This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

HA Link and Path Monitoring

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

HA Link and Path Monitoring

Go to solution
JonHill
L1 Bithead

‎01-14-2019 05:32 AM

We've configured HA Active\Passive on a pair of 5250's running PAN-OS 8.1.5 and it works a treat and pre-emption also works as expected.

 

I've configured Link monitoring so if we get an HA failure if the trusted links fail which works and it fails over to the passive as expected but when the links come back it doesn't fail back again to the active unit.

 

Does Pre-emption work with Link and Path monitoring and if it does how is it configured?

 

Any help would be much appreciated.

 

Thanks

 

Jon

0 Likes Likes
1 accepted solution

Accepted Solutions

Go to solution
reaper
Cyber Elite
Cyber Elite

‎01-14-2019 08:46 AM

hi @JonHill

 

Pre-emption will wait an amount of time after a failover and then try to 'fall back' to the original setup

If after a configurable amount of retries the active device still has link monitor failures, the passive device will take over permanently until you manually fail over

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

View solution in original post

11 REPLIES 11

Go to solution
reaper
Cyber Elite
Cyber Elite

‎01-14-2019 08:46 AM

hi @JonHill

 

Pre-emption will wait an amount of time after a failover and then try to 'fall back' to the original setup

If after a configurable amount of retries the active device still has link monitor failures, the passive device will take over permanently until you manually fail over

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Go to solution
OtakarKlier
Cyber Elite
Cyber Elite

‎01-14-2019 08:46 AM

Hello,

I take it you have it preemption enabled on both devices?

 

Preemptive—Enables the higher priority firewall to resume active (active/passive) or active-primary (active/active> operation after recovering from a failure. The Preemption option must be enabled on both firewalls for the higher priority firewall to resume active or active-primary operation upon recovery following a failure. If this setting is off, then the lower priority firewall remains active or active-primary even after the higher priority firewall recovers from a failure.

Go to solution
JonHill
L1 Bithead
In response to reaper

‎01-15-2019 12:42 AM

As you say it was down to the speed at which I re-enabled the interfaces that it had permanently stayed with the peer.

 

Is there anyway of changing these timers and where do I find them?

 

Thanks 

0 Likes Likes

Go to solution
MP18
Cyber Elite
Cyber Elite
In response to reaper

‎02-15-2019 01:03 PM

for this we should have pre enabled on both active and passive right.

Our Active PA has priority 80 and passive has 100.

 

Link Monitoring is only configured on Acitve PA.

 

With this config  when link on Active PA is down and passive should takover the active role untill link on Active PA is up right?

MP

Help the community: Like helpful comments and mark solutions.
0 Likes Likes

Go to solution
reaper
Cyber Elite
Cyber Elite
In response to MP18

‎02-15-2019 01:35 PM

The timers can be changed in the HA configuration

@MP18 pre-emption is a timing mechanism that will try to restore HA after a certain amount of time.
After the timer runs out the cluster will try to fail back, if the downed interface persists the cluster will fail again this for 3 consecutive tries and then the cluster will permanently fail to the secondary device till an admin fixes the problem and manually fails back

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Go to solution
MP18
Cyber Elite
Cyber Elite
In response to reaper

‎02-15-2019 01:37 PM - edited ‎02-15-2019 01:38 PM

so when link Monitoring interface comes up then the active PA  which is currently passive will take over right?

How does Passive PA which becomes active will know if Link monitor interface comes up ?

Via HA1 link?

MP

Help the community: Like helpful comments and mark solutions.
0 Likes Likes

Go to solution
reaper
Cyber Elite
Cyber Elite
In response to MP18

‎02-15-2019 11:19 PM

No it will not
Pre-emption uses timers, the cluster does not fail back when a monitor returns to normal
Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Go to solution
MP18
Cyber Elite
Cyber Elite
In response to reaper

‎02-16-2019 12:05 AM

1>So it means when Link Monitored Interface on the Passive PA comes back up then PAssive PA  has no way to know that

even through HA1 then as Prempt times is expired also right?

 

2>So in this case user has to do the manual failover like PA which become Active we should suspend it right?

 

3>how much is preemt timer? before newly Active PA  stops checking   with Passive PA?

MP

Help the community: Like helpful comments and mark solutions.
0 Likes Likes

Go to solution
MP18
Cyber Elite
Cyber Elite
In response to MP18

‎02-17-2019 02:14 PM

Hi Reaper,

 

IF you can answer the questions please?

This stuff I never know before

 

Best Regards

Mike

MP

Help the community: Like helpful comments and mark solutions.
0 Likes Likes

Go to solution
reaper
Cyber Elite
Cyber Elite
In response to MP18

‎02-18-2019 11:22 PM

1. pre-emption does not take any monitors into account. It is designed to assume a network outage is either a very temporary issue (fail back upon timer) or a very lengthy issue (fail permanently and wait for admin)

 

2. if the outage has taken longer than the (hold time x pre-emption attempts), the cluster will settle with the secondary being active until an admin takes action. to manually fail it back, you shourd first ascertain the primary's root issue is solved and then shortly suspend the secondary

 

3. the default preempt hold time is 1 minute [1-60], but is configurable if you access the advanced timer settings

'Flaps Max' indicates how many times preempt is allowed to 'try' before permanently failing, and is 3 by default [0-16]

preempt hold time.png

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Go to solution
MP18
Cyber Elite
Cyber Elite
In response to reaper

‎02-19-2019 08:35 AM

MAny Thanks for replying back in detail.

Lot to learn from here

MP

Help the community: Like helpful comments and mark solutions.
0 Likes Likes
  • 1 accepted solution
  • 7785 Views
  • 11 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks