This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

HA Link Monitor Issue

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

HA Link Monitor Issue

Go to solution
renzanjo11
L3 Networker

‎09-03-2024 07:40 PM

Hi everyone!

 

I am having some confusion on HA Link Monitoring and Failover. I did exactly the same thing with video courses and Palo alto document guide but it still doesn't work

For context, i am monitoring my eth1/2 and eth1/3 for failover. So i shut down the G0/0 interfaces of the routers directly connected to them and still there's no failover. I even configured the ethernet interface in Palo Alto to "down" state but no good. Am I missing something here?

renzanjo11_0-1725417374901.png

renzanjo11_1-1725417398285.png

 

renzanjo11_2-1725417418512.png

 

 

Thank you in advance!

0 Likes Likes
2 accepted solutions

Accepted Solutions

Go to solution
emr_1
L5 Sessionator
In response to renzanjo11

‎09-03-2024 09:05 PM

From reply for #1, that's the reason.

Link Monitoring keeps looking for link status of specified ports. To trigger it, you need to link-down that ports.

Try to unplug LAN cable on both ports, I believe it works. (icon will change to RED and fail-over should be occurred)

View solution in original post

0 Likes Likes

Go to solution
CosminM
L4 Transporter

‎09-03-2024 11:00 PM

Hi @renzanjo11 

In any virtual environment (like EVE-NG) the link status will not be down even you shut down the other ending port of the link.

In such use cases, for VM firewalls in HA you can use Path Monitoring as failover trigger.

Cheers,
Cosmin

Don't forget to Like items if a post is helpful to you!
Please help out other users and “Accept as Solution” if a post helps solve your problem!

Read more about how and why to accept solutions.

View solution in original post

8 REPLIES 8

Go to solution
emr_1
L5 Sessionator

‎09-03-2024 07:51 PM

I need two more information to answer your question.

 

#1

Does the status of eth1/2 and 1/3 change to linkdown after you shutdown G0/0?

In another words, GREEN should be changed to RED as below.

2024-09-04 11 45 45.png

 

#2

What is the device status of peer device?

Fail-over occurs only when peer device is ready for fail-over which means peer device have to be "passive" if you are configuring active-passive.

If it is other status such as non-functional, suspended, etc., it does not fail over.

 

0 Likes Likes

Go to solution
renzanjo11
L3 Networker
In response to emr_1

‎09-03-2024 08:31 PM

Hi!

 

#1

When I shut down the G0/0, my Palo Eth interfaces still shows green. 

 

#2

The status shows active-passive

HQ-FW as active and HQ-FW-2 as passive

0 Likes Likes

Go to solution
emr_1
L5 Sessionator
In response to renzanjo11

‎09-03-2024 09:05 PM

From reply for #1, that's the reason.

Link Monitoring keeps looking for link status of specified ports. To trigger it, you need to link-down that ports.

Try to unplug LAN cable on both ports, I believe it works. (icon will change to RED and fail-over should be occurred)

0 Likes Likes

Go to solution
renzanjo11
L3 Networker
In response to emr_1

‎09-03-2024 10:42 PM

I tried removing the link and the port still shows green. Is there something wrong with EVE-NG? I am trying this with EVE-NG.

renzanjo11_0-1725428490514.png

 

renzanjo11_1-1725428528038.png

 

0 Likes Likes

Go to solution
CosminM
L4 Transporter

‎09-03-2024 11:00 PM

Hi @renzanjo11 

In any virtual environment (like EVE-NG) the link status will not be down even you shut down the other ending port of the link.

In such use cases, for VM firewalls in HA you can use Path Monitoring as failover trigger.

Cheers,
Cosmin

Don't forget to Like items if a post is helpful to you!
Please help out other users and “Accept as Solution” if a post helps solve your problem!

Read more about how and why to accept solutions.

Go to solution
emr_1
L5 Sessionator
In response to renzanjo11

‎09-03-2024 11:05 PM

Ah, you are using PA-VM, I thought it is related to hardware appliance.

Even I'm not familiar with EVE-NG, seems EVE-PRO provides the feature related to link state.

If this doesn't work, maybe using path monitoring is easier than link monitoring.

 

https://www.eve-ng.net/index.php/documentation/professional-cookbook/

 

2024-09-04 15 00 35.png

0 Likes Likes

Go to solution
renzanjo11
L3 Networker
In response to emr_1

‎09-03-2024 11:58 PM

Hi @emr_1 , yep! This one is available on the pro i believe. But I resorted back to Path monitoring instead since I got a VM firewall. Much less of a headache 😄 
Thank you very much!

0 Likes Likes

Go to solution
renzanjo11
L3 Networker
In response to CosminM

‎09-03-2024 11:59 PM

Hi @CosminM , indeed! I tried path monitoring. Gave me much better reconvergence and failover. This is noted for VM deployments. Thank you very much! 

0 Likes Likes
  • 2 accepted solutions
  • 865 Views
  • 8 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks