Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

HA and Device Priority

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

HA and Device Priority

L4 Transporter

HA active device

Upon initial configuration the device with the lowest priority, value close to zero, becomes the active unit (default priority is 100). If two devices have the same priority value, the device with the lowest MAC address of the HA1 link becomes the active unit.

Can someone give me real world example of when both FWs would have same priority, and why would they be configured as such.

Thanks

14 REPLIES 14

L6 Presenter

A couple of reasons I can think of:

1) Misconfiguration due to lack of knowledge?

2) Misconfiguration due to lack of reading the manual?

3) Copy-paste monster (you copy the config of one device to make it equal on another and woops, forgets to change the prioritys).

L5 Sessionator

If you are not using the "Preempt" feature in Active/Passive HA then two devices having the same priority should be of no consequence.

this

Hello,

I always like to set on lower than the other so I dont fall into a split brain scenario. 

 

Regards,

This would only happen if it couldn't communicate with the secondary box correct?  If you had device priority set differently, if you don't have preemption enabled, it's not going to make a difference--only the communication between the boxes is going to matter right?  Help me understand this one, but with premption disabled, and device priority equal, as long as the boxes can communicate/interface monitor the correct interfaces, that preemption checkbox does not matter.   Also, If you have preemption disabled, and priorities different, only if the boxes can't communicate between each other, your going to get a split brain.  With preemption enabled, then it matters, as as soon as the lower numbered device comes back online, it's going to fail back over to that device.  So, with device priority being equal, the HA1 mac comes into play.   I'm thinking your saying that if they can't communicate over HA1 and lose connectivity, this could be a problem, even if heartbeat backup is enabled, as the systems can't read their MAC addresses and tell which is lower number---or maybe that flows through the heartbeat backup?  Has anyone tested this with equal priorities, and loss of HA1 interface?

 

 

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClE9CAK

i have testes with same priority 100

device with lower HA1 mac becomes active

MP

Help the community: Like helpful comments and mark solutions.

Yes i can confirm this as well.  But what happens if HA1 goes down, you have hearbeat backups enabled, and priority is the same?

i testesd with ha1 backup down and same priority.

i was trying to create split brain scenario.

MP

Help the community: Like helpful comments and mark solutions.

what was your result?

Both PA become active active as HA1 and HA1 backup link was down.

MP

Help the community: Like helpful comments and mark solutions.

This would still happen with different prioities though as well wouldn't it?

yes it will still happen with different priorities.

MP

Help the community: Like helpful comments and mark solutions.

makes sense.  so basically if you lose your ha1 or backup ha1 your stuck. 

yes that's how it is

MP

Help the community: Like helpful comments and mark solutions.
  • 7838 Views
  • 14 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!