HA configuring questions?


L4 Transporter

Hi folks,

 

A couple more questions about HA, if you please.

Hopefully my post frequency will reduce after training next week.

(Yes, configuring HA just before the training this weekend)

 

I will configure HA on an existing running production PA-3020 and then add a second as Passive.

  • There should be no network loss or downtime associated with the HA configuration procedure, correct?
  • I could configure HA, sync to Passive, etc. without configuring Link/Path monitoring until we are ready, correct?
  • I am wondering if there are methods to test for flaps on Links and Paths before configuring to determine appropriate timings and avoid unintentional failovers?

Thanks again for the support!

 

1 accepted solution

Cyber Elite

"There should be no network loss or downtime associated with the HA configuration procedure, correct?"

It depends 🙂

If you enable HA, the interface MAC address will change (it is calculated based on the HA group ID), so if network devices have a long ARP cache, it might affect connectivity. After HA, the IP and MAC float from active to passive in case of failover.

 

"I could configure HA, sync to Passive, etc. without configuring Link/Path monitoring until we are ready, correct?"

Yes

 

"I am wondering if there are methods to test for flaps on Links and Paths before configuring to determine appropriate timings and avoid unintentional failovers?"

You can suspend the active device to make the passive one active and verify that you still have connectivity without Path/Link monitoring.

 

NB! You have a "Sync config to peer" option on both firewalls, so the config can be pushed to the peer from both sides.

If you accidentally click this on the new, empty device, you push an empty config to the currently active firewall and bring your network down.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

L6 Presenter

"There should be no network loss or downtime associated with the HA configuration procedure, correct?"

It depends 🙂

If you enable HA then interface MAC address will change (calculated based on HA group ID) so if network devices have long arp cache then might affect connectivity. After HA IP and MAC is floating from active to passive in case of failover.

 

 

@Raido_Rattameister do you think gratuitous arp might help with this? 

 

 

  • I am wondering if there are methods to test for flaps on Links and Paths before configuring to determine appropriate timings and avoid unintentional failovers?

Tricky one. Leave all settings at their defaults (recommended) and then adjust the timers if need be.

If I remember correctly, then test arp gratuitous will send an update for the interface IP but not for destination NAT IPs that are behind the firewall, but don't quote me on that 🙂

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

I am getting scared about the MAC address change.

 

Which interface MAC will change after enabling HA?

I will not be testing failover yet, just configuring HA.

 

After enabling HA (MAC address change), should I expect the network switches connected to the Active PA to update ARP automatically and restore connectivity if there is an interruption? Or do I have to do something manually on the switches to clear the ARP cache?

I found this.

https://live.paloaltonetworks.com/t5/Management-Articles/After-Enabling-Active-Passive-HA-the-Networ...

 

Pretty straight forward, likely will lose connectivity.

 

I am just trying to figure out for how long and how clearing ARP cache on HP 2910al will affect anything else.

All connections (but one) come from one switch.

 

Would clearing the cache on this one switch be good enough?

 

[Attachment: PAHA.jpg]

Change the switch ARP cache to a short period, or clear the ARP cache after the HA configuration.

Ask the ISP how long their gateway's ARP cache time is (that gateway is your next hop) and complain if it is over 5 minutes.

 

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

Thank you Raido.

I was wondering about the ISP.

 

I guess I was thinking that since the PA is not directly connected to Internet (switch in between), may not have to consider that.

But I probably should call them.

 

If I clear the arp cache on my switch (any switch in general), does it start to re-learn automatically?

Just wondering if there are other implications for other devices in our network after clearing arp cache.

 

Thanks again.  Feels good to get responses right now.  🙂

If a switch receives a packet, it will check whether the source MAC (the device it received it from) is already in the MAC table.

If not, it will add it, and then check which MAC the packet should go to.

If it does not have the destination MAC in the table, it will send the packet out to all ports except the one it received the packet from.

When the reply packet comes, it marks down what port this packet came from, updates the MAC table, and further traffic flows only between those ports.

 

So if your devices generate traffic, most likely the switch will update itself fast, but the biggest issue is with those DNAT rules where you expect traffic in from outside but don't send traffic out from those IPs.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011
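The behaviour Raido describes (a learning switch plus the ARP caches of the neighbours) is easy to see in a small simulation. The following is an added example, not code from the thread or from Palo Alto Networks: it models a two-port learning switch and a host ARP cache, changes the firewall's interface MAC the way enabling HA does, and probes whether the host's frames still reach the firewall with and without a gratuitous ARP. All addresses and MACs are constructed placeholders (the "new" MAC is not the real HA-derived value), and the ARP timeout is an assumed 4 minutes.

```python
"""Learning-switch / ARP-cache simulation: what happens to traffic for an IP
whose owner changed its MAC (as when HA is enabled on a firewall interface)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    src_mac: str
    dst_mac: str
    ingress_port: int
    # Optional (ip, mac) carried by an ARP reply or a gratuitous ARP
    arp_announce: Optional[Tuple[str, str]] = None


class LearningSwitch:
    """Learn the source MAC on the ingress port, unicast to a known
    destination, flood unknown or broadcast destinations (as in the thread)."""

    def __init__(self, ports: List[int], age_secs: float = 300.0):
        self.ports = ports
        self.age_secs = age_secs
        self.table: Dict[str, Tuple[int, float]] = {}  # mac -> (port, last seen)

    def forward(self, frame: Frame, now: float) -> List[int]:
        self.table[frame.src_mac] = (frame.ingress_port, now)  # learn / refresh
        entry = self.table.get(frame.dst_mac)
        if frame.dst_mac != BROADCAST and entry and now - entry[1] < self.age_secs:
            return [entry[0]]  # known destination: send out that one port only
        return [p for p in self.ports if p != frame.ingress_port]  # flood


class ArpCache:
    """Per-host IP -> MAC cache with a timeout; refreshed by ARP replies and
    by gratuitous ARP broadcasts."""

    def __init__(self, timeout_secs: float):
        self.timeout = timeout_secs
        self.entries: Dict[str, Tuple[str, float]] = {}

    def learn(self, ip: str, mac: str, now: float) -> None:
        self.entries[ip] = (mac, now)

    def lookup(self, ip: str, now: float) -> Optional[str]:
        e = self.entries.get(ip)
        return e[0] if e and now - e[1] < self.timeout else None


# Constructed topology: firewall on port 1, one host on port 2.
FW_PORT, HOST_PORT = 1, 2
FW_IP = "192.0.2.1"                       # constructed (documentation range)
OLD_MAC = "aa:aa:aa:00:00:01"             # constructed: MAC before HA
NEW_MAC = "aa:aa:aa:00:00:ff"             # constructed placeholder for the HA MAC
HOST_MAC = "bb:bb:bb:00:00:02"            # constructed


def simulate(send_garp: bool, host_arp_timeout: float,
             probe_times: List[float]) -> Dict[float, str]:
    """Return, per probe time, whether a host->firewall frame is delivered."""
    switch = LearningSwitch([FW_PORT, HOST_PORT])
    host_arp = ArpCache(host_arp_timeout)
    fw_mac = OLD_MAC

    def deliver(frame: Frame, now: float) -> List[int]:
        ports = switch.forward(frame, now)
        if HOST_PORT in ports and frame.arp_announce:  # host sees ARP reply/GARP
            host_arp.learn(*frame.arp_announce, now)
        return ports

    def fw_receives(frame: Frame, ports: List[int]) -> bool:
        # The firewall only accepts frames addressed to its *current* MAC
        return FW_PORT in ports and frame.dst_mac in (fw_mac, BROADCAST)

    # t=0: host ARPs for the firewall, firewall answers with its old MAC
    deliver(Frame(HOST_MAC, BROADCAST, HOST_PORT), 0)
    deliver(Frame(fw_mac, HOST_MAC, FW_PORT, (FW_IP, fw_mac)), 0)

    # t=5: HA enabled, the interface MAC changes; optionally announce it
    fw_mac = NEW_MAC
    if send_garp:
        deliver(Frame(fw_mac, BROADCAST, FW_PORT, (FW_IP, fw_mac)), 5)

    results: Dict[float, str] = {}
    for t in probe_times:
        mac = host_arp.lookup(FW_IP, t)
        if mac is None:  # entry expired: host re-ARPs and learns the new MAC
            deliver(Frame(HOST_MAC, BROADCAST, HOST_PORT), t)
            deliver(Frame(fw_mac, HOST_MAC, FW_PORT, (FW_IP, fw_mac)), t)
            mac = host_arp.lookup(FW_IP, t)
        frame = Frame(HOST_MAC, mac, HOST_PORT)
        # With a stale ARP entry the frame still reaches the firewall's port
        # (the switch remembers the old MAC there) but carries the wrong
        # destination MAC, so the firewall ignores it.
        ok = fw_receives(frame, deliver(frame, t))
        results[t] = "delivered" if ok else "dropped (stale MAC)"
    return results


if __name__ == "__main__":
    for garp in (False, True):
        print("gratuitous ARP" if garp else "no gratuitous ARP",
              simulate(garp, host_arp_timeout=240.0, probe_times=[10, 200, 260]))
```

Without the gratuitous ARP the host keeps sending to the old MAC until its ARP entry ages out (here 4 minutes), which is exactly the outage window the thread is worried about; a long cache on the ISP gateway stretches that window for inbound and DNAT traffic. With the announcement, or after clearing the cache, the very next frame is delivered.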

Thanks again Raido.

 

I was just talking to support about it.  He suggested that I could do a dataplane reset after enabling HA on the Primary firewall and that should do G-ARPs to have connected devices/switches update their ARP and MAC tables WITHOUT the need for clearing ARP and MAC tables.

 

I was thinking (to avoid an unintentional failover) I could configure HA on the primary with no HA cables plugged in, restart the dataplane to get the G-ARPs sent out and updated, verify connectivity, then plug in HA cables, enable HA on second device, and do a sync.

 

Of course, understanding that there will be a network interruption until the dataplane has finished restarting...

 

Does that all sound right?

 

[Attachment: dataplane.jpg]

  • 1 accepted solution
  • 3700 Views
  • 9 replies
  • 0 Likes