Do Management Port, Console Port use MP?

Reply
Highlighted
L3 Networker

Do Management Port, Console Port use MP?

Hello~

PA Devices'plane divide MP, DP

MGT, Console Port, Dedicate HA1, and usb port connect to MP

and than the others port connect to DP

If RJ45 or SFP can be given mgt function or HA1 backup port

Doesn't that use dp resource?

If MP is worried Can HA1 Port keep communication between each device?

Highlighted
L4 Transporter

You can assign management profiles to ports on the data plane side, but I assure you, the management plane is separate. Your data plane could be completely at 100% CPU and your management plan at 0% for example

What do you mean by "if MP is worried"?

Highlighted
L4 Transporter

"If RJ45 or SFP can be given mgt function or HA1 backup port

Doesn't that use dp resource?"

The HA1 is used to sync the configuration the primary HA1 could be a dedicated port on platform 3000 and above

the dedicated port HA1 is link to the control plane (management plane)

you could use a backup HA1 that coulb be the management port link to the control plane too.

HA1 could be use with dataplane port for the PA 200, 500, 2000 plateform

Highlighted
L3 Networker

HA1 backup Port connect to data plane regardelss mgt port

Which mean is control plane restart

Highlighted
L3 Networker

Thanks for your response;

I confirmed that HA1 Backup Port connect to Dataplane

As you know HA1 Link is communicate each other same devices by ping protocol

200, 500, 2000 and above Devices's HA1 backup port

suddenly If MP is restarted about what problem

Doesn't keep ping communication normally?

anyway, even though MP has problem, regardless mgt port, HA1 Backup Port will probably operate normally on behalf of HA1 Port

because, HA1 backup port associate Data Plane, Is it right? I feel suspicious

I guess, It's likely to occur problem, If HA backup port relate MP porcess

I don't know about that why I feel curious

Highlighted
L4 Transporter

HA1 backup port associate Data Plane, Is it right? false wihile you you have a dedicated interface HA1 and as a best practice you have to use the management port as backup

https://live.paloaltonetworks.com/docs/DOC-5086

Page 13

High Availability Link Failure

Palo Alto Networks firewalls use HA Links to synchronize information and to send session and session state information between HA pair members. Depending on the firewall model, dedicated HA interfaces may or may not be available. If

dedicated HA interfaces are available, best practice is to use these ports for the primary HA links and to configure HA Backup links to help prevent configuration mismatches, synchronization loss, and split brain conditions.

HA1 Link Failure

If the HA1 Link fails and there is no HA1 Backup configured, configuration synchronization will fail and a split brain condition will be created. Split brain conditions occur when HA members can no longer communicate with each other to exchange HA monitoring information. Each HA member will assume the other member is in a non-functional state and take over as the Active (A/P) or Active-Primary (A/A). Split brain conditions can be prevented by configuring an HA1 Backup link and/or enabling Heartbeat Backup.

Two types of messages are sent between peers when HA is enabled.  The Control Link (HA1) communicates over a TCP connection.  The first is the 'Hello' message.  The second is the 'Heartbeat' message.

more information about  Heart beat here

https://live.paloaltonetworks.com/docs/DOC-2195

Hello Message

The 'Hello' message is sent from each peer to the other once every configured 'Hello Interval'.  It determines if the HA Agent is running.  No response is sent by the recipient.  This message is also sent if there is a HA state change or other informational changes are needed.  This message communicates:

  • HA state of the device
  • Device Priority
  • HA2 (Data Link) cookie
  • If the 'ha_lib' connection is seen locally ('sysd' peer connection)

It will also send this information when it has changed:

  • If 'Config Sync' is enabled
  • Config MD5SUM (to know if we are in config sync)
  • When a commit fail has occurred
  • Time sync if you push the time from the local to the peer

Hearbeat Message

The 'Heartbeat' message is an ICMP Ping that is sent to its peer every configured 'Heartbeat Interval'.  It verifies network connectivity with the HA peer.

And for the last  question if the management plane (control plane) failed or restart, normaly in A/P the apliance which failed couldn't be elected active for me. that ovoid the split brain.

I hope that help you !

Highlighted
L4 Transporter

If the on 1 appliance you stop the management plane the other appliance don't see the stoped appliance and stay actif or migrate to the activ state 

Highlighted
L4 Transporter

I believe there's a dead timer timeout for HA, where if one of the peers isn't seen for a period of time the inactive peer will take over. Also if you were going to restart the management plane or something drastic like that, you should deliberately suspend the active peer and make sure the secondary takes over, then do whatever maintenance is needed on the suspended firewall, then un-suspend it.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!