https://live.paloaltonetworks.com/t5/general-topics/failover-issues-with-active-passive/m-p/247404#M70392 <BLOCKQUOTE><HR /><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/98673">@FarzanaMustafa</a>&nbsp;wrote:<BR /><P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/27580">@OtakarKlier</a>&nbsp;and&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/5300">@Brandon_Wertz</a></P><P>&nbsp;</P><P><SPAN>HA is configured directly from one firewall to another without any network devices in between.&nbsp;We have four cables between the firewalls - two of them are used as primary HA links (Control&nbsp;+ Data), and two ethernet interfaces are configured as backup HA interfaces (one for Control backup, and one for Data link backup, interfaces are not tagged).</SPAN></P><P>&nbsp;</P><P>We manually suspend the primary firewall to fail-over to the secondary, then make the first one active again, and suspend the secondary to fail-over back primary.</P><HR /></BLOCKQUOTE><P>&nbsp;</P><P>It makes no sense what-so-ever that you would have anything other than a milisecond failover on firewalls that are directly connected to each other.&nbsp; Let alone multi-minute outages.</P><P>&nbsp;</P><P>My deployment is acorss an OTV WAN link hundreds of miles away and our failover is instaneous.&nbsp;</P> Thu, 24 Jan 2019 18:44:55 GMT Brandon_Wertz 2019-01-24T18:44:55Z https://live.paloaltonetworks.com/t5/general-topics/failover-issues-with-active-passive/m-p/246895#M70287 <P>Hello,</P><P>&nbsp;</P><P>Using 3020 HA pair.&nbsp;We are currently having two issues regarding fail-over:</P><OL><LI>Fail-over time from primary to secondary takes about two minutes. Fail-over back to the primary takes on average 10 minutes. This seems excessive for a production environment.</LI><LI>Once failed-over from primary to secondary, our externally-facing websites become inaccessible from the outside.&nbsp;</LI></OL><P>&nbsp;</P><P>Both the issues have been observed since PAN-OS 7.1.10. Gone through several iterations of firmware upgrade and currently on 8.1.3, however, no change noticed.</P><P>&nbsp;</P><P>Next device on the network after the firewalls are a Cisco Nexus stack.</P><P>&nbsp;</P><P>Monitor Fail Hold Down Time (min)=1</P><P>Monitor Hold Time (ms)=3000</P><P>&nbsp;</P><P>Any idea what is going on here?</P> Tue, 22 Jan 2019 05:43:26 GMT https://live.paloaltonetworks.com/t5/general-topics/failover-issues-with-active-passive/m-p/246895#M70287 FarzanaMustafa 2019-01-22T05:43:26Z https://live.paloaltonetworks.com/t5/general-topics/failover-issues-with-active-passive/m-p/246960#M70302 <BLOCKQUOTE><HR /><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/98673">@FarzanaMustafa</a>&nbsp;wrote:<BR /><P>&nbsp;</P><P>&nbsp;</P><P>Next device on the network after the firewalls are a Cisco Nexus stack.</P><P>&nbsp;</P><P>Monitor Fail Hold Down Time (min)=1</P><P>Monitor Hold Time (ms)=3000</P><P>&nbsp;</P><P>Any idea what is going on here?</P><HR /></BLOCKQUOTE><P>&nbsp;</P><P>Nexus "stack?"&nbsp; Can you ellaborate on the network architecure and how your HA interfaces are incorporated into the network?</P><P>&nbsp;</P><P>The HA interfaces should be in a L2 VLAN, with no other ports anywhere on your network in that VLAN.&nbsp; The HA interfaces themselves should just be normal access VLANs.</P> Tue, 22 Jan 2019 14:39:58 GMT https://live.paloaltonetworks.com/t5/general-topics/failover-issues-with-active-passive/m-p/246960#M70302 Brandon_Wertz 2019-01-22T14:39:58Z https://live.paloaltonetworks.com/t5/general-topics/failover-issues-with-active-passive/m-p/246973#M70307 <P>Hello,</P><P>What are you using as your test? Are you putting the active into suspend? Are you using ACI?</P><P>&nbsp;</P><P>Please advise,</P> Tue, 22 Jan 2019 16:24:08 GMT https://live.paloaltonetworks.com/t5/general-topics/failover-issues-with-active-passive/m-p/246973#M70307 OtakarKlier 2019-01-22T16:24:08Z https://live.paloaltonetworks.com/t5/general-topics/failover-issues-with-active-passive/m-p/247257#M70364 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/27580">@OtakarKlier</a>&nbsp;and&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/5300">@Brandon_Wertz</a></P><P>&nbsp;</P><P><SPAN>HA is configured directly from one firewall to another without any network devices in between.