- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
Enhanced Security Measures in Place: To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.
11-05-2011 02:26 AM
Hello,
I have tried to setup an Active/Active cluster, based on the "PAN-OS Active/Active High Availability - Configuring active/active clusters" technote. I am pretty sure that I have understood and followed the guide correctly.
However, regardless of the Session Owner, Session Setup and Virtual Address settings, the cluster did not seem to failover correclty.
In each test I have disconnected an ethernet link from the Primary PaloAlto device. The results varied, depending on the HA settings:
a) the failover did not happen at all
b) the virtual address 'failed-over' to the Secondary device correctly; However, after ~20 seconds the Secondary device stopped forwarding traffic from this segment. It resumed forwarding traffic after another 10-15 seconds. Then it stopped again - it kept repeating.
All the while, no additional changes were made to the physical connections.
c) the virtual address 'failed-over' to the Secondary device correctly, but only after half-a-minute or so.
I have also done a test, where I suspended the Primary device. The traffic 'failed-over' correctly, but PaloAlto device seemed to randomly stop forwarding it for short periods of time (situation simmilar to point 'b' above).
During the tests I have been observing the MAC address tables on switches and ARP tables on hosts - it seemes that the Gratuitous ARP packets were sent out correctly by the PaloAlto devices.
While using the same topology and devices with Active/Passive configuration, I had no problems whatsoever and failovers happened correctly with no issues.
The tests were carried out using two PA5050 devices, using 4.0.7 and 4.1.0 software versions.
Has anyone successfully deployed and tested Active/Active cluster?
If so, could you please share the High-Availability part of configuration?
Kind regards,
11-09-2011 12:16 AM
@darkfibre:
We have numerous customers with successful Active/Active deployments. Without looking at the specific settings of your test scenarios I would be reticent to offer up any reasons behind the failures that you describe.
If you would be willing to share the configuration settings of your test environment(s) in this thread we can probably figure out if you have encountered a bug or a configuration mishap.
Or if you prefer you can open a case with the support team to get to the bottom of the problems that you describe.
Thank you,
Benjamin
11-10-2011 10:02 AM
Hello darkfibre,
Have you been able to find a solution to the issues with Active/Active configuration?
Have a good day.
11-10-2011 10:10 AM
@bpappas, @commcord
Hello,
Still no luck, unfortunately.
I have attached a file with the lab topology that I used for testing, as well as the HA configurations for both devices:
- Active/Passive,
- Active/Active with one floating IP per segment,
- Active/Active with ARP load sharing.
Using the same topology for all tests, Active/Passive setup worked flawlessly and failovers happened as expected.
However, Active/Active configuration didn't seem to work correctly for me, regardless of the Session Setup and Virtual Address settings.
Please let me know if anyone finds an issue with the above configurations.
Kind regards,
darkfibre
11-11-2011 04:36 PM
We reviewed your configuration and it looks ok. What we would like for for a debugging session if possible. what i recommend is to call into support and open a case with support to debug this issue further.
11-13-2011 02:13 AM
@jnguyen
Thank you for your answer.
I have opened a support case just as you suggested.
Will let you know if the problem is resolved.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!