
HA Active/Active design


L0 Member

Hi all,

We would like to deploy 2 PAs on two different sites in an Active/Active design. The two sites are 10ms away from each other.

So the first question is: is 10ms (RTT) acceptable from a PAN-OS perspective to enable the HA feature?

The IP plan is not the same on each site. Is it an issue to set up HA Active/Active in this case? I've read the documentation, and it seems to be supported if we use the virtual wire implementation case.

Best wishes for this new year.

Thanks for your help.

Regards,

EDIT: I've just found a Tech Note describing the HA/HA.

Regarding the second question, this documentation gives the answer: we can use Route Based Redundancy, that's fine.

But now, I worry about the load sharing feature. In our case, half of our users are located on site 1 and the second half on site 2, so the load sharing is native by design using some IP routing features.

Regarding the session owner, it's easy, we can define it as being the device receiving the first packet.

But regarding the session setup, it's not clear: how do we ensure that the session setup is done by the device closest to the user?


3 REPLIES

Palo Alto Networks Guru

Hello,

We developed A/A HA in order to address high availability in environments with asymmetric routing. In these cases, we expect race conditions with packets arriving at both devices. The session setup operation must be tied to a specific device (chosen by the IP modulo or the hash of certain IP header fields) in order to avoid the scenario where both devices try to create a session. For these reasons, we don't currently support a configuration where the device closest to the users will set up the session. Fortunately, the session setup operation is relatively light. Assuming you select the "first-packet" option for session ownership, your A/A design will be as efficient as possible in a symmetrically routed environment.

Thank you,

Nick Campagna

Product Management

Hello,

Thank you for your answer Nick

With a symmetrical routing design, if I understand well, only the session setup (first few packets) will be sent through the HA3 link, so it should not be so dramatic. Once the session has been established, the PA which owns the session will be able to analyse and forward the packets without always sending packets to the HA3 link. Am I right?

In my original question, what about the 10ms RTT between our 2 PAs?

Thanks for your help

- Benjamin

Palo Alto Networks Guru

Hi Benjamin,

Hello,

Thank you for your answer Nick

With a symmetrical routing design, if I understand well, only the session setup (first few packets) will be sent through the HA3 link, so it should not be so dramatic. Once the session has been established, the PA which owns the session will be able to analyse and forward the packets without always sending packets to the HA3 link. Am I right?

[NC] You've got it!

In my original question, what about the 10ms RTT between our 2 PAs?

[NC] You'll have to look at your specific applications and their tolerance for latency. Since this 10ms RTT will typically only affect the session for the first few packets, I don't anticipate any issues.

Thanks for your help

- Benjamin

Thanks,

Nick
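To make the two points of the exchange above concrete (the setup device must be chosen deterministically from the IP header so both peers agree, and with first-packet ownership only setup packets cross HA3 under symmetric routing), here is a small added simulation; it is not code from the thread or from Palo Alto Networks. The device names, the four flows and the (src + dst) modulo used to pick the setup device are constructed assumptions; the real PAN-OS hash inputs are not given in the thread.

```python
import ipaddress
from dataclasses import dataclass, field
DEVICES = ("PA-site1", "PA-site2")  # constructed names for the two A/A peers

def setup_device(src_ip: str, dst_ip: str) -> str:
    """Pick the setup device from IP header fields only, so both peers agree
    whichever one received the packet. (src + dst) modulo is an assumed
    stand-in for the PAN-OS 'IP modulo' option mentioned in the thread."""
    key = int(ipaddress.ip_address(src_ip)) + int(ipaddress.ip_address(dst_ip))
    return DEVICES[key % len(DEVICES)]

@dataclass
class Cluster:
    sessions: dict = field(default_factory=dict)  # flow key -> (owner, setup)
    ha3_packets: int = 0    # packets that had to cross the HA3 link
    local_packets: int = 0  # packets handled on the device that received them

    def _count(self, local: bool) -> None:
        if local:
            self.local_packets += 1
        else:
            self.ha3_packets += 1

    def receive(self, device: str, src: str, dst: str, sport: int, dport: int) -> str:
        key = (src, dst, sport, dport)
        if key not in self.sessions:
            # First-packet ownership: the receiver owns the session, but setup
            # runs on setup_device() and crosses HA3 when that is the peer.
            setup = setup_device(src, dst)
            self.sessions[key] = (device, setup)
            self._count(setup == device)
            return "setup"
        owner, _ = self.sessions[key]
        self._count(owner == device)  # non-owner forwards to the owner over HA3
        return "established"

def simulate(symmetric: bool, data_packets: int = 9) -> Cluster:
    """Four constructed flows, two per site, each entering at its local PA.
    symmetric=False sends every odd data packet (return traffic) to the peer."""
    flows = [("PA-site1", "10.1.0.10", "203.0.113.5", 40001, 443),
             ("PA-site1", "10.1.0.11", "203.0.113.5", 40002, 443),
             ("PA-site2", "10.2.0.10", "203.0.113.5", 40003, 443),
             ("PA-site2", "10.2.0.11", "203.0.113.5", 40004, 443)]
    c = Cluster()
    for ingress, src, dst, sport, dport in flows:
        c.receive(ingress, src, dst, sport, dport)  # first packet: setup
        for i in range(1, data_packets + 1):
            dev = ingress if symmetric or i % 2 == 0 else DEVICES[1 - DEVICES.index(ingress)]
            c.receive(dev, src, dst, sport, dport)
    return c
```

With symmetric routing the HA3 count never exceeds the number of sessions (only setup packets whose chosen setup device is the peer cross the link), while the asymmetric run shows every non-owner packet being forwarded.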
