This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Active/Active HA tentative state question

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Active/Active HA tentative state question

PerryK
L2 Linker

‎05-14-2018 08:08 AM

Let's say we have 2 firewalls in A/A HA

each firewall has 2 vWire (single interfaces, no aggregration)

eth1/eth2 = vWire 1 and eth3/eth4=vWire2

link monitoring is set such that if any of eth1/eth2 interfaces are down or any of eth3/eth4 are down the firewall will go into tentative state.

Say I unplug eth1/eth2 on FW1. FW1 goes into tentative state. Now, no traffic should flow on vWire2 (eth3/eth4) of FW1. 

Can ayone confirm this? 

0 Likes Likes
3 REPLIES 3

reaper
Cyber Elite
Cyber Elite

‎05-14-2018 11:55 PM

Hi @PerryK

in an AP cluster a link monitor failure is a global failure causing the membert to go into a non-functional state and stop passing traffic altogether, passing over all responsabilities to the secondary peer

 

in an AA cluster, however, the member will continue accepting packets, if at all possible, but will pass everything over to it's peer for processiong via the HA3 link

 

https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/high-availability/ha-firewall-states

 

so, if you unplug eth1, eth2 will go down (link state passthrough property of vwire), eth1/eth2 vwire functionality passes over to member2 completely as this will be the only member with an active set left.

eth3/eth4 vwire, however, will remain active and will accept packets on member1, but all packets are forwarded through the HA3 interface to member2, processed and sent back to member1 and then egressed out on the other end of the vwire

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
0 Likes Likes

PerryK
L2 Linker
In response to reaper

‎05-15-2018 05:44 AM

OK, since the packet is processed by the active peer, where should the packet be seen in the traffic log. On the active one or the tentative one? 

0 Likes Likes

reaper
Cyber Elite
Cyber Elite
In response to PerryK

‎05-15-2018 05:53 AM

probably both 🙂

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
0 Likes Likes
  • 3628 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks