Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

Active-Passive pair takes long to show the status when one is rebooted.

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Palo Alto Networks Approved
Palo Alto Networks Approved
Community Expert Verified
Community Expert Verified

Active-Passive pair takes long to show the status when one is rebooted.

L3 Networker

Folks,

Our Active-Passive pair takes too long to show the status(i.e. active or passive) when one of the firewall is rebooted.

 

i.e. as of now things are running fine, but if I reboot the passive firewall it will take a very long time to once again come up as passive. It goes through the "not ready" and "initial" stages before getting in the "passive" stage.

 

These are PA-3260 boxes and I have used the ha1-a as the control link and the ha1-b port as the backup for control link. Only the control link has been used for this HA configuration.

 

Please let me know if there are any suggestions on this and how could I work on overcoming the long time duration?

 

 Thanks!!!

1 accepted solution

Accepted Solutions

Did you disable the checkbox for session synchronization? Maybe worth a try...

View solution in original post

9 REPLIES 9

L4 Transporter

Hi

 

I would try using management as backup for HA1 instead of ha1-b. I know there is an issue with HA1-backup port that in my case shows as down when using ha1-b and up when using management. Maybe the issue is deeper and affects other HA-processes.

 

Also I would check the Management-Plane logs (ssh into the machine and use: 'less mp-log [tab-key]') for the time after the restart (ha-agent.log as a start).

 

Hope this helps.

L7 Applicator

@nson2139 wrote:

It goes through the "not ready" and "initial" stages before getting in the "passive" stage.


This is normal after reboot of a device in HA-configuration.

 


@nson2139 wrote:

but if I reboot the passive firewall it will take a very long time to once again come up as passive.


What do you mean with very long exactly?

 


@nson2139 wrote:

Only the control link has been used for this HA configuration.


Why don't you use the data link also? I think by default the firewall tries to sync the session table over HA2 link, but as ther is none of them in your configuration this could be a reason why it could take (a little) longer than normal. Do you have disabled session sync (even if I don't know the exact behaviour of this option without a HA2 link)



 

by very long I mean more than 4 hours.... I am not sure if that is normal.

 

to configure the data link I do not have the hardware and this is not a requirement at this moment.

4 hours is way to long. Does this only happen on 1 of the FW nodes or if you switch the active FW will the other node also take 4 hours?

upgrading to 8.1.4 reduced the state changing time but it still takes around 1 hr.

upgrading to 8.1.4 reduced the state changing time but it still takes around 1 hr.

Did you disable the checkbox for session synchronization? Maybe worth a try...

It gave me a warning saying "High-availability with ha2 configured should also be configured with state synchronization enabled(Module: ha_agent)" but immediately came up in the passive state." 🙂

 

This looks good, should the warning cause any challenges? 

I would say it isn't recommended to have a HA setup without HA2 link. But because you don't want to have an HA2 link anyway (and you never had) this warning does not matter. (Without HA2 link the firewall isn't able to sync sessions anyway)

  • 1 accepted solution
  • 10006 Views
  • 9 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!