cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

HA not working with interface monitoring any

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

HA not working with interface monitoring any

Go to solution
NetworkGeek
L2 Linker

‎03-11-2017 06:28 AM

Hello all,

 

i configured HA between paloalto peers , and HA failover as default without definig specifc interfaces and left it to "any"

 

when interface of inside zone shutdown from switch side , failover will not be trigered ? and need to fix it

0 Likes Likes
2 ACCEPTED SOLUTIONS

Accepted Solutions

Go to solution
TranceforLife
L6 Presenter

‎03-11-2017 07:18 AM - edited ‎03-11-2017 07:47 AM

Hi,

 

Did you create a Link Group and assign interfaces there? Looks to me that failover  conditions were not met:

 

Link Group.PNG

 

Linkk.PNG

 

https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/framemaker/70/pan-os/pan-os/sectio...

View solution in original post

0 Likes Likes

Go to solution
TranceforLife
L6 Presenter
In response to NetworkGeek

‎03-11-2017 10:44 AM

Heartbeat Polling and Hello messages:
 
The firewalls use hello message and heartbeats to verify that the peer firewall is responsive and operational. Hello messages are sent from one peer to the other at the configured Hello Interval to verify the state of the firewall. The heartbeat is an ICMP ping to the HA peer over the control link, and the peer responds to the ping to establish that the firewalls are connected and responsive. By default, the interval for the heartbeat is 1000 milliseconds. A ping is sent every 1000 milliseconds and if there are three consecutive heartbeat losses, a failovers occurs. For details on the HA timers that trigger a failover, see HA Timers.
 
 
 
As we can see it is one of the conditions, so it will trigger failover (if you do not have a backup link configured). If both HA Control link and backup links fails failover occurs:
 
CL.PNG
 
But l am not sure what will happen if HA Datalink fails. Let see for others replies 

View solution in original post

0 Likes Likes
6 REPLIES 6

Go to solution
TranceforLife
L6 Presenter

‎03-11-2017 07:18 AM - edited ‎03-11-2017 07:47 AM

Hi,

 

Did you create a Link Group and assign interfaces there? Looks to me that failover  conditions were not met:

 

Link Group.PNG

 

Linkk.PNG

 

https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/framemaker/70/pan-os/pan-os/sectio...

0 Likes Likes

Go to solution
NetworkGeek
L2 Linker
In response to TranceforLife

‎03-11-2017 09:00 AM - edited ‎03-11-2017 09:01 AM

Ok working now , but what is meant by failure condition (ANY)  at link monitoring ?

0 Likes Likes

Go to solution
NetworkGeek
L2 Linker
In response to NetworkGeek

‎03-11-2017 09:30 AM

Ok i undersatnd now ..

 

Any means any "Group" and inside each group there is other ANY which means any interface inside group

 

 

But new question , failure of HA links didn`t trigger failover ??

 

 

0 Likes Likes

Go to solution
TranceforLife
L6 Presenter
In response to NetworkGeek

‎03-11-2017 10:44 AM

Heartbeat Polling and Hello messages:
 
The firewalls use hello message and heartbeats to verify that the peer firewall is responsive and operational. Hello messages are sent from one peer to the other at the configured Hello Interval to verify the state of the firewall. The heartbeat is an ICMP ping to the HA peer over the control link, and the peer responds to the ping to establish that the firewalls are connected and responsive. By default, the interval for the heartbeat is 1000 milliseconds. A ping is sent every 1000 milliseconds and if there are three consecutive heartbeat losses, a failovers occurs. For details on the HA timers that trigger a failover, see HA Timers.
 
 
 
As we can see it is one of the conditions, so it will trigger failover (if you do not have a backup link configured). If both HA Control link and backup links fails failover occurs:
 
CL.PNG
 
But l am not sure what will happen if HA Datalink fails. Let see for others replies 
0 Likes Likes

Go to solution
NetworkGeek
L2 Linker
In response to TranceforLife

‎03-11-2017 09:47 PM

Thank You

0 Likes Likes

Go to solution
Mehul_Pathak
L0 Member
In response to NetworkGeek

‎10-09-2020 06:31 PM

In the virtual deployment I do not have access to any upstream device to trigger the link failure scenario - how do I test if the link monitoring configuration is working or not? Can I turn the Firewall interface into 'shut' mode to trigger the failover?

0 Likes Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Copyright 2007 - 2022 - Palo Alto Networks