
Force HA failover - how?

L4 Transporter

This is probably simple, but the documentation I can find is unclear, so I'm going to ask anyway. Better to ask and seem a fool than to act and remove all doubt!

I have a pair of PA's in HA configuration. Owing to an issue on the inside with internal switching, I need to be able to kick from the current "active" to the current "passive" to test something, and then back again.

So far, the only way I've found to do this is to reboot the "active" - not really palatable if something goes wrong, because they're only 2020's, and take 15 minutes to boot up to operational state.

Is there any way I can force the "passive" to go active without rebooting?

Thanks

Accepted Solutions

L7 Applicator

On your primary/active firewall, go to the GUI, Device / High Availability / Operational Commands / Suspend local device. 

Does that cause a failover, or just suspend the HA configuration? This is what I am a little concerned about - I don't want both devices going active.

Also, how do you re-enable it? Just do the same on the other device?

This will cause your primary device to suspend, which will cause your secondary device to come active.

Once you've suspended it, then the "suspend" link will change to "resume" (or something like that).

Cool, thanks!

L0 Member

Hello Darren,

Just an additional piece of information:

If you have configured "Link and Path monitoring" in the HA config, you can unplug one of the monitoring interfaces from the primary node and it will trigger a failover to another node.

Thanks

L2 Linker

The CLI commands for forcing failover and then returning to HA mode are:

admin@pafw2(active)> request high-availability state suspend

Successfully changed HA state to suspended

admin@pafw2(suspended)> request high-availability state functional

admin@pafw2(passive)

FredReimer wrote:

Hello Darren,

Just an additional piece of information:

If you have configured "Link and Path monitoring" in the HA config, you can unplug one of the monitoring interfaces from the primary node and it will trigger a failover to another node.

Thanks

Not so easy when the firewall is in a data centre 15 minutes walk from where I sit in my office. 🙂

holmesw wrote:

The CLI commands for forcing failover and then returning to HA mode are:

admin@pafw2(active)> request high-availability state suspend

Successfully changed HA state to suspended

admin@pafw2(suspended)> request high-availability state functional

admin@pafw2(passive)

I knew about the suspend command, I just wasn't sure if it meant suspend the HA state, or suspend the HA (and make both firewalls active).

I know now it's the former - and I've tested it this week, so I know it works. Makes troubleshooting the network issues way easier when I can just put the primary back online with two clicks!

Cheers and thanks
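A pre-check one could run before the suspend command discussed in this thread, so the active node is only suspended when the peer is a healthy passive. This is an added example, not code from any poster or from Palo Alto Networks; the function names are hypothetical, and the XML reply layout and the word-by-word mapping of CLI commands to XML API `type=op` commands are assumptions to confirm on your PAN-OS version.

```python
import xml.etree.ElementTree as ET

# Constructed reply to the op command "show high-availability state".
# The element layout is an assumption; confirm it on your PAN-OS version.
SAMPLE_STATE = """<response status="success"><result><enabled>yes</enabled>
<group><local-info><state>active</state></local-info>
<peer-info><state>passive</state><conn-status>up</conn-status></peer-info>
<running-sync>synchronized</running-sync></group></result></response>"""


def cli_to_op_xml(cli):
    """Nest each word of a keyword-only CLI command as an XML element."""
    root = node = None
    for word in cli.split():
        node = ET.Element(word) if node is None else ET.SubElement(node, word)
        root = node if root is None else root
    return ET.tostring(root, encoding="unicode", short_empty_elements=False)


def safe_to_suspend(state_xml):
    """Return (ok, failed_checks) for suspending the local, active node."""
    root = ET.fromstring(state_xml)
    if root.get("status") != "success":
        return False, ["API call failed"]
    group = "result/group/"
    checks = {
        "HA enabled": root.findtext("result/enabled") == "yes",
        "local node is active": root.findtext(group + "local-info/state") == "active",
        "peer is passive": root.findtext(group + "peer-info/state") == "passive",
        "peer link is up": root.findtext(group + "peer-info/conn-status") == "up",
        "config synchronized": root.findtext(group + "running-sync") == "synchronized",
    }
    failed = [name for name, ok in checks.items() if not ok]
    return not failed, failed


if __name__ == "__main__":
    ok, failed = safe_to_suspend(SAMPLE_STATE)
    if ok:
        # Command body for the suspend step; "functional" restores HA afterwards.
        print(cli_to_op_xml("request high-availability state suspend"))
    else:
        print("do not suspend:", ", ".join(failed))
```
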
