HA Cluster Topologies and experiences


L4 Transporter

Has anyone had some hands-on experience with the new clustering features? I've read a bit on them, but like the post below, am struggling to make sense of the actual functionality/workability of the finer details needed for this setup, as to how exactly it functions for multi-data-center scalability. Curious as to how the addressing scheme works in situations where you have multiple active data centers.

https://live.paloaltonetworks.com/t5/general-topics/ha-cluster-network-topology/m-p/365084#M88535

5 REPLIES 5

L5 Sessionator

Depends on the use case. If the goal is service survivability (failover), then clustering is great, because the session data lives between all the HA pairs.

 

If the goal is more horizontal scaling (aka utilizing both DCs in real time), that is obviously best accomplished front-ended or sandwiched by load balancers.

 

Not an expert by any means, but have 1 customer running this in prod and know the PM for the feature. What questions can I check on for you?

Help the community! Add tags and mark solutions please.

Hi Slick,

We have been trying to configure HA Cluster in our lab environment. We have already tried two architectures:

i) Three sites as Active.

SudipRijal_0-1649747438391.png

ii) Active/Passive as in DC and Standalone (Active) as in DR

SudipRijal_1-1649747526117.png

We raised multiple tickets in support portals, but none of the representatives were able to support us effectively on this. What does HA Cluster actually do? If the primary firewall goes down, it is responsible for session synchronization to the cluster members and traffic should be transferred to another member of the cluster, right? Since the configuration on all of the devices is the same, we got an ARP conflict on each of the firewalls in the cluster. But we assumed that it would be managed by the clustering itself, right? We got some IP-conflict-related issues.

The KB we referred is:

https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/high-availability/ha-clustering-overview

I believe there is a single support team for this feature, which is why we highly recommend this feature be implemented through professional services. Yes, if a firewall pair goes down then the cluster should pick a new cluster member to move traffic to. 

 

The ARP and IP addresses become the same through the failover. That's how a seamless failover event is created. For example, I have an A/P firewall pair right now; if the primary fails, the same MAC/IP addresses are taken by the passive. Same concept in HA4.

Help the community! Add tags and mark solutions please.

@LAYER_8 I thought that the MAC/IP addresses were completely different in a cluster setup - it was specifically just for state? MAC/IP only stay the same in an HA pair, not throughout the cluster?

Ah yes, worthwhile correction. Apologies.

Help the community! Add tags and mark solutions please.