This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Failover Link Monitoring too long

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Failover Link Monitoring too long

David7660
L1 Bithead

‎11-14-2018 07:20 AM - edited ‎11-14-2018 08:33 AM

Hello guys,

 

I have 2 plao alto configured with HA Active/passive mode.

 

On both firewall, I configured link monitoring on link group with ethernet 1/11 and ethernet1/13 that are aggregated on Ae1 with condition "ALL". Those interfaces are plugged to a switch with LACP configuration and this switch is plugged to the Intrernet Router. The objective is to monitor my internet access and trigger a failover (Make my seond (PAssive) firewall in active mode.

 

When I reboot the switch on which my palo alto is plugged to test the failover, I lost around 30pings.

 

Moreover, in system logs, I see HA Group 1: Moved from state Passive to state Non-Functional. What does that mean ? There is no failover process ? Active to passive and passive to active

 

Maybe I don't understand very well how it works but I would like that my failover be quicker.

 

Is that possible ?

 

Regards,

 

 

0 Likes Likes
3 REPLIES 3

OtakarKlier
Cyber Elite
Cyber Elite

‎11-15-2018 09:35 AM

Hello,

On you PAN did both the interfaces you have on the ae go down when the switch rebooted? You condition is set to ALL to both would need to go down in order for the failover to occur.

 

Please advise,

0 Likes Likes

BPry
Cyber Elite
Cyber Elite

‎11-16-2018 02:53 PM

@David7660,

So the AE still needs to form on the passive device to get things functional again. Depneding on your platform you can actually setup pre-negotiation on the LACP links to make things a bit faster. 

On the AE interface select the LACP tab and select the 'Enable in HA Passive State' and commit the configuration. This will allow LACP communication on the passive device so failover is drastrically faster. Just make sure that you don't also have 'Same System MAC Address for Active-Passive HA' option enabled, as this wouldn't work with pre-negotiation. 

0 Likes Likes

David7660
L1 Bithead

‎11-20-2018 01:33 AM

Thanks to you, every options you mentionned are correctly defined on my palo alto.

 

Finaly, we think that's a routing problem with our ISP.

 

To be confirmed with him.

 

Thanks 🙂

0 Likes Likes
  • 3012 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks