A/A HA changes - looking for information on procedures

Hi - looking to make some changes to the HA configuration between 2x PA 5000s.

 

First change: an HA3 link to an AE link on different interfaces in an A/A pair of 5000s.

I'm wondering if there is a procedure anywhere for this? What would happen to an A/A pair if HA3 were to be reconfigured by Panorama? Connections are already in place; they just need configuring.

 

Is it recommended to remove Active/Active during the configuration? Is there a procedure for that anywhere :)

 

Any help would be greatly appreciated.

 

Thanks

 

Sam


Accepted Solutions

Re: A/A HA changes - looking for information on procedures

This is a non-standard change so I don't think you will find it documented. And I suspect this will be service affecting and/or require suspending a node in the cluster.

 

For these types of activities, I generally open a support case.  This way the MOP can be reviewed by some senior engineers and the outage scenario fully understood.

 

PA will also schedule a time to be live with you on a call from TAC during your maintenance window for these types of changes.  This speeds the process and has them on standby if the MOP does not work out for some reason.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center



All Replies

Re: A/A HA changes - looking for information on procedures

What is your reason for using A/A? Asymmetric routing or Palos connected to another firewall cluster or something else?

HA3 is used to transmit packets between firewalls.

All packets belonging to the same session are analysed by the same firewall. If a packet comes to a firewall and the session owner is the other firewall, then HA3 is used to pass the packet over.

If you disconnect HA3 then you will disturb your connections anyway.

 

If you don't have a specific requirement to have both boxes running all the time, then suspend one and see if you can change the HA3 interface.

If not then disable HA temporarily and make your change.

Enterprise Architect @ Cloud Carib www.cloudcarib.com
ACE, PCNSE, PCNSI

Re: A/A HA changes - looking for information on procedures

Hi both, thanks for your answers.

 

I'll probably go down the road of raising a support call to assist in this.

 

If I learn the procedure, and remember, I'll post it back here :)

 
