Change HA from A/A to A/P - techniques and known issues?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

Change HA from A/A to A/P - techniques and known issues?

L1 Bithead

I have two PA-500's in Active/Active.

We do not need to have them in A/A (in hindsight, it was a mistake) because we do not use asynchronous routing or meet the other typical A/A criteria. I think we are paying for that mistake, as you'll read below.

When running software 6.0.5 I implemented a site-to-site VPN through which I ran a client-server application over a specific port. After 10-30 minutes the port would close, cutting off the application link. I opened a case with PA, got logs from the firewalls and wireshark captures from the client. While PA was researching the issue, I asked PA if perhaps upgrading to 6.1.2 would fix the problem. They agreed we could try (no guarantees, of course).

We upgraded, and found that when running 6.1.2 in Active/Active, the Active-Secondary could not refresh ARP. The secondary would hold it's ARP table for the timeout period (1800 seconds - 30 minutes), then fail - which caused our Internet connection to be unstable (pinging a device on the Internet would result in 8 packets successful, then 8 dropped, then 12 successful, then 12 dropped, and so on). We now have a separate ticket with PA on this issue.

As an experimental effort to solve the ARP problem, we suspended the Active-Secondary device, and since then - running only 1 firewall - our Internet connection is perfectly stable AND the VPN functions flawlessly. The application runs over the VPN without any drops/disconnections. I did share this discovery with PA.

So...I'm now wondering if simply changing from Active-Active to Active-Passive (staying with 6.1.2) might solve both the VPN and ARP issue. I recall reading about an ARP issue with an earlier 6.x version of software, but I think that got fixed.

What do you think about us switching from A/A to A/P? Any problems with changing from A/A to A/P?

If we switch, is it a matter of changing the setup from active-active mode active-passive by changing the Active-Primary to Active-Passive (device ID 0) and the Active-Secondary to Active Passive (device ID 1)? We already have control links and election settings established, and I'm wondering if those will stay the same - or if I have to reconfigure everything as though I were adding a new firewall.

Thanks in advance!

5 REPLIES 5

L4 Transporter

Mikebowler,

This will not directly answer your question, but will provide some details on active/active vs. active/passive.

HA Active Active vs Active Passive.pptx

Thanks!

Please do not forget to mark and 'Helpful' or 'Correct' replies.

L7 Applicator

I would always go with Active/Passive unless you have one of the specific use cases for Active/Active.

the main configuration change will be the removal of HA3 as a link.

Since you are already running single device the cut should be relatively painless.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

L1 Bithead

Thank you both!

L1 Bithead

Update:

We did the upgrade - from A/A to A/P - a few weeks back and all is well.

Both the VPN and ARP issues have disappeared, and the connection world is at peace (well, it is here anyway...).

I suspect A/A brings some complications to the table that PA is not completely able to manage, but our A/P configuration is solid and we are, once again, happy campers.

Glad things went well for you.

Yes, Active/Active does bring complications and design considerations.  I manage four A/A clusters in the data center.  But there are situations where it is required.  The trick is not to over complicate the situation unnecessarily.

Just to close the loop here is the Active/Active technote reviewing the issues to watch in the A/A deploy.

Configuring Active/Active HA PAN-OS 4.0

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center
  • 3809 Views
  • 5 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!