This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Buy or Renew
Buy or Renew

High Bandwidth on Broker VM: Cluster Mismatch (v29 vs v28) & P2P

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

High Bandwidth on Broker VM: Cluster Mismatch (v29 vs v28) & P2P

QuestionAb
L1 Bithead

‎01-28-2026 11:59 AM

Hi everyone,

I'm facing high bandwidth usage on my Primary Broker VM. I need to validate if my diagnosis is correct:

The Setup:

  • Cluster: HA Pair. Node 1 is v29.0.77 (Healthy). Node 2 is v28.0.99 (Service "Local Agent Settings" is Red/Down).

  • Policy: Download Source = Broker VM (P2P is currently disabled).

My Questions:

  1. Cluster: Does the version mismatch cause the load balancing to fail, forcing Node 1 to handle 100% of the traffic?

  2. Agent Logic: If "Broker VM" is selected in the policy, do agents always prioritize the Broker over the Cloud (Internet), even if they have direct Internet access?

I plan to enable P2P and upgrade Node 2 to match versions. Is this the right path?

Thanks!

0 Likes Likes
1 REPLY 1

susekar
L3 Networker

‎01-29-2026 09:35 AM

Hello @QuestionAb ,

 

Greetings for the day.

1. Cluster Load Balancing and Node Failure

Does the version mismatch cause load balancing to fail, forcing Node 1 to handle 100% of the traffic?

Native Load Balancing
The Broker VM cluster feature is designed for high availability and failover redundancy, but it does not provide native load balancing to actively distribute traffic across nodes. If active/active traffic distribution is required, it must be implemented using an external load balancer.

 

Failover Logic
When a node in the cluster is marked as Red/Down, the HA mechanism shifts all responsibilities to the healthy node. Since Node 2’s Local Agent Settings service is down, it cannot serve agents, which effectively forces Node 1 to handle all agent traffic.

 

Version Mismatch
Rolling upgrades are supported to minimize downtime, but running cluster nodes on different versions for an extended period can cause synchronization inconsistencies. Version v28.0.99 is associated with a known issue that causes repeated content downloads and excessive bandwidth usage. This behavior can further increase the load on the remaining healthy node.

2. Agent Logic and Download Priority

If “Broker VM” is selected in the policy, do agents always prioritize the Broker over the Cloud?

Priority Order
When Broker VM is selected as a download source, the Cortex XDR agent follows this hierarchy:
P2P → Broker VM → Cortex Server (Cloud)

 

Prioritization Behavior
If P2P is disabled, agents will attempt to download content from the Broker VM first. They will fall back to the Cloud only if they cannot connect to the Broker VM or if the Broker returns an error (for example, authentication, authorization, or SSL-related failures).

 

Direct Server Access
If Direct Server Access is enabled in the agent settings profile, agents may bypass the Broker VM and connect directly to the Cortex cloud if they detect connectivity or caching issues with the Broker.

3. Recommended Path

Is enabling P2P and upgrading Node 2 the right path?

Yes, this is the recommended approach.

Upgrade Node 2
Upgrading Node 2 from v28.0.99 is critical due to the known content re-download issue that causes excessive bandwidth usage. Aligning Node 2 with Node 1 on v29.x will also restore proper HA behavior and reduce synchronization risks.

Enable P2P
Enabling Peer-to-Peer (P2P) significantly reduces the load on the Broker VM by allowing agents to share content packages within the same local network segment.

Recommended Troubleshooting Steps

  1. Verify caching prerequisites
    Ensure Node 1 has a valid FQDN and properly configured SSL certificates, as these are required for Broker VM content caching.

  2. Check disk space
    Insufficient space on the /data partition can cause content download failures and abnormal bandwidth usage.
    Run:

    df -h /data

  3. Monitor active connections
    Review active agent connections on Node 1. Note that the Local Agent Settings applet only shows connections that are actively transferring data at that exact moment, not total registered agents.

If you feel this has answered your query, please let us know by clicking like and on "mark this as a Solution".

 

Happy New year!!

 

Thanks & Regards,
S. Subashkar Sekar

0 Likes Likes
  • 1699 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2026 - Palo Alto Networks