Change HA pair from Active/passive to Active Active


L3 Networker

Hi All,

 

I will be changing one pair of our firewalls from an active/passive pair to an active/active pair. Whilst confident of what is needed and the process I need to take, has anyone ever gone through this process? Was it problematic, time-consuming, any gotchas I should know about?

 

Regards

 

Adrian

3 REPLIES

Cyber Elite

@a.jones,

The few times I've needed to do something like this it was highly controlled to avoid any split-brain situations, as you'll need to temporarily break HA as you switch everything over. The best advice I could give you would be to configure everything on one of the devices while it's essentially fully disconnected from your network. You can leave the management interface and the HA interfaces plugged in so the pairs can still communicate, but unplug or shut down every other connection to avoid any routing issues.

 

L1 Bithead

We are potentially looking at having to do this as well. Our current PANs are in active/passive. But due to some latency issues with a switch, we are considering trying active/active...

Do we have to disconnect and reconfigure the primary, or can we just reconfigure the secondary?

I will open a PAN support case to verify against our setup.

CISSP, CCSP, CISA, CISM

Cyber Elite

@LeeSeeman,

In an Active/Passive setup, whichever unit you offline in this process doesn't matter. It could be the primary or secondary unit; outside of device priority and having preempt enabled, Active/Passive primary/secondary doesn't really matter. When you're actually making the configuration changes you need to make in an active/active situation, that's when primary/secondary becomes drastically more important as you set up device-binding. If you're just introducing active/active, you would likely want to make the "active" firewall you leave up the primary so that all of the active-active-device-binding conversions to primary are active on the firewall that you're leaving online.

I'm kind of curious why you think active/active is going to help you with a latency issue though; seems like you may be going down the wrong path there.
