I have a cluster of two firewalls in high availability HA. Today have switched (failover) and I do not understand Why?.
And I would like to know what could cause this?
I have reviewed the system logs, I do not see previous logs to restart. Is this normal?
Can I recover previous system logs to restart?
Is there any way to see a historical percentage of consumption of system resources (CPU Management and Data Plane CPU)?
Is there any way to make a test (check) hardware firewall?
There can be number of reason why the failover occurred. System logs around the time of failover from both device would be a good place to start. To look for memory consumption you can look for "> less mp-log mp-monitor.log" and navigate through --top output, there you will see difference processes with different levels of cpu and memory consumption. But these kind of issues, I will suggest you opening a support case. Hope this helps. Thank you.
We have seen this before as well. We are on code 6.0.6 and there are notes in the newer code 6.0.8 that refer to automatic fail over with respect to data plane issues. Is a though one so I recommend opening a support case. In our case it was related to the path/route monitoring, the PAN thought it lost path but in reality it did not.
The reason why the fail-over occurred *should* be in the logs of the device that was active previously.
Are you still able to connect to the out-of-band MGT network interface of the failed device? If so, hopefully you will be able to see the logs up until the time of failover. Logs are not synchronised between devices.
You can also filter the system logs by the event type 'critical', that will show you something similar to:
HA Group 1: Path group \'VirtualRouter\' failure; one or more destination IPs are down
This is just one type of message. But you still see a HA event. dyoung is correct, check the logs of both devices or the panorama or m100 is you have one.
We only see in the palo alto logs when the system start to be up. We opened a case with PA and they told us that in the logs we dont see anythign about a FW´s problem, that maybe it could be a power outage problem or electric suminis but the FW hadnt any electric problem.........a PA X-files :S
If you are not seeing any logs prior to the restart on the failed device then this is strange. How do you connect to your PA device to check logs please? Via MGT interfaces or one of the firewall interface IPs?
If your failed device had a power issue then there should be log entries reporting the loss of heartbeat connection to peer device.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!