09-10-2024 07:21 AM
Hello to all
I have a pair of FW PA-460 in active-passive. When we perform a failover, I lose the network to the internet for 40 seconds. I have only HA1 connected on a pair of Aruba switches. I suspect it may be an Aruba or Palo Alto configuration issue. Any idea?
Best regards.
09-10-2024 11:24 AM
Hello,
I think these articles may be useful.
Layer 3 High Availability with Optimal Failover Times Best Practices
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClHnCAK
Resource List: High Availability Configuring and Troubleshooting
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClIbCAK
Regards,
09-10-2024 08:36 PM
Hello @Alpalo
Have you enabled Passive Link State to Auto?
Here are references:
What is the corresponding link state when the passive link state is set to auto?
Setting the link state to Auto allows for reducing the amount of time it takes for the passive firewall to take over when a failover occurs.
Kind Regards
Pavel
09-11-2024 01:42 AM
Hi @PavelK
Yes, I have enabled auto mode, but the problem persists. We only have HA1 enabled; I don't know if the problem is related to it.
HA1 is connected to the Aruba switch pair with LACP. Any other idea?
Thank you very much
09-19-2024 08:01 AM
Any idea?
Thanks so much
09-19-2024 08:27 AM
Hello,
You have your HA connections between the two Palo Altos via a switch?
Regards,
09-19-2024 11:56 AM
@Alpalo wrote:
Hi @PavelK
Yes, I have enabled auto mode, but the problem persists. We only have HA1 enabled; I don't know if the problem is related to it.
HA1 is connected to the Aruba switch pair with LACP. Any other idea?
Thank you very much
Twice now I have only seen mention of HA1 being used/turned on. Do you not have a config for HA2? Is there no HA2 connectivity (of some sort) between FW1/2?
HA1 links carry management sync/config sync. HA2 links carry TCP session sync. If you do not have HA2 connections between your active/passive firewalls, the TCP state of existing sessions will NOT be known to your passive firewall, and when a failover occurs all that session data will be lost and will need to be restarted for ALL traffic. If this is how things are, then I could potentially see a 40 second delay in your HA failovers.
I'm not sure what your routing situation is, but relevant IP/routing information/state wouldn't be known to your passive firewall and would have to be learned. Then, once the network state is known to the firewall, all client TCP sessions could get re-established.
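A quick way to audit the three settings raised in this thread (HA2 link, session state sync, passive link state) against an exported HA config fragment, as an added example that is not part of the thread or of Palo Alto Networks' tooling. The XML element paths used here are an assumption modelled on the PAN-OS running-config layout under deviceconfig/high-availability; verify them against your PAN-OS version, and both config samples are constructed.

```python
# Added example: audit a PAN-OS HA config fragment for settings that explain a
# slow or lossy failover. Element paths are an ASSUMPTION modelled on the
# deviceconfig/high-availability layout; check them against your PAN-OS version.
import xml.etree.ElementTree as ET

# Constructed sample: HA enabled, but only HA1 wired and passive link state at "shutdown".
WEAK_CONFIG = """<deviceconfig><high-availability>
  <enabled>yes</enabled>
  <interface><ha1><port>ethernet1/4</port></ha1></interface>
  <group>
    <mode><active-passive><passive-link-state>shutdown</passive-link-state></active-passive></mode>
    <state-synchronization><enabled>no</enabled></state-synchronization>
  </group>
</high-availability></deviceconfig>"""

# Constructed sample: the same pair with HA2, session sync and auto link state.
GOOD_CONFIG = """<deviceconfig><high-availability>
  <enabled>yes</enabled>
  <interface><ha1><port>ethernet1/4</port></ha1><ha2><port>ethernet1/5</port></ha2></interface>
  <group>
    <mode><active-passive><passive-link-state>auto</passive-link-state></active-passive></mode>
    <state-synchronization><enabled>yes</enabled></state-synchronization>
  </group>
</high-availability></deviceconfig>"""


def audit_ha(config_xml: str) -> list[str]:
    """Return findings that would lengthen failover or drop sessions; [] if clean."""
    root = ET.fromstring(config_xml)
    ha = root.find("high-availability")
    if ha is None or (ha.findtext("enabled") or "no") != "yes":
        return ["HA not enabled"]
    findings = []
    # HA2 carries session (state) sync; without it every session restarts on failover.
    if ha.find("interface/ha2/port") is None:
        findings.append("no HA2 link configured: session table is not synced")
    if (ha.findtext("group/state-synchronization/enabled") or "no") != "yes":
        findings.append("state synchronization disabled")
    # With passive link state "shutdown" the passive unit's ports are down, so they
    # must come up and neighbours must re-learn MAC/ARP/LACP before it can forward.
    if ha.findtext("group/mode/active-passive/passive-link-state") != "auto":
        findings.append("passive link state is not auto")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("good", GOOD_CONFIG)):
        print(name, audit_ha(cfg) or ["ok"])
```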