topic Re: HA down PA-220 in General Topics

HA down PA-220

ChrisCon — Sat, 12 Jun 2021 07:23:39 GMT

I've a pair of PA-220 configured as cluster. After power off - on HA is down. But I can connect to both firewalls via https & ssh.
Active fw1 shows that HA ports 7 & 8 are down (red in GUI). On passive firewall fw2 all ports are grey.
But the real strange thing is, when looking into running-config (CLI), on active fw1 all the HA config is missing.
On passive (ok, not really passive, because HA is down) fw2 all the HA config in running-config is shown (CLI).
But when I enter the command "show high-availability state" fw2 shows "HA not enabled".
And "show interface all" gives me an error.
For me it would make sense, if fw1 would show this error, because of missing part in running-config.
Connections are working, I can reach all the stuff behind the firewall.

user@fw2> show high-availability state
HA not enabled

user@fw2> show interface all
Server error : An error occured. See dagger.log for information.

user@fw1(active)> show high-availability state
Group 1:
Mode: Active-Passive
Local Information:
Version: 1
Mode: Active-Passive
State: active (last 4 days)

user@fw1(active)> show interface all

total configured hardware interfaces: 9
name id speed/duplex/state mac address
--------------------------------------------------------------------------------
ethernet1/2 17 1000/full/up 00:1b:17:
ethernet1/3 18 1000/full/up 00:1b:17:
ethernet1/5 20 1000/full/up 00:1b:17:
ethernet1/7 22 ukn/ukn/down(autoneg) 34:e5:ec:
ethernet1/8 23 ukn/ukn/down(autoneg) 34:e5:ec:

Is there a change to bring up the HA from remote (site is far, far away) with only minimum interrupt (reboot)?
Thanks.

Re: HA down PA-220

aleksandar.astardzhiev — Sat, 12 Jun 2021 19:42:03 GMT

Hi @ChrisCon ,

It sound like hardware issue for me...Have you tried to power cycle (reboot) it again?

Re: HA down PA-220

MP18 — Sat, 12 Jun 2021 22:38:17 GMT

@ChrisCon

Check System logs in GUI and from CLI

Check below logs

less mp-log ha_agent.log

Also troubleshoot why HA ports are down?

Check Physical connections.

IF HA is enabled on both firewalls then if physical interfaces are up again then your issue should be fixed.

Regards

Mahesh

Re: HA down PA-220

BPry — Sun, 13 Jun 2021 04:01:35 GMT

@ChrisCon,

I agree with @aleksandar.astardzhiev that this is likely a hardware issue, but since you're also getting server errors it could also easily be a software issue that can be resolved with a reload of the firewall.

I would however actually caution against reloading either firewall until you have someone on-site that can actually troubleshoot what is going on. The reason for this is simply that restarting the fw2 and/or fw1 while something is in this sort of state could actually cause a split-brain situation. Since the network is "functional" and this isn't actively causing any issues outside of the lose of HA, I wouldn't want to introduce something that actually ends up effecting traffic by attempting to fix the issue until I'm on-site with the hardware.