11-01-2012 08:13 AM
Hi All,
Trying to configure a pair of PA-200s as an active-passive cluster using "HA lite". Right now both devices are showing active, so it seems the nodes do not see each other as cluster members. I have defined one HA link on both firewalls, ethernet1/2... they are connected together via a cross-over cable and both interfaces are showing UP. I realize that state synchronization is not possible with one HA link, but I'm just looking for config sync. When I do a "show high-availability state" from the CLI, I get:
Peer Information:
Connection status: down
Connection down reason: Never able to connect to peer
I have tried to suspend the device with the worse priority... and then make it functional again (hoping it goes into passive state)... but it only goes right back to active. Note I am running 4.1.8 code here.
I have also found a doc that indicates the MGT port is used for HA1 with an HA-lite configuration. Is that true? If so, does that mean I don't need the cross-over on ethernet1/2? Note when I ping the peer HA1 IP address (from either firewall) I simply get back an ICMP "Destination host unreachable"... I am sure this is a problem!
Below are my configs for this... perhaps I have something missing? Grateful if anyone with this knowledge and experience on HA lite would take a look for me... thanks in advance.
Node 1:
set deviceconfig high-availability group 1 mode active-passive passive-link-state auto
set deviceconfig high-availability group 1 mode active-passive monitor-fail-hold-down-time 1
set deviceconfig high-availability group 1 configuration-synchronization enabled yes
set deviceconfig high-availability group 1 peer-ip 192.168.201.2
set deviceconfig high-availability group 1 election-option device-priority 95
set deviceconfig high-availability group 1 election-option heartbeat-backup yes
set deviceconfig high-availability group 1 election-option preemptive no
set deviceconfig high-availability group 1 election-option promotion-hold-time 2000
set deviceconfig high-availability group 1 election-option hello-interval 8000
set deviceconfig high-availability group 1 election-option heartbeat-interval 1000
set deviceconfig high-availability group 1 election-option flap-max 3
set deviceconfig high-availability group 1 election-option preemption-hold-time 1
set deviceconfig high-availability group 1 election-option monitor-fail-hold-up-time 0
set deviceconfig high-availability group 1 election-option additional-master-hold-up-time 500
set deviceconfig high-availability interface ha1 encryption enabled no
set deviceconfig high-availability interface ha1 monitor-hold-time 3000
set deviceconfig high-availability interface ha1 ip-address 192.168.201.1
set deviceconfig high-availability interface ha1 netmask 255.255.255.0
set deviceconfig high-availability interface ha1 port ethernet1/2
set deviceconfig high-availability interface ha1-backup
set deviceconfig high-availability enabled yes
Node 2:
set deviceconfig high-availability group 1 peer-ip 192.168.201.1
set deviceconfig high-availability group 1 configuration-synchronization enabled yes
set deviceconfig high-availability group 1 mode active-passive passive-link-state auto
set deviceconfig high-availability group 1 mode active-passive monitor-fail-hold-down-time 1
set deviceconfig high-availability group 1 election-option device-priority 100
set deviceconfig high-availability group 1 election-option heartbeat-backup yes
set deviceconfig high-availability group 1 election-option preemptive no
set deviceconfig high-availability group 1 election-option promotion-hold-time 2000
set deviceconfig high-availability group 1 election-option hello-interval 8000
set deviceconfig high-availability group 1 election-option heartbeat-interval 1000
set deviceconfig high-availability group 1 election-option flap-max 3
set deviceconfig high-availability group 1 election-option preemption-hold-time 1
set deviceconfig high-availability group 1 election-option monitor-fail-hold-up-time 0
set deviceconfig high-availability group 1 election-option additional-master-hold-up-time 500
set deviceconfig high-availability enabled yes
set deviceconfig high-availability interface ha1 encryption enabled no
set deviceconfig high-availability interface ha1 monitor-hold-time 3000
set deviceconfig high-availability interface ha1 ip-address 192.168.201.2
set deviceconfig high-availability interface ha1 netmask 255.255.255.0
set deviceconfig high-availability interface ha1 port ethernet1/2
set deviceconfig high-availability interface ha1-backup
--
Thanks and regards,
- Dave
11-01-2012 08:42 AM
I run HA-Lite and I utilize the mgmt interface for the ha1 primary control link. No need to utilize a dp port.
high-availability {
group {
1 {
description ha-lite;
peer-ip 172.16.20.254;
configuration-synchronization {
enabled yes;
}
mode {
active-passive;
}
election-option {
device-priority 125;
heartbeat-backup no;
preemptive no;
promotion-hold-time 2000;
hello-interval 8000;
heartbeat-interval 8000;
flap-max 3;
preemption-hold-time 1;
monitor-fail-hold-up-time 0;
additional-master-hold-up-time 500;
}
}
}
enabled yes;
interface {
ha1 {
port management;
encryption {
enabled no;
}
monitor-hold-time 3000;
}
ha1-backup;
}
}
[edit]
admin@oliver(active)#
high-availability {
group {
1 {
description ha-lite;
peer-ip 172.16.20.245;
configuration-synchronization {
enabled yes;
}
mode {
active-passive;
}
election-option {
device-priority 100;
heartbeat-backup no;
preemptive no;
promotion-hold-time 2000;
hello-interval 8000;
heartbeat-interval 8000;
flap-max 3;
preemption-hold-time 1;
monitor-fail-hold-up-time 0;
additional-master-hold-up-time 500;
}
}
}
enabled yes;
interface {
ha1 {
port management;
encryption {
enabled no;
}
monitor-hold-time 3000;
}
ha1-backup;
}
}
[edit]
admin@renato(passive)#
11-01-2012 01:58 PM
Thanks Renato, that is helpful. I have tried your configuration and it is working.
But are you saying that I can't utilize a dataplane interface for HA1 on the PA-200? Or just that I don't have to? Obviously it's nice to save the physical dataplane interfaces if I can, as the PA-200 only has 4 of them... But on the other hand, it would also be nice to have an HA1 primary and HA1 backup like I do for full HA configurations... for purposes of HA control link resiliency. Note the comment by "npare" to this document seems to indicate that you can use a dataplane interface for HA1 primary:
But if I can only use the management interface for HA1, what happens when the mgt interface of the primary goes down... obviously a failover should happen there. But how will upstream/downstream gateways learn the MAC address of the new node?
Thanks for clarifying,
- Dave
11-01-2012 03:17 PM
Hi Dave,
I'd have to set that up utilizing the DP ports. The only reason I'm using the mgmt interface is I lack the available ports to do so. Manual failover works like a charm, but I suspect a non-manual failover will have no problems either. I just haven't seen it in my setup to date.
In A/P HA, the IPs are assigned to the L3 interfaces. These IPs will be replicated across both HA units. The IPs will carry virtual MACs. In the event of a failover, the passive unit will take over the IPs and issue a gratuitous ARP when it becomes active.
On the L3 interfaces, the MAC address listed via the 'show interface all' command will have the following format:
virtual MAC is 00-1B-17:00:xx:yy, where
00-1B-17: vendor ID (Palo Alto Networks)
00: fixed
xx: HA group ID
yy: interface ID
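As an added example (not code from any poster in this thread), here is a small Python check that applies the virtual-MAC layout just described: it parses a MAC seen in a neighbouring gateway's ARP table into HA group ID and interface ID, and flags entries that belong to a different HA group or to a physical NIC, which is what you would look at after a failover to confirm the IPs still resolve to the same virtual MAC. It assumes xx and yy are single bytes written in hex (the reply does not say so explicitly), and the ARP entries are constructed sample data.

```python
import re

# PAN-OS HA virtual MAC layout as given in the reply above:
# 00-1B-17 (vendor ID) : 00 (fixed) : xx (HA group ID) : yy (interface ID)
PAN_HA_PREFIX = "001b1700"


def normalize_mac(mac: str) -> str:
    """Return the MAC as 12 lowercase hex digits; accepts ':' or '-' separators."""
    digits = re.sub(r"[:\-\s]", "", mac).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def parse_ha_virtual_mac(mac: str):
    """Return (ha_group_id, interface_id) for a PAN-OS HA virtual MAC, else None.
    Assumption (not stated on the page): xx and yy are single bytes read as hex."""
    digits = normalize_mac(mac)
    if not digits.startswith(PAN_HA_PREFIX):
        return None
    return int(digits[8:10], 16), int(digits[10:12], 16)


def ha_virtual_mac(group_id: int, interface_id: int) -> str:
    """Build the virtual MAC for an HA group / interface ID in the page's notation."""
    if not (0 <= group_id <= 255 and 0 <= interface_id <= 255):
        raise ValueError("group and interface IDs must each fit in one byte")
    return f"00-1B-17:00:{group_id:02X}:{interface_id:02X}"


def audit_arp_table(entries, expected_group: int):
    """Classify (ip, mac) pairs: virtual MAC of our HA group, virtual MAC of
    some other group, or an ordinary physical MAC."""
    result = {"virtual": [], "foreign_group": [], "physical": []}
    for ip, mac in entries:
        parsed = parse_ha_virtual_mac(mac)
        if parsed is None:
            result["physical"].append(ip)
        elif parsed[0] == expected_group:
            result["virtual"].append((ip, parsed[1]))
        else:
            result["foreign_group"].append((ip, parsed[0]))
    return result


# Constructed sample of what an upstream router's ARP table might hold.
SAMPLE_ARP = [
    ("10.0.1.1", "00:1b:17:00:01:10"),   # HA group 1, interface ID 0x10 (constructed)
    ("10.0.2.1", "00-1B-17:00:01:11"),   # same group, another interface
    ("10.0.3.1", "00:1b:17:00:02:10"),   # virtual MAC, but a different HA group
    ("10.0.1.50", "3c:fd:fe:12:34:56"),  # ordinary host NIC (constructed)
]

if __name__ == "__main__":
    print(audit_arp_table(SAMPLE_ARP, expected_group=1))
```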
11-02-2012 06:56 AM
Thanks for the info - I will be having someone at the local site swap the crossover cable on the dataplane interface I configured for HA to see if it's the cable.... and if not working I will just use the mgt interface per your config.
Thanks,
- Dave