09-28-2019 10:19 AM
Hi,
When I configure HA for data link I use Ethernet when devices are directly connected to each other, but sometimes in the field I see people using IP for transport but the devices are directly connected to each other. Why are they doing this? There is no reason to do it unless it needs to route. Can someone help me understand their logic?
Thanks
10-01-2019 01:56 AM
I manage an HA active/standby pair of PA-5220, and we had to switch from Ethernet to IP-based HA because of AUX port limitations and bug PAN-105737 (*). We surely could have solved it with a minimal configuration, but we opted to fully configure all HA interfaces (i.e. IP, netmask and gateway). We must use AUX ports because we are about to split the couple in two different datacenters.
(*) If you use the AUX 1 or AUX 2 interface and you do not configure an IP address, network mask, and default gateway for the interface, the interface will not come up when you upgrade the firewall to PAN-OS 8.1.7. The most common use of AUX interfaces is to configure AUX ports as HA1 and HA1 Backup interfaces for fiber connections on PA-5200 Series firewalls in an HA configuration.
10-01-2019 06:34 AM - edited 10-01-2019 06:36 AM
@junior_r wrote:
Hi,
When I configure HA for data link I use Ethernet when devices are directly connected to each other, but sometimes in the field I see people using IP for transport but the devices are directly connected to each other. Why are they doing this? There is no reason to do it unless it needs to route. Can someone help me understand their logic?
Thanks
I've got an A/P 5220 pair split between DCs that are over 500 miles apart. Latency between both DCs is < 20ms and we have no issues. In our case using IP allows for DC redundancy via 2 geographically separated DCs. The networks for both HA1/2 are just L2 networks with no router so the FWs talk directly to each other.
10-01-2019 07:48 PM
Are you using HSCI ports for HA2 Data links?
Which SFP are you using for HA2 Data links?
10-01-2019 11:56 PM
HSCI: no, we are using AUX ports and a couple of regular SFP+ ports (eth1/5 and eth1/6)
Which SFP: since we need "colored" DWDM links, we are using Solid Optics Cisco-compatible 10Gbit ZR ones.
10-02-2019 12:02 PM
@MP18 wrote:
Are you using HSCI ports for HA2 Data links?
Which SFP are you using for HA2 Data links?
Just using the embedded copper port on the 5220.