High Availability Active/ Standby per Virtual System


 Hello,

As you may know, PA HA is per physical box only. If you have 2 boxes running virtual systems and you want to have HA, you can't have VSYS1 on box1 active and VSYS2 on box1 standby. Box1 must be active on all VSYS on it or standby on all VSYS.

 

There is a workaround for this limitation with configuration sync. Let's assume we have 2 PA boxes and we want to have the following:

 

Box1: device id 0
  VSYS1 active
  VSYS2 standby

Box2: device id 1
  VSYS1 standby
  VSYS2 active

 

We can configure Active/Active High Availability between the 2 boxes and use Floating IPs with priorities to make FIP1 (10.2.28.1, which is part of VSYS1) active on box1 and FIP2 (10.2.29.1, which is part of VSYS2) active on box2, as below.

 

Network Configuration:

e1/1 and e1/2 are part of VSYS1

e1/3 and e1/4 are part of VSYS2

 

e1/1 (Inside) will have an IP 10.2.28.2 on box1 and 10.2.28.3 on box2

e1/2 (Outside) will have an IP 10.2.30.2 on box1 and 10.2.30.3 on box2

e1/3 (Inside) will have an IP 10.2.29.2 on box1 and 10.2.29.3 on box2

e1/4 (Outside) will have an IP 10.2.31.2 on box1 and 10.2.31.3 on box2

 

Virtual Router VR1 (e1/1, e1/2) is part of VSYS1

Virtual Router VR2 (e1/3, e1/4) is part of VSYS2

 

 

Virtual Address on e1/1 is 10.2.28.1 with priority 0 on device 0 (Active) and priority 255 on device 1 (Standby)

Virtual Address on e1/2 is 10.2.30.1 with priority 0 on device 0 (Active) and priority 255 on device 1 (Standby)

Virtual Address on e1/3 is 10.2.29.1 with priority 255 on device 0 (Standby) and priority 0 on device 1 (Active)

Virtual Address on e1/4 is 10.2.31.1 with priority 255 on device 0 (Standby) and priority 0 on device 1 (Active)


Assuming that users can't change their gateway manually, subnet 10.2.28.0/24 is now active on VSYS1 on box1 while subnet 10.2.29.0/24 is now active on VSYS2 on box2.

 

We will need to use a router (R1) to route traffic between VSYS1 and VSYS2. If we are going to use static routing, the scenario should be like this:

1_Enable VR Sync in the HA > Active/Active tab (enabled by default)

2_Add default route on VR1 to route traffic to R1

3_Add default route on VR2 to route traffic to R1

4_On R1, add 2 static routes for each subnet with different metrics

routes for subnet 10.2.28.0/24:

-route to 10.2.30.1 with metric 10

-route to 10.2.31.1 with metric 20

routes for subnet 10.2.29.0/24:

-route to 10.2.31.1 with metric 10

-route to 10.2.30.1 with metric 20

 

In case we need to use Dynamic Routing (OSPF):

1_Don't use floating IPs for the outside interfaces e1/2 and e1/4.

2_Disable VR sync. (Now we have 4 different routers on the 2 boxes.)

3_Increase the metric of subnet 10.2.28.0/24 on VR1, VSYS1 on box2 in the OSPF configuration.

4_Increase the metric of subnet 10.2.29.0/24 on VR2, VSYS2 on box1 in the OSPF configuration.

 

 

References:

1_HA-Active-Active-Tech-Note

https://live.paloaltonetworks.com/t5/Documentation-Articles/Configuring-Active-Active-HA-PAN-OS-4-0/...

2_How to Configure OSPF

https://live.paloaltonetworks.com/t5/Configuration-Articles/How-to-Configure-OSPF/ta-p/52283?attachm...
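The design in the post above rests on two selection rules: the functional HA peer with the numerically lowest floating-IP priority owns the address (0 beats 255), and R1 forwards toward the lowest-metric path whose next hop is still reachable. The following model, added here as an example and not code from the post or from Palo Alto Networks, encodes the post's addresses, priorities, static metrics and the OSPF variant so you can check what happens when one box fails. Two things in it are assumptions rather than statements from the post: R1 is taken to withdraw a static route when the box owning its floating-IP next hop is down (on a real router that needs the interface to go down or the route to be tracked), and the OSPF costs 10 and 100 are illustrative values for the normal and the increased metric.

```python
"""Model of the per-VSYS active/standby design described in the post above.

Added example, not from the post or from Palo Alto Networks. It encodes:
  * floating-IP ownership: the functional HA peer with the numerically
    LOWEST priority value wins (0 beats 255);
  * R1 path choice: lowest static metric, or lowest OSPF cost, among
    next hops that are currently reachable.
Assumptions (not from the post): R1 withdraws a static route whose
floating-IP next hop has no owner; OSPF costs 10 / 100 are illustrative.
"""

DEVICE_0, DEVICE_1 = 0, 1

# Floating IPs from the post: address -> (vsys, {device id: priority})
FLOATING_IPS = {
    "10.2.28.1": ("vsys1", {DEVICE_0: 0, DEVICE_1: 255}),  # e1/1, VSYS1 inside
    "10.2.30.1": ("vsys1", {DEVICE_0: 0, DEVICE_1: 255}),  # e1/2, VSYS1 outside
    "10.2.29.1": ("vsys2", {DEVICE_0: 255, DEVICE_1: 0}),  # e1/3, VSYS2 inside
    "10.2.31.1": ("vsys2", {DEVICE_0: 255, DEVICE_1: 0}),  # e1/4, VSYS2 outside
}

# R1 static routes from the post: subnet -> [(next hop, metric), ...]
R1_STATIC_ROUTES = {
    "10.2.28.0/24": [("10.2.30.1", 10), ("10.2.31.1", 20)],
    "10.2.29.0/24": [("10.2.31.1", 10), ("10.2.30.1", 20)],
}

# OSPF variant: no outside floating IPs and VR sync off, so each box
# advertises from its own e1/2 or e1/4 address. Costs are assumed values.
OSPF_ADVERTISEMENTS = {
    "10.2.28.0/24": [(DEVICE_0, "10.2.30.2", 10), (DEVICE_1, "10.2.30.3", 100)],
    "10.2.29.0/24": [(DEVICE_1, "10.2.31.3", 10), (DEVICE_0, "10.2.31.2", 100)],
}


def floating_ip_owner(address, devices_up):
    """Device id that owns a floating IP, or None when no HA peer is functional.
    Among functional peers the numerically lowest priority wins."""
    _, priorities = FLOATING_IPS[address]
    candidates = [(prio, dev) for dev, prio in priorities.items() if dev in devices_up]
    return min(candidates)[1] if candidates else None


def active_vsys_per_device(devices_up):
    """Which VSYS each functional device is effectively active for, judged by
    the floating IPs it currently owns."""
    result = {dev: set() for dev in devices_up}
    for address, (vsys, _) in FLOATING_IPS.items():
        owner = floating_ip_owner(address, devices_up)
        if owner is not None:
            result[owner].add(vsys)
    return result


def r1_static_next_hop(subnet, devices_up):
    """R1's next hop under the static design: lowest metric whose floating IP
    still has an owner (an unowned next hop counts as a withdrawn route)."""
    reachable = [(metric, nh) for nh, metric in R1_STATIC_ROUTES[subnet]
                 if floating_ip_owner(nh, devices_up) is not None]
    return min(reachable)[1] if reachable else None


def r1_ospf_next_hop(subnet, devices_up):
    """R1's next hop under the OSPF design: lowest-cost advertisement from a
    box that is still up (a failed box stops advertising)."""
    live = [(cost, nh) for dev, nh, cost in OSPF_ADVERTISEMENTS[subnet] if dev in devices_up]
    return min(live)[1] if live else None


def failover_report(devices_up):
    """Summarise where each subnet is served for a given set of functional boxes."""
    return {
        "vsys_by_device": active_vsys_per_device(devices_up),
        "static_next_hop": {s: r1_static_next_hop(s, devices_up) for s in R1_STATIC_ROUTES},
        "ospf_next_hop": {s: r1_ospf_next_hop(s, devices_up) for s in OSPF_ADVERTISEMENTS},
    }


if __name__ == "__main__":
    for state in ({DEVICE_0, DEVICE_1}, {DEVICE_1}, {DEVICE_0}):
        print("boxes up:", sorted(state), failover_report(state))
```

Running it for the three states (both boxes up, only box2 up, only box1 up) shows the intended split in normal operation and all four floating IPs landing on the surviving box after a failure. Because the outside floating IP follows the surviving box, R1's metric-10 static next hop stays valid in that case; the metric-20 route only comes into play if the primary floating IP itself is unavailable, which is worth keeping in mind when deciding whether R1 needs next-hop tracking.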
