I have a pair of PA-4020's in HA active/passive. I just did a commit (which went fine, except the synchronization failed and I had to push the config to the passive peer). I then looked at the passive and the information in the Resource Information widget on the Dashboard is a little suspicious. Again, this is immediately after a successful commit and a manual synchronization to the passive (I did not ssh in to look; everything is from the GUI):
Active: Management Plane = 63%; Data Plane = 32%; Session Count = 69,000(ish)
Passive: Management Plane = 85%; Data Plane = 1%; Session Count = 101,000(ish)
I verified that the Passive did not kick in as active (the last log entries on the passive are from 6 days ago).
At this moment (probably 10 minutes after the synchronization completed as far as I could see):
Active: Management Plane = 15%; Data Plane = 32%; Session Count = 62,000(ish)
Passive: Management Plane = 3%; Data Plane = 1%; Session Count = 95,000(ish)
Shouldn't the session count on the Passive be either 0(ish) or the same as the Active?
IMHO you should have the same session count on both units because you have session sync between the active and passive unit, but the dataplane utilization should be low until the failover occurs.
But I can't really see any good reason why the passive unit would have a higher session count than the active unit.
I imagine that even session closes are being synchronized between the units, unless some lazy mode is being used, but it would be odd for a firewall to allow already closed sessions after a failover (for example, if PAN chose not to sync session close and let the internal timeout timers take care of cleaning the session tables of the passive unit).
That's what I'd expect as well, which is why I posted the question. It's possible the passive device is holding sessions "open" longer, to ensure they are actually closed in the event of a failover, but it seems odd.
I can understand the high utilization for the management plane during a synch, but I would have expected it to come down much faster. It's also possible the unit is still doing a considerable amount of processing, even though the dashboard *says* everything is done.
If you can, please ssh to both the active and the passive and, from the CLI, type the following command.
1. show system resources
Please look for the mgmtsrvr and devsrvr processes and see what the VIRT memory column reads.
Our development team is currently investigating a memory leak issue.
If the VIRT memory is over 900MB that would be an indication that you might be running into a memory leak issue.
Today the only way to release the memory pool back is to restart these services.
I would recommend that you call into support so we can further troubleshoot what you are seeing.
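The check described in the reply above, as an added example that is not part of the original post or Palo Alto Networks' own tooling: it reads saved `show system resources` output and reports whether mgmtsrvr or devsrvr exceeds the 900MB VIRT figure. It assumes the output uses a top-style table in which a bare VIRT number is KiB and `m`/`g` suffixes mean MiB/GiB, and that "900MB" means 900 MiB; the sample text is constructed.

```python
import re

WATCHED = ("mgmtsrvr", "devsrvr")  # processes named in the reply above
THRESHOLD_MIB = 900                # "over 900MB" from the reply, read as MiB (assumption)
UNIT_TO_MIB = {"": 1 / 1024, "k": 1 / 1024, "m": 1.0, "g": 1024.0, "t": 1024.0 ** 2}

# Constructed sample in top-style layout; not captured from a real firewall.
SAMPLE = """\
top - 10:15:01 up 6 days,  2:11,  1 user,  load average: 0.40, 0.35, 0.30
Tasks: 110 total,   1 running, 109 sleeping,   0 stopped,   0 zombie

  PID USER      PR  NI  VIRT  RES  SHR S %CPU %MEM    TIME+  COMMAND
 2345 root      20   0 1124m 410m  12m S    2 10.5  91:02.11 mgmtsrvr
 2290 root      20   0  612m 201m 9804 S    1  5.1  40:12.77 devsrvr
 2101 root      20   0 54312 8120 4100 S    0  0.2   0:03.10 sshd
"""

def to_mib(field):
    """Convert a top memory field (bare number = KiB, or k/m/g/t suffix) to MiB."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)([kmgt]?)", field.lower())
    if not m:
        raise ValueError(f"unrecognised memory field: {field!r}")
    return float(m.group(1)) * UNIT_TO_MIB[m.group(2)]

def check_virt(output, watched=WATCHED, threshold_mib=THRESHOLD_MIB):
    """Map each watched process to (VIRT in MiB, over threshold?), or None if not listed."""
    results = dict.fromkeys(watched)
    virt_col = cmd_col = None
    for line in output.splitlines():
        cols = line.split()
        if "VIRT" in cols and "COMMAND" in cols:
            # Locate columns from the header instead of assuming fixed positions.
            virt_col, cmd_col = cols.index("VIRT"), cols.index("COMMAND")
            continue
        if virt_col is None or len(cols) <= cmd_col or cols[cmd_col] not in results:
            continue
        mib = to_mib(cols[virt_col])
        prev = results[cols[cmd_col]]
        if prev is None or mib > prev[0]:  # keep the largest if a name appears twice
            results[cols[cmd_col]] = (round(mib, 1), mib > threshold_mib)
    return results

if __name__ == "__main__":
    for name, result in check_virt(SAMPLE).items():
        print(name, "not listed" if result is None else "%.1f MiB, over=%s" % result)
```

A watched process that does not appear in the output is reported as `None` rather than as under the threshold, so a truncated capture is not mistaken for a healthy one.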
It's normal for the passive member to have more sessions than the active.
What causes this is the active member removes and clears out the sessions as they time out or become inactive, the passive device doesn't do this by design. If a failover were to occur, the new active member would age out the sessions and clear them.
I believe Al has addressed your other issues concerning the passive member not logging or becoming active.
I got the same problem from our customer, but their situation is that the active unit has a session count of 10,000 while the passive unit has 160,000 sessions. Can anyone tell me how to resolve this issue? Thanks.