Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

HA not working with interface monitoring any

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

HA not working with interface monitoring any

L2 Linker

Hello all,

 

i configured HA between paloalto peers , and HA failover as default without definig specifc interfaces and left it to "any"

 

when interface of inside zone shutdown from switch side , failover will not be trigered ? and need to fix it

2 accepted solutions

Accepted Solutions

L6 Presenter

Hi,

 

Did you create a Link Group and assign interfaces there? Looks to me that failover  conditions were not met:

 

Link Group.PNG

 

Linkk.PNG

 

https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/framemaker/70/pan-os/pan-os/sectio...

View solution in original post

Heartbeat Polling and Hello messages:
 
The firewalls use hello message and heartbeats to verify that the peer firewall is responsive and operational. Hello messages are sent from one peer to the other at the configured Hello Interval to verify the state of the firewall. The heartbeat is an ICMP ping to the HA peer over the control link, and the peer responds to the ping to establish that the firewalls are connected and responsive. By default, the interval for the heartbeat is 1000 milliseconds. A ping is sent every 1000 milliseconds and if there are three consecutive heartbeat losses, a failovers occurs. For details on the HA timers that trigger a failover, see HA Timers.
 
 
 
As we can see it is one of the conditions, so it will trigger failover (if you do not have a backup link configured). If both HA Control link and backup links fails failover occurs:
 
CL.PNG
 
But l am not sure what will happen if HA Datalink fails. Let see for others replies 

View solution in original post

6 REPLIES 6

L6 Presenter

Hi,

 

Did you create a Link Group and assign interfaces there? Looks to me that failover  conditions were not met:

 

Link Group.PNG

 

Linkk.PNG

 

https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/framemaker/70/pan-os/pan-os/sectio...

Ok working now , but what is meant by failure condition (ANY)  at link monitoring ?

Ok i undersatnd now ..

 

Any means any "Group" and inside each group there is other ANY which means any interface inside group

 

 

But new question , failure of HA links didn`t trigger failover ??

 

 

Heartbeat Polling and Hello messages:
 
The firewalls use hello message and heartbeats to verify that the peer firewall is responsive and operational. Hello messages are sent from one peer to the other at the configured Hello Interval to verify the state of the firewall. The heartbeat is an ICMP ping to the HA peer over the control link, and the peer responds to the ping to establish that the firewalls are connected and responsive. By default, the interval for the heartbeat is 1000 milliseconds. A ping is sent every 1000 milliseconds and if there are three consecutive heartbeat losses, a failovers occurs. For details on the HA timers that trigger a failover, see HA Timers.
 
 
 
As we can see it is one of the conditions, so it will trigger failover (if you do not have a backup link configured). If both HA Control link and backup links fails failover occurs:
 
CL.PNG
 
But l am not sure what will happen if HA Datalink fails. Let see for others replies 

Thank You

In the virtual deployment I do not have access to any upstream device to trigger the link failure scenario - how do I test if the link monitoring configuration is working or not? Can I turn the Firewall interface into 'shut' mode to trigger the failover?

  • 2 accepted solutions
  • 3760 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!