Is Graceful shutdown a good idea to invoke Failover ?

L1 Bithead


Hello,

 

Next to a project that I have to achieve in some days, I've been searching for an answer to my questions that I haven't found.
That's why I try here now and I hope you will be able to assist me :)

 

Due to a UPS maintenance, I will have to unplug our two Palo Alto from power. We have two Power Domains, so one PA is on a PD and the other one is on another PD.

I would like to be the cleanest possible to provoke the failover from the Active PA (that I will have to unplug from power) to the other PA that will stay in service during this time. I've been thinking that making a Graceful shutdown of the Active PA before unplugging it from power can be a good idea.

 

My question(s) :

- Is the graceful shutdown a good idea ?

- Will the passive unit take the lead when I will make the graceful shutdown executed on the active ?

 

In advance many thanks and feel free to tell me if I'm not clear.
Have a nice day !
Franck

Community Manager

Re: Is Graceful shutdown a good idea to invoke Failover ?

Hi Franck

 

A graceful shutdown will certainly work, especially if you're going to need to power down anyway. Alternatively you can suspend the active device:

admin@myNGFW> request high-availability state suspend 

In both cases the passive unit will assume the active role (do a quick 'show session all' on the passive unit to ensure it is properly receiving session information from the active peer).


Help the community: Like helpful comments and mark solutions
Reaper out
L1 Bithead

Re: Is Graceful shutdown a good idea to invoke Failover ?

Wow, that was quick, thank you :)

 

Ok so now I feel more safe, also thank you for your alternative.
A very last question : Is there a best practice regarding my kind of operation ? (To have the smoothest experience possible and the least disruption time possible)

Or is what we talked about already sufficient ?

Thanks again for your quickness and good afternoon !

Community Manager

Re: Is Graceful shutdown a good idea to invoke Failover ?

Hi Franck

 

I guess your situation leans closely to the PAN-OS upgrade process, for which there are best practices: https://live.paloaltonetworks.com/t5/Featured-Articles/Best-Practices-for-PAN-OS-Upgrade/ta-p/111045

 

Similar steps, using the suspend method.

 

 

What physically happens when the active device is suspended or shut down:

- the active should already have synced its active sessions over to the passive device so it can continue processing existing sessions

- the passive device brings its interfaces online

- once interfaces are up, sends out a gratuitous ARP to inform all neighbours it is now in charge of the MAC addresses associated with your cluster

- neighbours start sending all packets to passive device

- passive device starts creating new sessions for all SYN packets received, continues processing packets for existing sessions


Reaper out
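
The gratuitous ARP step in the failover sequence above can be confirmed from a packet capture taken on a neighbouring segment. The following is an added example, not part of the original thread and not Palo Alto Networks code; it assumes untagged Ethernet frames, and the function names, cluster IP, MAC addresses and sample frames are constructed for illustration.

```python
import struct
from ipaddress import IPv4Address

ETH_P_ARP = 0x0806
BROADCAST = b"\xff" * 6

def fmt_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)

def parse_arp(frame: bytes):
    """Return the ARP fields of an untagged Ethernet frame, or None if it is not IPv4 ARP."""
    if len(frame) < 42:
        return None
    _dst, _src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, oper, sha, spa, _tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"oper": oper, "sha": fmt_mac(sha),
            "spa": IPv4Address(spa), "tpa": IPv4Address(tpa)}

def garp_senders(frames, cluster_ip: str):
    """MACs that announced cluster_ip with a gratuitous ARP (sender IP == target IP)."""
    ip = IPv4Address(cluster_ip)
    seen = []
    for frame in frames:
        arp = parse_arp(frame)
        if arp and arp["oper"] in (1, 2) and arp["spa"] == arp["tpa"] == ip:
            if arp["sha"] not in seen:
                seen.append(arp["sha"])
    return seen

def build_arp(dst, sha, spa, tha, tpa, oper=1):
    """Build a constructed ARP frame for the sample data below."""
    return (dst + sha + struct.pack("!H", ETH_P_ARP)
            + struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper)
            + sha + IPv4Address(spa).packed + tha + IPv4Address(tpa).packed)

# Constructed sample capture: addresses are documentation values, not from the thread.
NEW_ACTIVE = bytes.fromhex("02005e005301")
HOST = bytes.fromhex("02005e005350")
SAMPLE_FRAMES = [
    build_arp(BROADCAST, HOST, "192.0.2.50", b"\x00" * 6, "192.0.2.1"),       # ordinary who-has
    build_arp(BROADCAST, NEW_ACTIVE, "192.0.2.1", b"\x00" * 6, "192.0.2.1"),  # gratuitous ARP
    BROADCAST + HOST + b"\x08\x00" + b"\x00" * 40,                            # not ARP
]

if __name__ == "__main__":
    print(garp_senders(SAMPLE_FRAMES, "192.0.2.1"))
```

More than one MAC in the result means two devices claimed the address within the capture window, which is worth investigating before continuing the maintenance.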
L1 Bithead

Re: Is Graceful shutdown a good idea to invoke Failover ?

Perfect ! Thanks a lot again reaper !

L6 Presenter

Re: Is Graceful shutdown a good idea to invoke Failover ?

If you have GUI access and prefer to use it, the same command via CLI is also in the GUI.

 

 

HA_Command.JPG
