- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
10-23-2018 04:56 AM - edited 10-23-2018 04:57 AM
Folks,
Our Active-Passive pair takes too long to show the status(i.e. active or passive) when one of the firewall is rebooted.
i.e. as of now things are running fine, but if I reboot the passive firewall it will take a very long time to once again come up as passive. It goes through the "not ready" and "initial" stages before getting in the "passive" stage.
These are PA-3260 boxes and I have used the ha1-a as the control link and the ha1-b port as the backup for control link. Only the control link has been used for this HA configuration.
Please let me know if there are any suggestions on this and how could I work on overcoming the long time duration?
Thanks!!!
10-25-2018 07:46 AM - edited 10-25-2018 07:49 AM
Did you disable the checkbox for session synchronization? Maybe worth a try...
10-24-2018 05:49 AM
Hi
I would try using management as backup for HA1 instead of ha1-b. I know there is an issue with HA1-backup port that in my case shows as down when using ha1-b and up when using management. Maybe the issue is deeper and affects other HA-processes.
Also I would check the Management-Plane logs (ssh into the machine and use: 'less mp-log [tab-key]') for the time after the restart (ha-agent.log as a start).
Hope this helps.
10-24-2018 10:00 AM
@nson2139 wrote:It goes through the "not ready" and "initial" stages before getting in the "passive" stage.
This is normal after reboot of a device in HA-configuration.
@nson2139 wrote:but if I reboot the passive firewall it will take a very long time to once again come up as passive.
What do you mean with very long exactly?
@nson2139 wrote:Only the control link has been used for this HA configuration.
Why don't you use the data link also? I think by default the firewall tries to sync the session table over HA2 link, but as ther is none of them in your configuration this could be a reason why it could take (a little) longer than normal. Do you have disabled session sync (even if I don't know the exact behaviour of this option without a HA2 link)
 
10-25-2018 01:46 AM
by very long I mean more than 4 hours.... I am not sure if that is normal.
to configure the data link I do not have the hardware and this is not a requirement at this moment.
10-25-2018 02:29 AM
4 hours is way to long. Does this only happen on 1 of the FW nodes or if you switch the active FW will the other node also take 4 hours?
10-25-2018 06:48 AM
upgrading to 8.1.4 reduced the state changing time but it still takes around 1 hr.
10-25-2018 06:48 AM
upgrading to 8.1.4 reduced the state changing time but it still takes around 1 hr.
10-25-2018 07:46 AM - edited 10-25-2018 07:49 AM
Did you disable the checkbox for session synchronization? Maybe worth a try...
10-25-2018 08:32 AM
It gave me a warning saying "High-availability with ha2 configured should also be configured with state synchronization enabled(Module: ha_agent)" but immediately came up in the passive state." 🙂
This looks good, should the warning cause any challenges?
10-25-2018 10:59 AM
I would say it isn't recommended to have a HA setup without HA2 link. But because you don't want to have an HA2 link anyway (and you never had) this warning does not matter. (Without HA2 link the firewall isn't able to sync sessions anyway)
05-12-2025 12:20 AM
Thank you, My Problem solved
 
					
				
				
			
		
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!

