05-10-2024 01:38 AM - edited 05-10-2024 01:42 AM
HA Condition - Link Monitor Recovery - Time to retake Active Link Monitor role
Hello Community, how is everything going, I hope it's going well.
I have the following questions regarding HA.
Details of the environment.
Active - Passive A/P
Principal PA - PA-52XX-01-HA - Priority 50
Secondary PA - PA-52XX-02-HA - Priority 100
Preemptive active
Link State Passive - Auto
Link monitor interfaces eth1/1 - eth1/2 - eth1/3 - eth1/4 - in VWIRE mode ( If "any" fails apply failover ).
We understand that when there is a restart of the PA-01 firewall, priority 50, the role is assumed by the PA-02, after the main firewall restarts, because of the preemptive value, it waits for 1 minute and takes control again.
Now I have the following doubt, I will describe the specific situation:
PA-01 active, two interfaces fail - PA-02 assumes active role ---- Operates a few minutes on Secondary PA-02 with active role all good. It recovers from the failure condition of the two interfaces. How long does it take to assume the role again, once it has recovered from the failure condition? I understand it is immediately under the Promotion Hold Time (ms) timer 2000/500 ms.
Now if it is 1 minute, like the example of the restart, is it possible to recover the role immediately, that is, the failure condition is recovered, the failure condition of the Link Monitor is restored and that it does not wait a minute, but immediately, adjustable or as fast as possible the PA-01 of HA Active resumes the role ????
Detail Doc HA timers Info:
Promotion Hold Time (ms)
Time that the passive firewall (in active/passive mode) or the active-secondary firewall (in active/active mode) will wait before taking over as the active or active-primary firewall after communications with the HA peer have been lost. This hold time will begin only after the peer failure declaration has been made.
2000/500.
Preemption Hold Time (min)
Time that a passive or active-secondary firewall will wait before taking over as the active or active-primary firewall.
1/1
Thank you very much for your kindness, cooperation and your time.
I remain attentive
Best regards
05-24-2024 02:59 PM
Hi @Metgatz .
As described in the documentation (which you probably already have seen) - https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/high-availability/ha-concepts/ha-timers
You have three options for setting HA timers:
- Recommended (used by default)
- Aggressive - using shorter, but still predefined value for each HA timer
- Advanced/Custom - where you can set custom values for each timer
Let's break down the two scenarios, as different timers are being used:
Active FW reboot/going down
- When active FW is going down for reboot, it will stop sending hello keepalives to standby.
- This will start the "Promotion Hold Timer", which is 2sec by default and 0.1 with "Aggressive" timers
- After the primary firewall is back online, it will wait for the "Preemption Hold Time", which is 1min, before promoting itself as active again
Link Monitor failure:
- "Monitor Fail Hold Up Time" is set to 0ms with recommended and aggressive settings. This means that the secondary FW will become active immediately when the primary reports an interface down
- When the primary FW restores the interface and clears the link monitor alarm, the "Preemption Hold Time" is started. After 1min it will take the active role again.
Note: "Promotion Hold Timer" will be used only when members lose connectivity over the HA links, basically when they stop sending/receiving keepalives. This timer will not be used in case the primary member is alive but there is a link monitor event.
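The two scenarios from the answer above as a small Python timeline model, added here as an illustration (it is not code from the thread or from Palo Alto Networks). The event names and the rule that a new failure during the hold cancels a pending preemption are assumptions of this model; the default timer values are the ones quoted in the thread.

```python
from dataclasses import dataclass

@dataclass
class Timers:
    promotion_hold_ms: int = 2000      # applies only when HA keepalives are lost
    monitor_fail_hold_up_ms: int = 0   # applies to a link monitor failure
    preemption_hold_min: int = 1       # applies before PA-01 retakes the active role
    preemptive: bool = True

# Hypothetical event names for this model, mapped to the timer each one starts.
FAIL = {"keepalive_lost": "promotion_hold_ms", "link_fail": "monitor_fail_hold_up_ms"}
RECOVER = {"peer_back", "link_ok"}

def role_changes(events, timers=None):
    """events: [(time_ms, name)] seen from PA-01. Returns [(time_ms, new_active_unit)]."""
    timers = timers or Timers()
    active, pending, changes = "PA-01", None, []
    for when, name in sorted(events) + [(float("inf"), "end")]:
        # Fire the scheduled takeover if its timer expired before this event.
        if pending and pending[0] <= when:
            due, unit = pending
            if unit != active:
                active = unit
                changes.append((due, unit))
            pending = None
        if name in FAIL:
            # Assumption: a new failure replaces any preemption still counting down.
            pending = (when + getattr(timers, FAIL[name]), "PA-02")
        elif name in RECOVER and timers.preemptive:
            pending = (when + timers.preemption_hold_min * 60_000, "PA-01")
    return changes

if __name__ == "__main__":
    # Constructed timelines (milliseconds).
    print(role_changes([(0, "link_fail"), (300_000, "link_ok")]))
    print(role_changes([(0, "keepalive_lost"), (240_000, "peer_back")]))
```
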