HA Configuration on PA-3220 - HA1 is UP but HA1 Backup is Down

L1 Bithead

I have both PA-3220 HA1-A and HA1-B links connected back to back to each other with a previously verified cable, but only HA1 is coming up green while HA1 Backup is showing down. The HA1-B interface LEDs on both PA-3220 show green.

 

Any feedback or suggestion is greatly appreciated.

 

 

[Screenshots: Passive, HA Setup B, HA Setup A, Active]

L1 Bithead

What release are you on? In 8.1.4 there's a bug where the HA1-B does not come up as expected. Fixed in 8.1.4-h2 and later.

 

From the release note on 8.1.4-h2:

 

PAN-107271
Fixed an issue on a PA-3200 Series firewall running PAN-OS 8.1.4 in an HA configuration where the HA1-B (backup) port did not come up as expected.
L2 Linker

Same issue on PA-3260, PAN-OS 8.1.7... I'm asking customer support.

--
Linus Torvalds does not push the toilet flush button, he just says "make clean".
L3 Networker

Same issue on PA-3220 with PAN-OS 8.1.8.

--
"The Simplicity is the ultimate sophistication." - Leonardo da Vinci.
L0 Member

Looks like this issue came back in 9.1.6...

L1 Bithead

Same here, 3250 ha1 backup down, directly connected.

L3 Networker

FYI - Here is a workaround for someone who wants to bring up the HA1 Backup before fixing it by upgrading the PAN-OS (if it's a bug - last time it was).

Step 1. Change the Port type from ha1-b to management on the Active firewall and Commit (Device -> High Availability -> General -> Control Link (HA1 Backup)).
Step 2. Revert back to the previous configuration with the Port type: ha1-b, along with the IP address, and Commit.

This workaround should bring up the HA1 Backup.
Hope this helps!

--
"The Simplicity is the ultimate sophistication." - Leonardo da Vinci.
L1 Bithead

Thanks for the advice, I've noticed it before. It looks like PA is very devoted to the management interface; even if there is no port chosen, management is used.

 

Also, this behaviour is observed after migration from an older PA. As far as I see, there are a couple of places where the imported config has some artefacts compared to manually made changes.

 

Tomek

L2 Linker

Issue is in 9.1.5 too, running 3220s also.

 

Had to swap port back and forth from ha1-b to mgmt as suggested

 

I assume PA are aware of it?

L1 Bithead

On the 3250, 9.1.6, also a passive PA reboot was required to bring ha1-b back as active.

 

Tomek
