12-14-2018 10:09 AM
I have both PA-3220 HA1-A and HA1-B links connected back to back to each other with a previously verified cable but only HA1 is coming up greeen while HA1 Backup is showing down. The HA1-B interface LEDs on both PA-3220 show green.
Any feedback or suggestion is greatly appreciated.
12-16-2018 03:21 PM
What release are you on? In 8.1.4 there's a bug involving the HA1-B does not come up as expected. Fixed in 8.1.4-h2 and later.
From the release note on 8.1.4-h2:
PAN-107271 | Fixed an issue on a PA-3200 Series firewall running PAN-OS 8.1.4 in an HA configuration where the HA1-B (backup) port did not come up as expected. |
05-20-2019 06:15 AM
Same issue on PA-3260, PAN-OS 8.1.7... I'm asking to the customer support.
06-06-2019 02:21 PM
Same issue on PA-3220 with PAN-OS 8.1.8.
11-23-2020 02:48 AM
Looks like this issue came back in 9.1.6...
11-25-2020 11:55 PM
Same here, 3250 ha1 backup down, directly connected.
11-26-2020 12:10 AM - edited 05-25-2021 04:26 PM
FYI - Here is a workaround for someone who wants to bring up the HA1 Backup before fixing it by upgrading the PAN-OS (if it's a bug - last time it was).
Step 1. Change the Port type from ha1-b to management on Active firewall and Commit (Device -> High Availability -> General > Control link (HA1 Backup)
Step 2. Revert back to the previous configuration with the Port type: ha1-b, along with the IP address and Commit.
This workaround should bring up the HA1 Backup.
Hope this helps!
* Refer to my blog with screenshots.
https://www.analysisman.com/2018/12/pan-3220-ha1backup.html
11-26-2020 12:47 AM
Thanks for advice, i've noticed it before. It looks like PA is very devoted to management interface, even if there is no port chosen, management is used 🙂
Also this behaviour is observed after migration from older PA. As far as i see there is couple places where imported config has some artefacts comparing to manually made changes.
Tomek
11-26-2020 01:55 AM - edited 11-26-2020 02:03 AM
Issue is in 9.1.5 too, running 3220s also.
Had to swap port back and forth from ha1-b to mgmt as suggested
I assume PA are aware of it?
11-26-2020 04:53 AM
On the 3250 , 9.1.6 also passive PA reboot was required to made ha1-b back as active.
Tomek
11-27-2020 05:58 AM
Hi,
Same problem on a PA-3250 cluster just after upgrading to 9.1.5. Additional reboot needed just to bring the HA1-b Up again.
Br.
01-15-2021 11:47 AM
Same issue on a pair of 3320s. Rebooted the passive firewall, but no change, still red.
01-16-2021 09:23 AM - edited 01-16-2021 09:25 AM
We are running PA 3260 in Active passive PAN OS 9.1.5 and 8.1.9.
No issues so far.
Regards
01-23-2021 02:36 PM
For me - it was also necessary to repeat these steps on the passive node
02-02-2021 05:51 AM
Try configuring gateway in ha port configuration, pointing one firewall to other.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
