HA Configuration on PA-3220 - HA1 is UP but HA1 Backup is Down

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

HA Configuration on PA-3220 - HA1 is UP but HA1 Backup is Down

L1 Bithead

 

I have both PA-3220 HA1-A and HA1-B links connected back to back to each other with a previously verified cable but only HA1 is coming up greeen while HA1 Backup is showing down. The HA1-B interface LEDs on both PA-3220 show green.

 

Any feedback or suggestion is greatly appreciated.

 

 

PassivePassiveHA Setup BHA Setup BHA Setup AHA Setup AActiveActive

21 REPLIES 21

L1 Bithead

What release are you on? In 8.1.4 there's a bug involving the HA1-B does not come up as expected. Fixed in 8.1.4-h2 and later.

 

From the release note on 8.1.4-h2:

 

PAN-107271
Fixed an issue on a PA-3200 Series firewall running PAN-OS 8.1.4 in an HA configuration where the HA1-B (backup) port did not come up as expected.

Same issue on PA-3260, PAN-OS 8.1.7... I'm asking to the customer support.

L3 Networker

Same issue on PA-3220 with PAN-OS 8.1.8.

--
"The Simplicity is the ultimate sophistication." - Leonardo da Vinci.

Looks like this issue came back in 9.1.6...

Same here, 3250 ha1 backup down, directly connected.

L3 Networker

FYI - Here is a workaround for someone who wants to bring up the HA1 Backup before fixing it by upgrading the PAN-OS (if it's a bug - last time it was).

Step 1. Change the Port type from ha1-b to management on Active firewall and Commit (Device -> High Availability -> General > Control link (HA1 Backup)
Step 2. Revert back to the previous configuration with the Port type: ha1-b, along with the IP address and Commit.

This workaround should bring up the HA1 Backup.
Hope this helps!

* Refer to my blog with screenshots.
https://www.analysisman.com/2018/12/pan-3220-ha1backup.html

--
"The Simplicity is the ultimate sophistication." - Leonardo da Vinci.

Thanks for advice, i've noticed it before. It looks like PA is very devoted to management interface, even if there is no port chosen, management is used 🙂

 

Also this behaviour is observed after migration from older PA. As far as i see there is couple places where imported config has some artefacts comparing to manually made changes.

 

Tomek

Issue is in 9.1.5 too, running 3220s also.

 

Had to swap port back and forth from ha1-b to mgmt as suggested

 

I assume PA are aware of it?

On the 3250 , 9.1.6 also passive PA reboot was required to made ha1-b back as active.

 

Tomek

L0 Member

Hi,

 

Same problem on a PA-3250 cluster just after upgrading to 9.1.5. Additional reboot needed just to bring the HA1-b Up again.

 

Br.

 

L3 Networker

Same issue on a pair of 3320s. Rebooted the passive firewall, but no change, still red.

@aarato 

 

We are running PA 3260 in Active passive PAN OS 9.1.5 and 8.1.9.

No issues so far.

 

Regards

MP

Help the community: Like helpful comments and mark solutions.

For me - it was also necessary to repeat these steps on the passive node

L0 Member

Try configuring gateway in ha port configuration, pointing one firewall to other. 

  • 24066 Views
  • 21 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!