08-02-2017 10:46 PM
We have Active/Active PA-5050s in production with HA3 running on a single Ethernet interface (1GB).
I need to know if there will be any packet loss (HA packet forwarding) if I change this interface from HA type to AE type/AE group (e.g. ae8), considering that this aggregate group (ae8) has already been created and has another Ethernet interface (1GB) as a member, up and running.
I have lab tested this, making these changes on active-primary:
Changing the active/active config from ethernet interface to the new ae8
And also changing the old single HA3 ethernet interface to be the second member of this new ae8
Then commit on active-primary.
Config synced to the peer, with no obvious evidence of interfaces going down or any change in firewall states. Also, I had to change the active/active config from the ethernet interface to the new ae8 on active-secondary and commit after the above was done.
Each of these two Ethernet interfaces is directly connected to its peer on the other firewall.
Does it make sense to assume there will be no packet loss on the HA3 link or outage for the customer during this process?
08-03-2017 02:36 AM
I would not recommend doing this on a live environment outside a maintenance window.
Since the HA cluster is Active/Active I assume you have plenty of asymmetrical sessions?
If you change the HA3 interface, this should not impact the firewall's ports or local processing, but this will temporarily interrupt the forwarding of packets over HA3 for remote processing.
In case of asymmetric routing, a lot of packet forwarding could be happening over the HA3 links, which will negatively impact your active sessions.
08-03-2017 01:46 AM
I would suspect that there may be some traffic issues, possibly for those sessions which are already established. I would suggest giving it a try with some live traffic.
The firewall has to internally create a map of ports and IDs to forward the traffic.
Also, the MAC address linked to the HA3 ports will change.
It is possible that the existing packets or sessions might see some issue during the change.
You can assume this to be the same as if you change a network port from a standalone to an HA or AGG port.
If you run into issues with live traffic in your lab, I would suggest opening a TAC case to investigate.
08-03-2017 05:25 PM
Indeed, this will be done during an agreed change window with the customer. I am planning to lay out the steps in a way to minimize the outage or, if possible, eliminate it altogether.