https://live.paloaltonetworks.com/t5/general-topics/failover-link-monitoring-too-long/m-p/240020#M68750 <P>Hello,</P><P>On you PAN did both the interfaces you have on the ae go down when the switch rebooted? You condition is set to ALL to both would need to go down in order for the failover to occur.</P><P>&nbsp;</P><P>Please advise,</P> Thu, 15 Nov 2018 17:35:19 GMT OtakarKlier 2018-11-15T17:35:19Z https://live.paloaltonetworks.com/t5/general-topics/failover-link-monitoring-too-long/m-p/239842#M68714 <P>Hello guys,</P><P>&nbsp;</P><P>I have 2 plao alto configured with HA Active/passive mode.</P><P>&nbsp;</P><P>On both firewall, I configured link monitoring on link group with ethernet 1/11 and ethernet1/13 that are aggregated on Ae1 with condition "ALL".&nbsp;Those interfaces are plugged to a switch with LACP configuration and this switch is plugged to the Intrernet Router. The objective is to monitor my internet access and trigger a failover (Make my seond (PAssive) firewall in active mode.</P><P>&nbsp;</P><P>When I reboot the switch on which my palo alto is plugged to test the failover, I lost around 30pings.</P><P>&nbsp;</P><P>Moreover, in system logs, I see&nbsp;HA Group 1: Moved from state Passive to state Non-Functional. What does that mean ? There is no failover process ? Active to passive and passive to active</P><P>&nbsp;</P><P>Maybe I don't understand very well how it works but I would like that my failover be quicker.</P><P>&nbsp;</P><P>Is that possible ?</P><P>&nbsp;</P><P>Regards,</P><P>&nbsp;</P><P>&nbsp;</P> Wed, 14 Nov 2018 16:33:18 GMT https://live.paloaltonetworks.com/t5/general-topics/failover-link-monitoring-too-long/m-p/239842#M68714 David7660 2018-11-14T16:33:18Z https://live.paloaltonetworks.com/t5/general-topics/failover-link-monitoring-too-long/m-p/240020#M68750 <P>Hello,</P><P>On you PAN did both the interfaces you have on the ae go down when the switch rebooted? You condition is set to ALL to both would need to go down in order for the failover to occur.</P><P>&nbsp;</P><P>Please advise,</P> Thu, 15 Nov 2018 17:35:19 GMT https://live.paloaltonetworks.com/t5/general-topics/failover-link-monitoring-too-long/m-p/240020#M68750 OtakarKlier 2018-11-15T17:35:19Z https://live.paloaltonetworks.com/t5/general-topics/failover-link-monitoring-too-long/m-p/240212#M68845 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/100455">@David7660</a>,</P><P>So the AE still needs to form on the passive device to get things functional again. Depneding on your platform you can actually setup pre-negotiation on the LACP links to make things a bit faster.&nbsp;</P><P>On the AE interface select the LACP tab and select the 'Enable in HA Passive State' and commit the configuration. This will allow LACP communication on the passive device so failover is drastrically faster. Just make sure that you don't also have 'Same System MAC Address for Active-Passive HA' option enabled, as this wouldn't work with pre-negotiation.&nbsp;</P> Fri, 16 Nov 2018 22:53:04 GMT https://live.paloaltonetworks.com/t5/general-topics/failover-link-monitoring-too-long/m-p/240212#M68845 BPry 2018-11-16T22:53:04Z https://live.paloaltonetworks.com/t5/general-topics/failover-link-monitoring-too-long/m-p/240484#M68903 <P>Thanks to you, every options you mentionned are correctly defined on my palo alto.</P><P>&nbsp;</P><P>Finaly, we think that's a routing problem with our ISP.</P><P>&nbsp;</P><P>To be confirmed with him.</P><P>&nbsp;</P><P>Thanks <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Tue, 20 Nov 2018 09:33:16 GMT https://live.paloaltonetworks.com/t5/general-topics/failover-link-monitoring-too-long/m-p/240484#M68903 David7660 2018-11-20T09:33:16Z