HA down PA-220

cancel
Showing results for 
Search instead for 
Did you mean: 

HA down PA-220

L1 Bithead

I've a pair of PA-220 configured as cluster. After power off - on HA is down. But I can connect to both firewalls via https & ssh.
Active fw1 shows that HA ports 7 & 8 are down (red in GUI). On passive firewall fw2 all ports are grey.
But the real strange thing is, when looking into running-config (CLI), on active fw1 all the HA config is missing.
On passive (ok, not really passive, because HA is down) fw2 all the HA config in running-config is shown (CLI).
But when I enter the command "show high-availability state" fw2 shows "HA not enabled".
And "show interface all" gives me an error.
For me it would make sense, if fw1 would show this error, because of missing part in running-config.
Connections are working, I can reach all the stuff behind the firewall.

user@fw2> show high-availability state
HA not enabled

user@fw2> show interface all
Server error : An error occured. See dagger.log for information.

 

user@fw1(active)> show high-availability state
Group 1:
Mode: Active-Passive
Local Information:
Version: 1
Mode: Active-Passive
State: active (last 4 days)

user@fw1(active)> show interface all

total configured hardware interfaces: 9
name id speed/duplex/state mac address
--------------------------------------------------------------------------------
ethernet1/2 17 1000/full/up 00:1b:17:
ethernet1/3 18 1000/full/up 00:1b:17:
ethernet1/5 20 1000/full/up 00:1b:17:
ethernet1/7 22 ukn/ukn/down(autoneg) 34:e5:ec:
ethernet1/8 23 ukn/ukn/down(autoneg) 34:e5:ec:

 

Is there a change to bring up the HA from remote (site is far, far away) with only minimum interrupt (reboot)?
Thanks.

1 ACCEPTED SOLUTION

Accepted Solutions

Cyber Elite
Cyber Elite

@ChrisCon,

I agree with @Astardzhiev that this is likely a hardware issue, but since you're also getting server errors it could also easily be a software issue that can be resolved with a reload of the firewall. 

I would however actually caution against reloading either firewall until you have someone on-site that can actually troubleshoot what is going on. The reason for this is simply that restarting the fw2 and/or fw1 while something is in this sort of state could actually cause a split-brain situation. Since the network is "functional" and this isn't actively causing any issues outside of the lose of HA, I wouldn't want to introduce something that actually ends up effecting traffic by attempting to fix the issue until I'm on-site with the hardware. 

View solution in original post

3 REPLIES 3

Cyber Elite
Cyber Elite

Hi @ChrisCon ,

 

It sound like hardware issue for me...Have you tried to power cycle (reboot) it again?

Cyber Elite
Cyber Elite

@ChrisCon 

 

Check System logs in GUI and from CLI

Check below logs

 

less mp-log ha_agent.log

 

Also troubleshoot why HA ports are down?

Check Physical connections.

IF HA is enabled on both firewalls then if physical interfaces are up again then your issue should be fixed.

 

Regards

 

Regards

Mahesh

MP

Cyber Elite
Cyber Elite

@ChrisCon,

I agree with @Astardzhiev that this is likely a hardware issue, but since you're also getting server errors it could also easily be a software issue that can be resolved with a reload of the firewall. 

I would however actually caution against reloading either firewall until you have someone on-site that can actually troubleshoot what is going on. The reason for this is simply that restarting the fw2 and/or fw1 while something is in this sort of state could actually cause a split-brain situation. Since the network is "functional" and this isn't actively causing any issues outside of the lose of HA, I wouldn't want to introduce something that actually ends up effecting traffic by attempting to fix the issue until I'm on-site with the hardware. 

View solution in original post

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!