Failover Link Monitoring too long


L1 Bithead

Hello guys,

I have 2 Palo Alto configured with HA Active/passive mode.

On both firewalls, I configured link monitoring on a link group with ethernet1/11 and ethernet1/13 that are aggregated on Ae1 with condition "ALL". Those interfaces are plugged into a switch with LACP configuration and this switch is plugged into the Internet router. The objective is to monitor my Internet access and trigger a failover (make my second (passive) firewall active).

When I reboot the switch that my Palo Alto is plugged into to test the failover, I lose around 30 pings.

Moreover, in system logs, I see "HA Group 1: Moved from state Passive to state Non-Functional". What does that mean? There is no failover process? Active to passive and passive to active

Maybe I don't understand very well how it works, but I would like my failover to be quicker.

Is that possible?

Regards,

3 REPLIES

Cyber Elite

Hello,

On your PAN, did both the interfaces you have on the ae go down when the switch rebooted? Your condition is set to ALL, so both would need to go down in order for the failover to occur.

Please advise,

Cyber Elite

@David7660,

So the AE still needs to form on the passive device to get things functional again. Depending on your platform, you can actually set up pre-negotiation on the LACP links to make things a bit faster.

On the AE interface, select the LACP tab and select 'Enable in HA Passive State', then commit the configuration. This will allow LACP communication on the passive device so failover is drastically faster. Just make sure that you don't also have the 'Same System MAC Address for Active-Passive HA' option enabled, as this wouldn't work with pre-negotiation.

L1 Bithead

Thanks to you, every option you mentioned is correctly defined on my Palo Alto.

Finally, we think that's a routing problem with our ISP.

To be confirmed with him.

 

Thanks 🙂
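
To see how long a firewall actually stayed in the Non-Functional state quoted in the question, the HA state-change messages can be pulled out of an exported system log and timed. This is an added example, not part of any post in this thread; only the "HA Group 1: Moved from state ..." message text comes from the question, while the timestamp prefix, the sample lines and the function names are assumptions made for illustration.

```python
import re
from datetime import datetime

# Message text as quoted in the question; the leading timestamp is an assumed
# layout for an exported system log, not something shown in the thread.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\s+"
    r"HA Group (?P<group>\d+): Moved from state (?P<old>[\w-]+) "
    r"to state (?P<new>[\w-]+)\s*$"
)

# Constructed sample input for one firewall (values are illustrative only).
SAMPLE_LOG = """\
2024/01/10 10:00:02 HA Group 1: Moved from state Passive to state Non-Functional
2024/01/10 10:00:05 some other system log message that is not an HA transition
2024/01/10 10:00:33 HA Group 1: Moved from state Non-Functional to state Passive
"""

def parse_transitions(text):
    """Return sorted [(timestamp, group, old_state, new_state)] for HA state changes."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # lines that are not HA state changes are ignored
            ts = datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S")
            out.append((ts, int(m["group"]), m["old"], m["new"]))
    return sorted(out)

def state_durations(text, group=1):
    """Return [(state, seconds)] for each state the HA group entered.

    seconds is None when the stay cannot be measured: either it is the last
    entry (still in that state) or the log has a gap and the next entry
    leaves a different state.
    """
    rows = [t for t in parse_transitions(text) if t[1] == group]
    result = []
    for cur, nxt in zip(rows, rows[1:] + [None]):
        # A stay is measurable only if the next entry leaves this same state.
        closed = nxt is not None and nxt[2] == cur[3]
        result.append((cur[3], (nxt[0] - cur[0]).total_seconds() if closed else None))
    return result

def seconds_in(text, state, group=1):
    """Total measured seconds the HA group spent in the given state."""
    return sum(s for st, s in state_durations(text, group) if st == state and s is not None)
```

Running the same functions over the logs of both peers and comparing the Non-Functional intervals shows whether either device was able to hold the active role while the switch was down.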
