Active/Active failover triggers for multiple Vwire?


L1 Bithead

Hello,

 

I've been looking for some time for docs that closely describe a PA Active/Active setup for Vwire-only interface mode (multiple defined Vwires), especially failover triggers like link or path monitoring, but no luck. I decided to start this discussion in order to clarify some unclear questions myself, so let me briefly describe the following scenario.

 

Customer wants to replace the old XGS IPS which transparently inspects traffic with many defined interface pairs. This is a single device deployment and this XGS has a fail open circuit that passes traffic through interfaces in case of total device failure or power outage, but then without inspection. 

We discussed and decided to deploy the PA transparently, like the old XGS (they do not want to replace the neighbor HA routers or change any existing configuration at the L3 level). Multiple Vwire configurations are then the logical scenario, but from an HA A/P point of view, they don't want an outage of one Vwire to be a trigger for failover to the passive device while the other Vwires are up.

Then we decided to go with an Active/Active configuration, but now we are concerned about how to configure link monitoring, or whether to configure any failover trigger at all.

Generally, they want to leave it to the neighbor L3 HA devices to decide about failover and the surviving path, and leave the PA to just pass traffic through the Vwire on the device where the path and link are recovered.

 

For example, if the PA has 5 Vwires configured (5 interface pairs) and one Vwire goes down (router, SW or port fails), must failover link monitoring be configured in order to recover only that Vwire on the second active device/interface pair? Just to mention that every Vwire on one active PA device has different neighbors, such as L3 and SW, with their HA passive pair on the other active PA (see the example below).

router1Act--------PA1Active(Vwire1)-------------SW1stack

router1Psv-------PA2Active(Vwire1)--------------SW1stack

 

router2Act--------PA1Active(Vwire2)--------------SW2stack

router2Psv--------PA2Active(Vwire2)--------------SW2stack

.

.

router5Act--------PA1Active(Vwire5)---------------SW5stack

router5Psv---------PA2Active(Vwire5)--------------SW5stack

 

What would the behavior be if neither link nor path monitoring is configured on the devices in such a scenario?

 

2 REPLIES

Community Team Member

Hi @Tician ,

 

Thanks for your post. What are you hoping to achieve with an A/A v-wire deployment with the Palo's while your routers are in A/P? 

V-wire will forward packets from one v-wire link to the other. 

 

 

Recommended Discussions

HA Path Monitoring in v-wire

Active-Active in v-wire

LIVEcommunity team member
Stay Secure,
Jay

Hi @JayGolf ,

 

With A/A vwire on the PA, we are trying not to fail over the whole device to the passive node if only one vwire fails (every vwire has a separate set of neighbor A/P routers). In that setup, we just want the neighbor routers to take care of failover triggers, not the PA devices.
