Firewall HA - Confirmation Behavioral - Link Monitor - HA Vwire - Active Passive - Link state Shutdown


L4 Transporter

Hello Live Community, good evening, how are you? I hope you are very well.


I have a question that I would like you to confirm and comment on please. Thank you for your collaboration and for your good vibes.


In a VWire Active-Passive HA environment with the following topology:


Firewall-01 on VWire Active ----- Firewall-02 on VWire Passive

Interfaces 1/1 and 1/2 Vwire-01

Firewall-01 Priority 50

Firewall-02 Priority 100

Preemptive enabled on both firewalls.

Preemptive Hold Time: 1 minute (default value).

Passive Link State: Shutdown

Vwire: Link State Pass Through enabled (default).

Link monitor on both firewalls:

Firewall-01: Ethernet 1/1 and 1/2 - ANY Interface

Firewall-02: Ethernet 1/1 and 1/2 - ANY Interface


Failure Scenario:


In the event of a failure of the Firewall-01 Ethernet 1/1 and 1/2 interfaces, Firewall-02 will assume the Active role.


If Firewall-01 recovers from the failure of its Ethernet 1/1 and 1/2 interfaces, Firewall-02 of the secondary block (with the Active role) will wait 1 minute (Preemptive Hold Time of 1 minute) before handing the Active role back to Firewall-01 of the main block.


Or, for this to work, should the secondary be in Passive Link State Auto so that it keeps negotiating, rather than in Passive Link State Shutdown? I have a doubt here: how is the Palo Alto that recovered from its failure condition going to be detected by the link monitor if its interfaces are down? They should be on auto, right?


I'm not entirely familiar with HA in VWire environments versus L3 environments.


With VWire, according to what I describe, especially in the scenario of failure and recovery of the Principal, is this expected behavior correct? Or is it different with VWire? Should I assume or validate other additional details regarding HA, such as timers, settings, options, etc.?


Thank you in advance for your time, for your good vibes, for your collaboration, advice and comments.



High Sticker

L0 Member

Scenario 1:

With passive link state set to shutdown, I would expect the firewalls to hit their flap limit. That scenario would result in failover to firewall 2, back to firewall 1 (due to preempt with higher priority value), then back to firewall 2. Assuming a flap limit of 3, firewall 1 would remain in a suspended state due to 'non-functional loop detected' until admin intervention, while firewall 2 continued to support traffic.


Scenario 2:

As you suggested, setting passive link state to auto would result in a cleaner failover. Firewall 1 would fail to firewall 2 and stay there. Firewall 1 would stay suspended due to monitored link down. Once the link is back up, firewall 1 would renegotiate HA, and should become the active unit since it's configured to preempt with a higher priority value.


Scenario 3:

If a monitored link on each firewall failed (e.g. e1/1 on both firewalls), one of them would become suspended due to non-func loop, regardless of passive link state being shutdown or auto. Recovery would require admin intervention, same as the first scenario.


If there's something I overlooked or didn't take into account, feel free to correct me.

OK, thank you very much, @mplewis, for your comments and cooperation.


Regarding point 1, the scenario 1 that you mention, with the passive interfaces in Link State Shutdown: that means the secondary firewall, with the passive role, has its interfaces turned off. In this scenario, if the link monitor is on both interfaces 1/1 and 1/2, and any of the interfaces of Firewall-01 (active, of the main block) fails, it will assign the Active role to the secondary. But if we understand that the passive keeps its interfaces down, then when it recovers from its failure condition, the Principal, Firewall-01, now has the passive role. For example, the ethernet 1/1 interface recovers; if the Principal is in the passive state, how will it detect that its interface came back up, so as to recover control after one minute (the preemptive value of 1 minute), if the passive's interfaces are shutdown? Regarding the recovery of the interfaces and the detection of that recovery, so that the main equipment in the passive state recovers from its interface problems and after 1 minute assumes the role again, it would only work with Passive Link State in "Auto", I understand, right? With Passive Link State Shutdown there is no way, right? This applies in VWire, L2 and L3 environments, the most common ones, right?


Thank you for your time, your comments and your great collaboration.


High Sticker

L4 Transporter

Hello, sorry for tagging you; I hope I'm not bothering you. @TomYoung @reaper @Raido_Rattameister @BPry @PavelK @aleksandar.astardzhiev


Could you please look at my post and give me your comments, advice, clarifications, details, etc. regarding what I said about HA with Vwire?


Thank you very much for your comments, for your time, for your collaboration.


I remain attentive


Best regards.
