Confused about HA Path Monitoring recovery (Preemptive loop)


L2 Linker

Hello,

So this is a document: https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClhJCAS

Which states:

  • When a link or path monitoring (or both) failure condition is detected by the HA daemon on the Active device, it moves into the non-functional state.
  • When the monitoring state is restored, the non-functional node moves into the passive state.

Ignore Link monitoring since it is not relevant for VM series.

Question: how does the "monitoring state get restored" when the non-functional node cannot send ICMP, sourced from an inactive interface, for Path Monitoring? What am I missing? How can it ever detect that the path is restored and switch from non-functional to Passive?

 

We have a preemptive loop happening. Path monitoring fails for the Active device, which becomes non-functional, then after 1 minute goes to Passive and becomes Active again (because of Preemptive). But the path is dead, so it loops again.

 

Thanks.

Accepted Solution

Cyber Elite

@RMikalauskas,

That's expected behavior when you aren't utilizing Link Monitoring (I'm assuming you aren't due to using ESXi). You are correct in your assumption that without the firewall being Active it can't actually verify the path is reachable in an Active/Passive setup. Once the firewall fails due to a Path Monitoring failure it will wait for the error to clear and become passive. It's clearing because it's unable to verify the Path status. Since you have preemption enabled you'll run into the preemption loop detection because it's intended to trigger in exactly this scenario.

 

If you are running the VM-Series on ESXi I would really recommend looking into Active/Active with floating IPs instead of an Active/Passive setup explicitly for this reason. If you want to keep Active/Passive then I'd personally advise that you disable preemption completely.   

6 REPLIES


Hello,

Thank you.

I believe Link Monitoring is not supported for ESXi only (which we are using) and not VM Series generally. So in this particular case we are going to disable Preemption.

L1 Bithead

Hi,

I understand this is an old thread, but I'm encountering a similar scenario with a PA-3000 series firewall where the passive link state is configured as "Auto."

In my situation, I would like to confirm whether, even with "Auto" configured, the Path Monitoring failure condition gets cleared when a failover occurs.

Additionally, I'm confused about preemption. If preemption is enabled, does the device with a higher priority always become active, irrespective of the link/path monitoring status?

Any insights into this would be greatly appreciated.

Cyber Elite

If preemption is enabled on both firewalls then the firewall with lower priority will become active.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

Even when the Path Monitoring target of the lower priority device is down?
This is what I've observed, but I haven't found any documentation clarifying this point.
Any insights or suggestions are appreciated. Thanks!

Cyber Elite

If path monitoring fails on the active firewall then the secondary firewall will take over the active role and keep it until path monitoring recovers on the primary firewall.

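The behaviour the accepted answer and the last reply describe, as an added example (this is not PAN-OS code and not code from any poster): a simplified Python model of an Active/Passive pair in which only the active node can send path-monitor probes, a non-functional node has no up interface from which to re-check the path and so drops to passive once a hold timer expires, and a passive node with the preferred priority preempts when preemption is on. Time in ticks, the 6-tick hold-up, the priority values 50/100 and the lower-value-wins rule are assumptions of the model, not PAN-OS defaults.

```python
"""Simplified model of an Active/Passive HA pair under path monitoring.

Added example for this thread; not PAN-OS code and not a poster's code.
Model assumptions (not PAN-OS defaults): time advances in ticks, a
non-functional node drops to passive after FAIL_HOLDUP ticks because it has
no up interface from which to re-probe the path, and the node with the lower
priority value wins preemption.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List, Tuple

# Ticks a node stays non-functional before the unverifiable failure "clears" (assumed).
FAIL_HOLDUP = 6


class State(Enum):
    ACTIVE = "active"
    PASSIVE = "passive"
    NON_FUNCTIONAL = "non-functional"


@dataclass
class Node:
    name: str
    priority: int                    # lower value = preferred node (model assumption)
    path_up: Callable[[int], bool]   # tick -> can the monitored path be pinged from this node
    state: State
    timer: int = 0


Transition = Tuple[int, str, str, str]  # (tick, node, from_state, to_state)


def simulate(primary_path_up: Callable[[int], bool],
             secondary_path_up: Callable[[int], bool],
             preemptive: bool,
             ticks: int = 30) -> Tuple[List[Transition], Dict[str, State]]:
    """Run the pair for `ticks` ticks; return the transition log and final states."""
    primary = Node("primary", 50, primary_path_up, State.ACTIVE)
    secondary = Node("secondary", 100, secondary_path_up, State.PASSIVE)
    log: List[Transition] = []

    def move(t: int, node: Node, new: State) -> None:
        log.append((t, node.name, node.state.value, new.value))
        node.state = new

    for t in range(ticks):
        for node, peer in ((primary, secondary), (secondary, primary)):
            if node.state is State.ACTIVE:
                # Only the active node owns up interfaces, so only it can probe.
                if not node.path_up(t):
                    move(t, node, State.NON_FUNCTIONAL)
                    node.timer = FAIL_HOLDUP
                    if peer.state is State.PASSIVE:
                        move(t, peer, State.ACTIVE)
            elif node.state is State.NON_FUNCTIONAL:
                node.timer -= 1
                if node.timer <= 0:
                    # Nothing can re-confirm the failure from a down interface,
                    # so the condition is treated as cleared: back to passive.
                    move(t, node, State.PASSIVE)
            elif node.state is State.PASSIVE:
                if (preemptive and peer.state is State.ACTIVE
                        and node.priority < peer.priority):
                    move(t, peer, State.PASSIVE)
                    move(t, node, State.ACTIVE)

    return log, {primary.name: primary.state, secondary.name: secondary.state}


def count_activations(log: List[Transition], name: str) -> int:
    """How many times `name` entered the active state during the run."""
    return sum(1 for _, n, _, to in log if n == name and to == State.ACTIVE.value)


if __name__ == "__main__":
    dead_path = lambda t: False     # constructed: primary's monitored path never answers
    good_path = lambda t: True      # constructed: secondary's path is fine
    for preemptive in (True, False):
        log, final = simulate(dead_path, good_path, preemptive)
        print(f"preemptive={preemptive}: primary went active "
              f"{count_activations(log, 'primary')} times, final={final}")
```

With the primary's path dead and preemption on, the model flaps indefinitely (primary re-enters active every FAIL_HOLDUP + 2 ticks) because the failure is never re-observed, only timed out; with preemption off, the secondary simply stays active. If the path comes back (for example `lambda t: t >= 20`), the flapping stops the first time the primary probes successfully while active, which is the "until path monitoring recovers" condition from the last reply.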
  • 1 accepted solution
  • 5054 Views
  • 6 replies
  • 0 Likes