on 07-13-2020 12:57 PM
High Availability - HA Heartbeat Backup
If HA1 and HA1-backup are configured with data plane ports then Heartbeat backup is needed. If Management port is used as HA1 bkup then Heartbeat backup is not needed.
Why, though? What's the reason that using management ports for a Control Link makes Heartbeat Backup not needed, or, put another way, why does not using a management port for a Control Link make Heartbeat Backup advantageous or necessary?
@ChrisSutton Great question Chris.
Does anyone know if I am able to see the same status information I see on the HA Widget for the 'Heartbeat backup' up or down, via the cli as a show HA .... ... status command of some sort? I am not finding it via # show high-availability all or # show high-availability state.
I need to be able to find this information in a large batch of firewalls for an audit. Thanks.
I agree with Chris but to put his question another way:
Hi @ChrisSutton , @kevin-john ,
If you configure your HA1 to use the management interface, it doesn't make any sense to configure the same management interface for backup, right? That is why, if you do that (select management for HA1 and enable "Heartbeat backup"), you will receive a commit warning.
Q: Why are HA1A and HA1B Ports Data Plane ports in the first place?
A: It depends on the device you are using. Smaller devices do not have any dedicated HA interfaces (no HA1 nor HA2/HSCI), for example the PA-400 series or PA-220. So if you plan to use HA on those devices, you will need to/must reserve dataplane interfaces for HA1 and HA2.
Q: What's the reasoning behind having all these ports in the Data Plane and then having an optional feature called Heartbeat Backup that ends up having the part of the same process occur over a Management Plane port?
A: As mentioned above, "Heartbeat Backup" will use the dedicated management interface as a backup path for HA heartbeats and hello packets (I am not sure if config sync is performed in this case, compared to using HA1-B).
Q: If using the Mgmt port for HA works well and never causes issues why have these dedicated HA1 ports at all and if it doesn't work well then why even support HA on platforms without the HA1 ports?
A: Dedicated HA ports are supported only on bigger devices, those that are usually used in a big campus or data center (PA-3200, 5200 and above). In most of these cases the management for the two peers may be in totally different networks, which means if you use mgmt for the control link you will pass over some additional layer 2 and layer 3 devices. It makes sense to have such important traffic pass over as few external devices as possible, to guarantee a stable connection and performance.
Q: Wouldn't it just be easier to have Heartbeat backup enabled by default and let the software determine if the Mgmt port is being used for HA1 or HA1 Backup (simple configuration check) and, if it is, silently disable Heartbeat backup automatically?
A: There is such a check; that is why, if you apply such a configuration, you will receive a commit warning, which lets you know that heartbeat backup is ignored (which you would agree is the same as "automatically disabled"). But let me ask you: would you prefer the FW to silently ignore the redundant configuration and let you believe you have HA1 redundancy, or would you prefer to receive a warning that you are trying to configure HA1 backup over the same physical interface as the primary HA1 and you actually don't have redundancy, which could lead to split-brain?
Q: Are we simply giving the user unnecessary choice and then blaming them for making the wrong choice?
A: Absolutely not.
I would also strongly recommend that you check the following documentation, which also includes the Aux ports you mentioned: HA Ports on Palo Alto Networks Firewalls
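The rules stated in this thread (heartbeat backup is needed when HA1 and HA1-backup are both dataplane ports, it is not needed when HA1-backup is the management port, and it is ignored with a commit warning when HA1 itself is on the management port, leaving no control-link redundancy) can be turned into a fleet-wide configuration audit of the kind asked for earlier in the thread. The following is an added example, not code from the thread or from Palo Alto Networks. It assumes a config XML layout (`deviceconfig/high-availability/interface/ha1/port`, `.../ha1-backup/port`, `.../group/election-option/heartbeat-backup`) modelled on the `set deviceconfig high-availability` CLI hierarchy; that layout, the sample device names and the sample port values are all constructed for the example, so verify the element paths against a real configuration export before relying on them.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: minimal HA config fragments for three firewalls.
# The element layout is an ASSUMPTION based on the "set deviceconfig
# high-availability" CLI hierarchy, not a captured configuration export.
SAMPLE_CONFIGS: Dict[str, str] = {
    # Both control links on dataplane ports, heartbeat backup left off.
    "fw-dc-01": """
<config><devices><entry name="localhost.localdomain"><deviceconfig>
  <high-availability>
    <interface>
      <ha1><port>ethernet1/7</port></ha1>
      <ha1-backup><port>ethernet1/8</port></ha1-backup>
    </interface>
    <group><election-option><heartbeat-backup>no</heartbeat-backup></election-option></group>
  </high-availability>
</deviceconfig></entry></devices></config>""",
    # HA1 on the management port with heartbeat backup enabled: the
    # configuration that triggers the commit warning discussed above.
    "fw-branch-01": """
<config><devices><entry name="localhost.localdomain"><deviceconfig>
  <high-availability>
    <interface>
      <ha1><port>management</port></ha1>
    </interface>
    <group><election-option><heartbeat-backup>yes</heartbeat-backup></election-option></group>
  </high-availability>
</deviceconfig></entry></devices></config>""",
    # Dataplane HA1 with the management port as HA1 backup: no heartbeat
    # backup needed, nothing to report.
    "fw-dc-02": """
<config><devices><entry name="localhost.localdomain"><deviceconfig>
  <high-availability>
    <interface>
      <ha1><port>ethernet1/7</port></ha1>
      <ha1-backup><port>management</port></ha1-backup>
    </interface>
    <group><election-option><heartbeat-backup>no</heartbeat-backup></election-option></group>
  </high-availability>
</deviceconfig></entry></devices></config>""",
}


@dataclass
class HaControlLinks:
    """The three settings that decide whether the control link is redundant."""
    ha1_port: Optional[str]
    ha1_backup_port: Optional[str]
    heartbeat_backup: bool


def parse_ha_config(xml_text: str) -> HaControlLinks:
    """Extract HA1, HA1-backup and heartbeat-backup from a config fragment."""
    root = ET.fromstring(xml_text)
    ha = root.find(".//high-availability")
    if ha is None:
        return HaControlLinks(None, None, False)
    hb = (ha.findtext("group/election-option/heartbeat-backup") or "no").strip()
    return HaControlLinks(
        ha1_port=ha.findtext("interface/ha1/port"),
        ha1_backup_port=ha.findtext("interface/ha1-backup/port"),
        heartbeat_backup=(hb.lower() == "yes"),
    )


def is_management(port: Optional[str]) -> bool:
    return port is not None and port.strip().lower() == "management"


def audit_control_links(cfg: HaControlLinks) -> List[Tuple[str, str]]:
    """Apply the thread's rules; returns (code, explanation) findings."""
    findings: List[Tuple[str, str]] = []
    if cfg.ha1_port is None:
        return [("NO-HA1", "no HA1 control link configured")]
    if is_management(cfg.ha1_port) and cfg.heartbeat_backup:
        findings.append(("HB-IGNORED", "heartbeat backup shares the management "
                         "port with HA1; it is ignored (commit warning)"))
    if is_management(cfg.ha1_backup_port) and cfg.heartbeat_backup:
        findings.append(("HB-REDUNDANT", "HA1 backup already uses the management "
                         "port; heartbeat backup is not needed"))
    both_dataplane = (cfg.ha1_backup_port is not None
                      and not is_management(cfg.ha1_port)
                      and not is_management(cfg.ha1_backup_port))
    if both_dataplane and not cfg.heartbeat_backup:
        findings.append(("HB-MISSING", "HA1 and HA1 backup are dataplane ports; "
                         "enable heartbeat backup for a path via management"))
    # Effective redundancy: a second HA1 port, or heartbeat backup on a
    # management port that HA1 itself does not already occupy.
    hb_effective = cfg.heartbeat_backup and not is_management(cfg.ha1_port)
    if cfg.ha1_backup_port is None and not hb_effective:
        findings.append(("NO-CONTROL-REDUNDANCY", "loss of the single HA1 link "
                         "would risk split-brain"))
    return findings


def audit_fleet(configs: Dict[str, str]) -> Dict[str, List[str]]:
    """Map firewall name to its finding codes (empty list means clean)."""
    return {name: [code for code, _ in audit_control_links(parse_ha_config(xml))]
            for name, xml in configs.items()}


if __name__ == "__main__":
    for fw, codes in audit_fleet(SAMPLE_CONFIGS).items():
        print(f"{fw}: {', '.join(codes) or 'OK'}")
```

In a real audit the per-device XML would come from each firewall's configuration export rather than the constructed strings above; the parsing and rule logic stay the same.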