Our Active-Passive pair takes too long to show the status (i.e. active or passive) when one of the firewalls is rebooted.
i.e. as of now things are running fine, but if I reboot the passive firewall it will take a very long time to once again come up as passive. It goes through the "not ready" and "initial" stages before getting in the "passive" stage.
These are PA-3260 boxes and I have used the ha1-a as the control link and the ha1-b port as the backup for the control link. Only the control link has been used for this HA configuration.
Please let me know if there are any suggestions on this and how I could work on overcoming the long time duration.
I would try using management as backup for HA1 instead of ha1-b. I know there is an issue with HA1-backup port that in my case shows as down when using ha1-b and up when using management. Maybe the issue is deeper and affects other HA-processes.
Also I would check the Management-Plane logs (ssh into the machine and use: 'less mp-log [tab-key]') for the time after the restart (ha-agent.log as a start).
Hope this helps.
It goes through the "not ready" and "initial" stages before getting in the "passive" stage.
This is normal after reboot of a device in HA-configuration.
but if I reboot the passive firewall it will take a very long time to once again come up as passive.
What do you mean by very long exactly?
Only the control link has been used for this HA configuration.
Why don't you use the data link also? I think by default the firewall tries to sync the session table over the HA2 link, but as there is none in your configuration this could be a reason why it could take (a little) longer than normal. Have you disabled session sync (even if I don't know the exact behaviour of this option without an HA2 link)?
It gave me a warning saying "High-availability with ha2 configured should also be configured with state synchronization enabled(Module: ha_agent)" but immediately came up in the passive state. :-)
This looks good, should the warning cause any challenges?
I would say it isn't recommended to have an HA setup without an HA2 link. But because you don't want to have an HA2 link anyway (and you never had one) this warning does not matter. (Without an HA2 link the firewall isn't able to sync sessions anyway.)