&nbsp;We have four cables between the firewalls - two of them are used as primary HA links (Control&nbsp;+ Data), and two ethernet interfaces are configured as backup HA interfaces (one for Control backup, and one for Data link backup, interfaces are not tagged).</SPAN></P><P>&nbsp;</P><P>We manually suspend the primary firewall to fail-over to the secondary, then make the first one active again, and suspend the secondary to fail-over back primary.</P> Thu, 24 Jan 2019 01:55:47 GMT https://live.paloaltonetworks.com/t5/general-topics/failover-issues-with-active-passive/m-p/247257#M70364 FarzanaMustafa 2019-01-24T01:55:47Z https://live.paloaltonetworks.com/t5/general-topics/failover-issues-with-active-passive/m-p/247395#M70387 <P>Hello,</P><P>Are your Nexus in vPC? I have a similar setup and my failover is almost instantanious. Maybe open a tac case to make sure everything is running as it should?</P><P>&nbsp;</P><P>Regards,</P> Thu, 24 Jan 2019 17:17:47 GMT https://live.paloaltonetworks.com/t5/general-topics/failover-issues-with-active-passive/m-p/247395#M70387 OtakarKlier 2019-01-24T17:17:47Z https://live.paloaltonetworks.com/t5/general-topics/failover-issues-with-active-passive/m-p/247404#M70392 <BLOCKQUOTE><HR /><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/98673">@FarzanaMustafa</a>&nbsp;wrote:<BR /><P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/27580">@OtakarKlier</a>&nbsp;and&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/5300">@Brandon_Wertz</a></P><P>&nbsp;</P><P><SPAN>HA is configured directly from one firewall to another without any network devices in between.&nbsp;We have four cables between the firewalls - two of them are used as primary HA links (Control&nbsp;+ Data), and two ethernet interfaces are configured as backup HA interfaces (one for Control backup, and one for Data link backup, interfaces are not tagged).</SPAN></P><P>&nbsp;</P><P>We manually suspend the primary firewall to fail-over to the secondary, then make the first one active again, and suspend the secondary to fail-over back primary.</P><HR /></BLOCKQUOTE><P>&nbsp;</P><P>It makes no sense what-so-ever that you would have anything other than a milisecond failover on firewalls that are directly connected to each other.&nbsp; Let alone multi-minute outages.</P><P>&nbsp;</P><P>My deployment is acorss an OTV WAN link hundreds of miles away and our failover is instaneous.&nbsp;</P> Thu, 24 Jan 2019 18:44:55 GMT https://live.paloaltonetworks.com/t5/general-topics/failover-issues-with-active-passive/m-p/247404#M70392 Brandon_Wertz 2019-01-24T18:44:55Z https://live.paloaltonetworks.com/t5/general-topics/failover-issues-with-active-passive/m-p/249346#M70906 <P>Hi All,</P><P>&nbsp;</P><P>Just wanted to let you all know that TAC team has assisted on this issue. Below files/info were collected and after analyzing them the conclusion was:&nbsp;<SPAN>Seems to be an external issue, PA ARP requests/replies are not delivered to end host.</SPAN></P><P>&nbsp;</P><P>-Packet capture for Non-IP traffic on both the firewalls. Perform this packet capture while performing the failover. We want to see whether new primary firewall is sending GARP immediately or not.<BR />-Keep a continuous ping running through HA and include this in packet filter for above capture. One filter will capture all non-IP traffic and other filter would be for ping.<BR />-Perform a failover, write down timestamp, time required to recover and minutes of outage.<BR />-Collect packet captures, session output for ping(from host machine), global counters.</P><P>-Tech Support files</P><P>&nbsp;</P><P>Closing this post now. Client will check&nbsp;connected switches and devices to understand why ARP replies/requests are not delivered to end host.</P> Thu, 07 Feb 2019 21:49:13 GMT https://live.paloaltonetworks.com/t5/general-topics/failover-issues-with-active-passive/m-p/249346#M70906 FarzanaMustafa 2019-02-07T21:49:13Z