cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

HA not working with interface monitoring any

Announcements

Changes to the LIVEcommunity experience are coming soon... Here's what you need to know.

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Reply
NetworkGeek
L2 Linker
‎03-11-2017 06:28 AM
‎03-11-2017 06:28 AM

HA not working with interface monitoring any

Hello all,

 

i configured HA between paloalto peers , and HA failover as default without definig specifc interfaces and left it to "any"

 

when interface of inside zone shutdown from switch side , failover will not be trigered ? and need to fix it

0 Likes
Reply

Accepted Solutions
TranceforLife
L6 Presenter
‎03-11-2017 07:18 AM
‎03-11-2017 07:18 AM

Hi,

 

Did you create a Link Group and assign interfaces there? Looks to me that failover  conditions were not met:

 

Link Group.PNG

 

Linkk.PNG

 

https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/framemaker/70/pan-os/pan-os/sectio...

View solution in original post

0 Likes
Reply
TranceforLife
L6 Presenter
‎03-11-2017 10:44 AM
‎03-11-2017 10:44 AM

Heartbeat Polling and Hello messages:
 
The firewalls use hello message and heartbeats to verify that the peer firewall is responsive and operational. Hello messages are sent from one peer to the other at the configured Hello Interval to verify the state of the firewall. The heartbeat is an ICMP ping to the HA peer over the control link, and the peer responds to the ping to establish that the firewalls are connected and responsive. By default, the interval for the heartbeat is 1000 milliseconds. A ping is sent every 1000 milliseconds and if there are three consecutive heartbeat losses, a failovers occurs. For details on the HA timers that trigger a failover, see HA Timers.
 
 
 
As we can see it is one of the conditions, so it will trigger failover (if you do not have a backup link configured). If both HA Control link and backup links fails failover occurs:
 
CL.PNG
 
But l am not sure what will happen if HA Datalink fails. Let see for others replies 

View solution in original post

0 Likes
Reply

All Replies
TranceforLife
L6 Presenter
‎03-11-2017 07:18 AM
‎03-11-2017 07:18 AM

Hi,

 

Did you create a Link Group and assign interfaces there? Looks to me that failover  conditions were not met:

 

Link Group.PNG

 

Linkk.PNG

 

https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/framemaker/70/pan-os/pan-os/sectio...

View solution in original post

0 Likes
Reply
NetworkGeek
L2 Linker
‎03-11-2017 09:00 AM
‎03-11-2017 09:00 AM

Ok working now , but what is meant by failure condition (ANY)  at link monitoring ?

0 Likes
Reply
NetworkGeek
L2 Linker
‎03-11-2017 09:30 AM
‎03-11-2017 09:30 AM

Ok i undersatnd now ..

 

Any means any "Group" and inside each group there is other ANY which means any interface inside group

 

 

But new question , failure of HA links didn`t trigger failover ??

 

 

0 Likes
Reply
TranceforLife
L6 Presenter
‎03-11-2017 10:44 AM
‎03-11-2017 10:44 AM

Heartbeat Polling and Hello messages:
 
The firewalls use hello message and heartbeats to verify that the peer firewall is responsive and operational. Hello messages are sent from one peer to the other at the configured Hello Interval to verify the state of the firewall. The heartbeat is an ICMP ping to the HA peer over the control link, and the peer responds to the ping to establish that the firewalls are connected and responsive. By default, the interval for the heartbeat is 1000 milliseconds. A ping is sent every 1000 milliseconds and if there are three consecutive heartbeat losses, a failovers occurs. For details on the HA timers that trigger a failover, see HA Timers.
 
 
 
As we can see it is one of the conditions, so it will trigger failover (if you do not have a backup link configured). If both HA Control link and backup links fails failover occurs:
 
CL.PNG
 
But l am not sure what will happen if HA Datalink fails. Let see for others replies 

View solution in original post

0 Likes
Reply
NetworkGeek
L2 Linker
‎03-11-2017 09:47 PM
‎03-11-2017 09:47 PM

Thank You

0 Likes
Reply
Mehul_Pathak
L0 Member
‎10-09-2020 06:31 PM
‎10-09-2020 06:31 PM

In the virtual deployment I do not have access to any upstream device to trigger the link failure scenario - how do I test if the link monitoring configuration is working or not? Can I turn the Firewall interface into 'shut' mode to trigger the failover?

0 Likes
Reply
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

Latest Blogs
Latest Posts
Privacy Policy Terms of Use
Copyright 2007 - 2021 - Palo Alto Networks