HA Configuration on PA-3220 - HA1 is UP but HA1 Backup is Down

L1 Bithead

 

I have both PA-3220 HA1-A and HA1-B links connected back to back to each other with a previously verified cable, but only HA1 is coming up green while HA1 Backup is showing down. The HA1-B interface LEDs on both PA-3220 show green.

 

Any feedback or suggestion is greatly appreciated.

 

 

[Screenshots: Passive, HA Setup B, HA Setup A, Active]

19 REPLIES

L1 Bithead

What release are you on? In 8.1.4 there's a bug where the HA1-B does not come up as expected. Fixed in 8.1.4-h2 and later.

 

From the release note on 8.1.4-h2:

 

PAN-107271
Fixed an issue on a PA-3200 Series firewall running PAN-OS 8.1.4 in an HA configuration where the HA1-B (backup) port did not come up as expected.

Same issue on PA-3260, PAN-OS 8.1.7... I'm asking customer support.

--
Linus Torvalds does not push the toilet flush button, he just says "make clean".

L3 Networker

Same issue on PA-3220 with PAN-OS 8.1.8.

--
"The Simplicity is the ultimate sophistication." - Leonardo da Vinci.

Looks like this issue came back in 9.1.6...

Same here, 3250 ha1 backup down, directly connected.

L3 Networker

FYI - Here is a workaround for someone who wants to bring up the HA1 Backup before fixing it by upgrading the PAN-OS (if it's a bug - last time it was).

Step 1. Change the Port type from ha1-b to management on the Active firewall and Commit (Device -> High Availability -> General -> Control Link (HA1 Backup)).
Step 2. Revert back to the previous configuration with the Port type: ha1-b, along with the IP address and Commit.

This workaround should bring up the HA1 Backup.
Hope this helps!

* Refer to my blog with screenshots.
https://www.analysisman.com/2018/12/pan-3220-ha1backup.html

--
"The Simplicity is the ultimate sophistication." - Leonardo da Vinci.

Thanks for the advice, I've noticed it before. It looks like PA is very devoted to the management interface; even if there is no port chosen, management is used.

 

Also, this behaviour is observed after migration from an older PA. As far as I see, there are a couple of places where the imported config has some artefacts compared to manually made changes.

 

Tomek

Issue is in 9.1.5 too, running 3220s also.

 

Had to swap the port back and forth from ha1-b to mgmt as suggested.

 

I assume PA are aware of it?

On the 3250, 9.1.6, a reboot of the passive PA was also required to bring ha1-b back as active.

 

Tomek
