10-30-2012 09:52 PM
Dear Support:
I want to know how long will the Standby PA become active ?
According to the HA best practice , Running @ PA2020 & 4.1.8
the HA statue is normal , all things are match
and the link monitor had setup , interface monitor set to shutdown
I ping 8.8.8.8 -t at the internal network
I unplugin one of data interface , and the standby PA becomse Active
but can;t ping 8.8.8.8 ,
I had already set the swithport to portfast mode
and I can ping 8.8.8.8 after around 90 seconds
Is it normal ? and any advise ? thanks
10-31-2012 12:21 AM
According to the default settings for HA are:
"
pa- 2000 hello interval - 8 sec, heart beat interval - 2sec, promotion hold time- 2 sec and preemption hold time -1 sec
"
which gives that if the current active device goes away it will take 6 seconds (3 * heartbeat) before the passive device takes over the traffic.
If you manually restart the current active device then the passive should take over straight away because the device being rebooted will send a signal to the passive device to take over.
If you have to wait 90 seconds and use default HA settings in your PA cluster I would think you have some other malfunction somewhere on the road.
I would try to setup a packet capture on the devices before and after your PA to find out if your portfast is really working as expected or not.
10-31-2012 12:21 AM
According to the default settings for HA are:
"
pa- 2000 hello interval - 8 sec, heart beat interval - 2sec, promotion hold time- 2 sec and preemption hold time -1 sec
"
which gives that if the current active device goes away it will take 6 seconds (3 * heartbeat) before the passive device takes over the traffic.
If you manually restart the current active device then the passive should take over straight away because the device being rebooted will send a signal to the passive device to take over.
If you have to wait 90 seconds and use default HA settings in your PA cluster I would think you have some other malfunction somewhere on the road.
I would try to setup a packet capture on the devices before and after your PA to find out if your portfast is really working as expected or not.
10-31-2012 04:36 AM
In my experience it is often the switches that cause the delay and not the PA devices. I have a 2020 HA pair running with pretty speedy failover, though it can always be better!
If you look at the units when you try a failover you should see all the activity lights on the ports go off on one unit and light up on the other unit. When these light up, the PA unit will be ready to start passing data, so your switch needs to get going too!
You said you were testing this by unplugging a data interface - what sort of experience do you get when you do a controlled failover? Device / HA / Operational Commands / Suspend local device
Also, are you using striaght through or crossover cables between the units?
10-31-2012 05:10 AM
any differents with striaght through or crossover cables?
we now HA1 is crossover , HA2 is striaght through
11-02-2012 03:18 PM
I'd verify that the passive node takes up when you think it should. Open cli sessions and verify that your trigger is working as expected. See https://live.paloaltonetworks.com/docs/DOC-3838 for a quick list of commands to use.
Second, I'd make sure that Device->High Availability->General->Active/Passive Settings->Passive Link State, is set to auto. As already mentioned, make sure your upstream switch is configured correctly for the PANs ports (spanning-tree disabled).
If you have a visio to share, post it. It's good to have everyone on the same page.
Good luck,
Mike
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
