How does link monitoring work in High Availability ?

Reply
Highlighted
L0 Member

How does link monitoring work in High Availability ?

Hi All,

 

I am working on the following HA design -

 

(Vendor - PAN) 40 Gig PRD Firewalls Topology (1).jpg

 

 

 

As you can see above, each firewall will have two interfaces connected to Juniper routers on the inside and outside zones. The firewall peers will also be directly connected to each other for the HA links. 

 

The plan is to use Active/Passive deployment and I am trying to figure out if this design can be achieved without any Layer 2 switches.  The main question I have is around exchange of hello messages and link monitoring. How do the firewall peers exchnage these messages if there is no L2 switch in the topolocy? Is that done over HA links?

 

Would this design not work due to the missing L2 switch?

L7 Applicator

Re: How does link monitoring work in High Availability ?

Link monitoring and path monitoring are about watching the connection status between the PA and the connected device.  This is not about monitoring the status of the HA pair. This does not matter what the connected device is.

 

So when you configure link monitoring you are watching for the link status between the PA and the other device going link down.  

 

Path monitoring is using the selected link to run the ping test and can detect failures upstream of the actual link failure.  The link can be link up but not able to reach the internet for example because of failures beyond the link itself.  But this is testing the path to the rest of the network or upstream and not the HA status of the two devices.

 

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center
L0 Member

Re: How does link monitoring work in High Availability ?

Thans Steve. But how is the PAN firewa exchanging the link status information? Are they running any tests across those interfaces or do they simply exchange the link up/down status over the HA links?
L7 Applicator

Re: How does link monitoring work in High Availability ?

All exchanges of information between HA members if via the HA links.

 

The tests are run on the firewall connected to the link under test.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center
L2 Linker

Re: How does link monitoring work in High Availability ?

Hi. i have this issue:
i have in my PA active firewall several interfaces within link monitoring. i want to know which is the normal behavior if i config the same links on the passive firewall. my real question is: Do I must to configure the same link monitoring on both firewalls or just i need to configure this on the active firewall
i am so confused, your help and comments will be very apreciated
T iA

L2 Linker

Re: How does link monitoring work in High Availability ?

Hi,

 

Configuring it on the active device should be OK as this will be replicated to the standby device.

 

Thanks

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!