10-13-2022 02:53 PM
Hello,
I've been looking for some time for docs which closely describe a PA Active/Active setup for Vwire-only interface mode (multiple defined Vwires), especially failover triggers like link or path monitoring, but no luck. I decided to start this discussion in order to clarify some unclear questions myself, so let me briefly describe the following scenario.
Customer wants to replace the old XGS IPS which transparently inspects traffic with many defined interface pairs. This is a single device deployment and this XGS has a fail open circuit that passes traffic through interfaces in case of total device failure or power outage, but then without inspection.
We discussed and decided to deploy the PA transparently like the old XGS (without replacing neighbor HA routers or changing any existing conf on L3 level). Multiple Vwire configurations are then the logical scenario, but from an HA A/P point of view, they don't want an outage of one Vwire to be a trigger for failover to the passive device while the other Vwires are up.
Then we decided to go with an Active/Active configuration, but now we are concerned about how to configure link monitoring, or whether to configure any failover trigger at all.
Generally, they want to leave neighbor L3 HA devices to decide about failover and surviving path and leave PA to just pass traffic to Vwire on a device where the path and link are recovered.
For example, if the PA has 5 Vwires configured (5 interface pairs) and one Vwire goes down (router, SW or port fails), should failover link monitoring be configured in order to recover only that Vwire on the second active device/interface pair? Just to mention that every Vwire on one active PA device has different neighbors, like L3 and SW, and their HA passive pair is on the other active PA (see example below).
router1Act--------PA1Active(Vwire1)-------------SW1stack
router1Psv-------PA2Active(Vwire1)--------------SW1stack
router2Act--------PA1Active(Vwire2)--------------SW2stack
router2Psv--------PA2Active(Vwire2)--------------SW2stack
.
.
router5Act--------PA1Active(Vwire5)---------------SW5stack
router5Psv---------PA2Active(Vwire5)--------------SW5stack
What would be the behavior if neither link nor path monitoring is configured on the devices in such a scenario?
10-18-2022 06:24 PM
Hi @Tician ,
Thanks for your post. What are you hoping to achieve with an A/A v-wire deployment with the Palo's while your routers are in A/P?
V-wire will forward packets from one v-wire link to the other.
10-21-2022 12:18 AM
Hi @JayGolf ,
With A/A vwire PA we are trying not to fail over the whole device to the passive node if only one vwire fails (every vwire has a separate set of neighbor A/P routers). In that setup, we just want the neighbor routers to care about failover triggers, not the PA devices.