Priority (100)and other as standby (priority 150). I am seeing ,that both the PA firewall are showing as active and when I click on "Sync the config" , I am getting the error shown in the attached file.

Please advice me where am I making mistake. Also my Active firewall has some configuration done on it and my other firewall is on default configuration. Should I bring both the firewall on default config and then configure the HA ? Please advice.

Re: PA 2020 Active/Passive HA

rmonvon — Thu, 09 Feb 2012 16:18:30 GMT

Hi...I notice the PA2020 is running version 4.1.0. I recommend that you upgrade both PA2020s to version 4.1.2. You reported that both units are running in Active HA mode, that may mean the units are not seeing each other. We should see 1 unit to be Active and the other should be Passive.

You can verify via CLI if they have an HA peer:

> show high-availability state

If there is no peer, I recommend that you doublecheck your HA config and the HA cabling. Thanks.

Re: PA 2020 Active/Passive HA

sdurga — Thu, 09 Feb 2012 16:20:01 GMT

Hi,

Since both the peers are showing as Active-Active. It means that they haven't communicated to each other still. This seems like a configuration problem. Please make sure the following things are correct 1) both the Pan devices are running same software version

2) the HA group id is same for both the pan devices 3) use a crossover cable for ha2 ports 4) peer ids are matching across both the ends of pan devices. If the HA realationship forms correctly one device will be in active state and the other will be in the passive state. The command "show high availability all" will give all the info about the HA state on the device and also about peer state.

you need not have both the devices in the default config. As long as you configure ha parameters correctly on both the devices and they are in ha relationship, config syncshould work. One more thing, you can sync the config from both the acitve side ----> passive side and also the other way. so please be care ful which side your are doing it from, in case if you sync config from the default config side (passive side ) to the other side, it will wipe out all the config on the other side.

Tx,

Sandeep T

Re: PA 2020 Active/Passive HA

itsecll — Thu, 09 Feb 2012 16:34:12 GMT

Thanks for the reply. I cannot use a cross cable becoz I am running HA1 and HA2 on fiber (SFP) ports. Actually , as per design the two PA firewalls are intwo different buildings, so due to distance constrain , I have to use the Fiber bots for HA.

I have one doubt , please clear and I am sure that I am making mistake in that, when I edited the HA parameters , I used HA peer IP as 1.1.1.2 and when I configured Control Link HA1 IP address , I used a different subnet (10.1.0.0/24) , do I have to configure them with the same subnet.? I think yes? Please advice

Re: PA 2020 Active/Passive HA

rmonvon — Thu, 09 Feb 2012 16:38:29 GMT

yes, the IP address for HA1 should correspond to the IP address for the peer.

Re: PA 2020 Active/Passive HA

ncampagna — Fri, 10 Feb 2012 18:42:21 GMT

You have the option of running the firewalls' HA1 ports in the same subnet or different subnets. If they're in the same subnet, leave the Gateway in the Control Link section of the config blank. If they're in different subnets, you'll want to specify the correct Gateway address in order to achieve layer 3 connectivity.

Thanks,

Nick Campagna

Re: PA 2020 Active/Passive HA

itsecll — Tue, 14 Feb 2012 17:41:06 GMT

Thanks to all for the reply and support . Really appreciated