https://live.paloaltonetworks.com/t5/general-topics/ha-active-passive-ospf-design/m-p/228038#M65592 <P>Hello,</P><P>From my experience the failover has been pretty quick. The HA is usually without drops ( i used to vpn into an HA pair and perform upgrades and never lost VPN connection). As for OSPF its pretty quick as well. I have seen anywhere from 3-7 ping drops during the failover.</P><P>&nbsp;</P><P>I guess it all depends on your companies pain tolerance during a failover event. I think the guide was written with using as few interfaces as possible. The other thing you have to remember is asymetric routing where the routers are concerened if you are pluggin into both of them. You would then need to add weights to the connections so asymmetry doesnt happen.</P><P>&nbsp;</P><P>Just some thoughts.</P> Thu, 23 Aug 2018 14:30:15 GMT OtakarKlier 2018-08-23T14:30:15Z https://live.paloaltonetworks.com/t5/general-topics/ha-active-passive-ospf-design/m-p/228025#M65587 <P>Hi,</P><P>&nbsp;&nbsp; Following topology is from PAN's design guide for A/P OSPF setup.</P><P>I wonder if it brings any benefit to connect firewall1 to Edge Router B and</P><P>Firewall 2 to Edge Router A with additional cabling run OSPF there too.</P><P>&nbsp;&nbsp; The only thing I can see is that there won't be a firewall failover but routing protocol</P><P>will re-route the traffic via RouterB if RouterA is in trouble and vice versa.</P><P>&nbsp;</P><P>thanks for your feedback in advance.</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P>&nbsp;</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ospf_design.png" style="width: 800px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/16335i0B4F4FD45792B00E/image-size/large/is-moderation-mode/true?v=v2&amp;px=999" role="button" title="ospf_design.png" alt="ospf_design.png" /></span></P> Thu, 23 Aug 2018 11:48:12 GMT https://live.paloaltonetworks.com/t5/general-topics/ha-active-passive-ospf-design/m-p/228025#M65587 tirexxerit 2018-08-23T11:48:12Z https://live.paloaltonetworks.com/t5/general-topics/ha-active-passive-ospf-design/m-p/228030#M65588 <P>With the topology in the diagram, you would need link and path monitoring to force a failover in the event of a router failure (internal or external)</P><P>&nbsp;</P><P>Your proposed physical links could remove that requirement, given you have&nbsp;enough interfaces to support it.</P><P>&nbsp;</P><P>I do not know offhand why PAN suggests this topology over your proposal.</P> Thu, 23 Aug 2018 12:01:10 GMT https://live.paloaltonetworks.com/t5/general-topics/ha-active-passive-ospf-design/m-p/228030#M65588 JoeAndreini 2018-08-23T12:01:10Z https://live.paloaltonetworks.com/t5/general-topics/ha-active-passive-ospf-design/m-p/228033#M65589 <P>Link and path can be monitored but which one would be faster and with less outage considering we follow the HA best</P><P>practices.</P><P>If OSPF is involved with dual links then there should be BFD for a quick failover in case the neighbor goes down as well.</P><P>I need to dig more and do some tests.</P><P>&nbsp;</P><P>thanks.</P><P>&nbsp;</P> Thu, 23 Aug 2018 12:16:56 GMT https://live.paloaltonetworks.com/t5/general-topics/ha-active-passive-ospf-design/m-p/228033#M65589 tirexxerit 2018-08-23T12:16:56Z https://live.paloaltonetworks.com/t5/general-topics/ha-active-passive-ospf-design/m-p/228038#M65592 <P>Hello,</P><P>From my experience the failover has been pretty quick. The HA is usually without drops ( i used to vpn into an HA pair and perform upgrades and never lost VPN connection). As for OSPF its pretty quick as well. I have seen anywhere from 3-7 ping drops during the failover.</P><P>&nbsp;</P><P>I guess it all depends on your companies pain tolerance during a failover event. I think the guide was written with using as few interfaces as possible. The other thing you have to remember is asymetric routing where the routers are concerened if you are pluggin into both of them. You would then need to add weights to the connections so asymmetry doesnt happen.</P><P>&nbsp;</P><P>Just some thoughts.</P> Thu, 23 Aug 2018 14:30:15 GMT https://live.paloaltonetworks.com/t5/general-topics/ha-active-passive-ospf-design/m-p/228038#M65592 OtakarKlier 2018-08-23T14:30:15Z https://live.paloaltonetworks.com/t5/general-topics/ha-active-passive-ospf-design/m-p/228040#M65593 <P>The thing is that outage during a planned upgrade is usually less than</P><P>an event causing an outage. At least from our experience:) otherwise during a planned upgrade and failover</P><P>it is mostly pretty seamless 1-2 ping loss and no session drop.</P><P>Involvement of BFD, Graceful restart greatly impacts too but I think setting which can work for one expected event</P><P>may not work for another.</P><P>Thanks for your thoughts, much appreciated.</P><P>&nbsp;</P> Thu, 23 Aug 2018 15:04:40 GMT https://live.paloaltonetworks.com/t5/general-topics/ha-active-passive-ospf-design/m-p/228040#M65593 tirexxerit 2018-08-23T15:04:40Z