cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

HA Link and Path Monitoring

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Reply
JonHill
JonHill
L1 Bithead
‎01-14-2019 05:32 AM
‎01-14-2019 05:32 AM

HA Link and Path Monitoring

We've configured HA Active\Passive on a pair of 5250's running PAN-OS 8.1.5 and it works a treat and pre-emption also works as expected.

 

I've configured Link monitoring so if we get an HA failure if the trusted links fail which works and it fails over to the passive as expected but when the links come back it doesn't fail back again to the active unit.

 

Does Pre-emption work with Link and Path monitoring and if it does how is it configured?

 

Any help would be much appreciated.

 

Thanks

 

Jon

0 Likes
Reply
reaper
Community Manager
Community Manager
‎01-14-2019 08:46 AM
‎01-14-2019 08:46 AM

Re: HA Link and Path Monitoring

hi @JonHill

 

Pre-emption will wait an amount of time after a failover and then try to 'fall back' to the original setup

If after a configurable amount of retries the active device still has link monitor failures, the passive device will take over permanently until you manually fail over


Help the community: Like helpful comments and mark solutions
Reaper out
Reply
Otakar.Klier
Otakar.Klier
L7 Applicator
‎01-14-2019 08:46 AM
‎01-14-2019 08:46 AM

Re: HA Link and Path Monitoring

Hello,

I take it you have it preemption enabled on both devices?

 

Preemptive—Enables the higher priority firewall to resume active (active/passive) or active-primary (active/active> operation after recovering from a failure. The Preemption option must be enabled on both firewalls for the higher priority firewall to resume active or active-primary operation upon recovery following a failure. If this setting is off, then the lower priority firewall remains active or active-primary even after the higher priority firewall recovers from a failure.
Reply
JonHill
JonHill
L1 Bithead
‎01-15-2019 12:42 AM
‎01-15-2019 12:42 AM

Re: HA Link and Path Monitoring

As you say it was down to the speed at which I re-enabled the interfaces that it had permanently stayed with the peer.

 

Is there anyway of changing these timers and where do I find them?

 

Thanks 

0 Likes
Reply
MP18
MP18
L4 Transporter
‎02-15-2019 01:03 PM
‎02-15-2019 01:03 PM

Re: HA Link and Path Monitoring

for this we should have pre enabled on both active and passive right.

Our Active PA has priority 80 and passive has 100.

 

Link Monitoring is only configured on Acitve PA.

 

With this config  when link on Active PA is down and passive should takover the active role untill link on Active PA is up right?

0 Likes
Reply
reaper
Community Manager
Community Manager
‎02-15-2019 01:35 PM
‎02-15-2019 01:35 PM

Re: HA Link and Path Monitoring

The timers can be changed in the HA configuration

@MP18 pre-emption is a timing mechanism that will try to restore HA after a certain amount of time.
After the timer runs out the cluster will try to fail back, if the downed interface persists the cluster will fail again this for 3 consecutive tries and then the cluster will permanently fail to the secondary device till an admin fixes the problem and manually fails back


Help the community: Like helpful comments and mark solutions
Reaper out
Reply
MP18
MP18
L4 Transporter
‎02-15-2019 01:37 PM
‎02-15-2019 01:37 PM

Re: HA Link and Path Monitoring

so when link Monitoring interface comes up then the active PA  which is currently passive will take over right?

How does Passive PA which becomes active will know if Link monitor interface comes up ?

Via HA1 link?

0 Likes
Reply
reaper
Community Manager
Community Manager
‎02-15-2019 11:19 PM
‎02-15-2019 11:19 PM

Re: HA Link and Path Monitoring

No it will not
Pre-emption uses timers, the cluster does not fail back when a monitor returns to normal

Help the community: Like helpful comments and mark solutions
Reaper out
Reply
Highlighted
MP18
MP18
L4 Transporter
‎02-16-2019 12:05 AM
‎02-16-2019 12:05 AM

Re: HA Link and Path Monitoring

1>So it means when Link Monitored Interface on the Passive PA comes back up then PAssive PA  has no way to know that

even through HA1 then as Prempt times is expired also right?

 

2>So in this case user has to do the manual failover like PA which become Active we should suspend it right?

 

3>how much is preemt timer? before newly Active PA  stops checking   with Passive PA?

0 Likes
Reply
MP18
MP18
L4 Transporter
‎02-17-2019 02:14 PM
‎02-17-2019 02:14 PM

Re: HA Link and Path Monitoring

Hi Reaper,

 

IF you can answer the questions please?

This stuff I never know before

 

Best Regards

Mike

0 Likes
Reply
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!

Latest Blogs
Latest Posts
Privacy Policy Terms of Use
Copyright 2007 - 2019 - Palo Alto Networks