Failover to passive no traffic passes

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Palo Alto Networks Approved
Palo Alto Networks Approved
Community Expert Verified
Community Expert Verified

Failover to passive no traffic passes

L0 Member

Hi all - have been working on upgrading all our firewalls from 9.1.13 to 9.1.14 and ran into an issue last night with one of our Active/Passive 7050 pairs. When I failed over to the passive FW our users lost internet connectivity, once the active FW finished rebooting and I failed back over to it internet was restored. Configs between the 2 devices are sync'd and cabling all looks the same and is fine, each FW has 4 links divided by 2 core switches. Core switch config looks identical. Only major difference I could find between this pair and the other pairs that work is we have link groups configured on the non working pair. Have a call with TAC on Monday to troubleshoot but figured I would check here for ideas. Thanks!

1 REPLY 1

Cyber Elite
Cyber Elite

@alan.lemay,

I'd recommend reviewing the system logs and seeing if the system actually realized that it couldn't pass traffic or not. If you don't have path monitoring enabled it's quite possible that the 7050 didn't even realize that it couldn't pass traffic; while this wouldn't have helped you in this outage, it would have at least been recorded in the system logs to help narrow down the issue.

Baring something present in the system logs, I'd really focus on making sure that the passive unit links are actually functional. Just because the configuration says things should be good doesn't mean you can't have a layer 1 issue with the cabling. It's quite possible your passive unit simply can't communicate properly to your core switches due to bad connections due to light levels if using a fiber connection or due to configuration.

 

Just as an FYI, I always recommend clients due a failover test at least once a month to verify that their passive unit is functional. If it isn't, you can quickly pass traffic back without getting stuck waiting for the box to reload or worse actually having a hardware issue. If you test things in a controlled environment you can limit any possible downtime.

  • 2434 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!