Logical Shutdown of an Interface Does Not Cause HA Failover
39275
Created On 09/25/18 19:52 PM - Last Modified 12/20/19 18:22 PM
Symptom
- During a High Availability (HA) failover test that involves the link monitor (failure condition set to 'any'), an interface belonging to the link monitor group is manually shut down from the Web GUI or CLI.
- In this scenario, the HA pair of Palo Alto Networks devices did not fail over to the passive device.
Environment
- PA-Firewall
- HA configuration with link monitoring and an interface failure condition of 'any'
Cause
A failover does not occur if an interface belonging to the link monitor group is forced down by a user from the Web GUI or CLI.
Link monitoring only evaluates interfaces that are logically up; interfaces that are configured to be logically shut down are excluded from link monitoring.
If the user configures a port down, link monitoring therefore does not trigger any action.
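The following Python model, added here and not part of PAN-OS or this article, encodes the rule above: only interfaces that are logically up are evaluated, so an interface shut down from the GUI or CLI can never trigger a failover under the 'any' condition. Interface names and states are constructed for the example, and the 'all' branch is an assumption that extends the article's rule to the other failure condition.

```python
from dataclasses import dataclass


@dataclass
class Interface:
    name: str
    admin_up: bool   # logical state set by the administrator (GUI/CLI)
    link_up: bool    # physical link state


def monitored(ifaces):
    """Interfaces the link monitor actually evaluates.

    Per the article, logically shut-down interfaces are excluded."""
    return [i for i in ifaces if i.admin_up]


def link_group_failed(ifaces, condition="any"):
    """Evaluate a link monitor group.

    'any' fails when one monitored link is down; 'all' (assumed) requires
    every monitored link to be down. Admin-down ports never count."""
    active = monitored(ifaces)
    if not active:
        return False  # nothing left to monitor, so nothing can trigger
    down = [i for i in active if not i.link_up]
    if condition == "any":
        return len(down) > 0
    if condition == "all":
        return len(down) == len(active)
    raise ValueError(f"unknown failure condition: {condition}")


def audit_test_plan(ifaces):
    """Names of interfaces an HA failover test cannot exercise because
    they are logically shut down and therefore not monitored."""
    return [i.name for i in ifaces if not i.admin_up]


# Constructed lab state: ethernet1/1 was shut down from the GUI/CLI for the
# failover test, ethernet1/2 is up and carrying link.
LAB = [
    Interface("ethernet1/1", admin_up=False, link_up=False),
    Interface("ethernet1/2", admin_up=True, link_up=True),
]

# Pulling the cable on an admin-up interface is what does trigger 'any'.
CABLE_PULLED = [
    Interface("ethernet1/1", admin_up=True, link_up=False),
    Interface("ethernet1/2", admin_up=True, link_up=True),
]
```

Run `audit_test_plan` against the interfaces in the link monitor group before a failover test; any name it returns is a test case that will silently pass without failing over.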
Resolution
Additional Information
- This situation also applies when an interface is logically shut down on the passive firewall: no entry appears in the system logs of the active firewall, since no action is triggered; however, the interface remains down on both sides because of HA configuration sync.
- Only after the interface on the passive firewall is brought back up does the active firewall perform a link check and record interface down/up entries in the system logs.