Confused about HA Path Monitoring recovery (Preemptive loop)

L1 Bithead

Hello,

So this is a document: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClhJCAS

Which states:

  • When a link or path monitoring (or both) failure condition is detected by the HA daemon on the Active device, it moves in non-functional state.
  • When the monitoring state is restored, the non-functional nodes moves into passive state.

Ignore Link monitoring since it is not relevant for VM series.

Question: how does "monitoring state get restored" when the non-functional node cannot send ICMP, sourced from inactive interface for Path Monitoring? What am I missing? How can it ever detect that path is restored and switch from non-functional to Passive?

 

We have a preemptive loop happening. Path monitoring fails for Active device, which becomes non-functional, then after 1 minute goes to Passive and becomes active again (cause Preemptive). But the Path is dead, so it loops again.

 

Thanks.


Accepted Solutions
Cyber Elite

Re: Confused about HA Path Monitoring recovery (Preemptive loop)

@rmikalauskas,

That's expected behavior when you aren't utilizing Link Monitoring (I'm assuming you aren't due to using ESXi). You are correct in your assumption that without the firewall being Active it can't actually verify the path is reachable in an Active/Passive setup. Once the firewall fails due to a Path Monitoring failure it will wait for the error to clear and become passive. It's clearing because it's unable to verify the Path status. Since you have preemption enabled you'll run into the preemption loop detection because it's intended to trigger in exactly this scenario.

If you are running the VM-Series on ESXi I would really recommend looking into Active/Active with floating IPs instead of an Active/Passive setup explicitly for this reason. If you want to keep Active/Passive then I'd personally advise that you disable preemption completely.



All Replies
L1 Bithead

Re: Confused about HA Path Monitoring recovery (Preemptive loop)

Hello,

Thank you.

I believe Link Monitoring is not supported for ESXi only (which we are using) and not VM Series generally. So in this particular case we are going to disable Preemption.
