09-30-2019 06:08 AM
Hello,
So this is a document: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClhJCAS
Which states:
Ignore Link monitoring since it is not relevant for VM series.
Question: how does "monitoring state get restored" when the non-functional node cannot send ICMP, sourced from inactive interface for Path Monitoring? What am I missing? How can it ever detect that path is restored and switch from non-functional to Passive?
We have a preemptive loop happening. Path monitoring fails for the Active device, which becomes non-functional, then after 1 minute goes to Passive and becomes active again (because of preemption). But the path is dead, so it loops again.
Thanks.
09-30-2019 02:43 PM
That's expected behavior when you aren't utilizing Link Monitoring (I'm assuming you aren't due to using ESXi). You are correct in your assumption that without the firewall being Active it can't actually verify the path is reachable in an Active/Passive setup. Once the firewall fails due to a Path Monitoring failure it will wait for the error to clear and become passive. It's clearing because it's unable to verify the Path status. Since you have preemption enabled you'll run into the preemption loop detection because it's intended to trigger in exactly this scenario.
If you are running the VM-Series on ESXi I would really recommend looking into Active/Active with floating IPs instead of an Active/Passive setup explicitly for this reason. If you want to keep Active/Passive then I'd personally advise that you disable preemption completely.
09-30-2019 09:47 PM
Hello,
Thank you.
I believe Link Monitoring is not supported for ESXi only (which we are using) and not VM Series generally. So in this particular case we are going to disable Preemption.
01-15-2024 02:48 AM
Hi,
I understand this is an old thread, but I'm encountering a similar scenario with a PA-3000 series firewall where the passive link state is configured as "Auto."
In my situation, I would like to confirm whether, even with "Auto" configured, the Path Monitoring failure condition gets cleared when a failover occurs.
Additionally, I'm confused about preemption. If preemption is enabled, does the device with a higher priority always become active, irrespective of the link/path monitoring status?
Any insights into this would be greatly appreciated.
01-15-2024 05:17 AM
If preemption is enabled on both firewalls, then the firewall with the lower priority will become active.
01-15-2024 06:38 AM
Even when the Path Monitoring target of the lower priority device is down?
This is what I've observed, but I haven't found any documentation clarifying this point.
Any insights or suggestions are appreciated. Thanks!
01-15-2024 06:48 AM
If path monitoring fails on the active firewall, then the secondary firewall will take over the active role and keep it until path monitoring recovers on the primary firewall.