This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

HA pair issue PA-500

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

HA pair issue PA-500

Go to solution
TranceforLife
L6 Presenter

‎11-02-2016 02:30 PM - edited ‎11-04-2016 02:31 AM

Hi Guys,

 

Interesting one. Devices are in HA pair of the PA-500. Suddenly we are no longer able to access the active device through the

 

GUl, but able to ping mgmt interface and SSH to it. When SSHing getting the screen below:

 

ssh error.PNG

 

A firewall in not producing any command output and doesn't see itself as in HA pair, no (active).

 

The passive device still accessible and seeing this box as active:

 

error.PNG

 

The clients currently connected to the box are not experiencing any system outage, so my guess active is working fine. 

 

Another CLI output from the passive box (uptime is quite cool 713 days):

 

state.PNG

 

Anyone who had this before or any ideas? Thinking about to give a reboot to the box but not sure if the interfaces are in the correct state on the passive box. Why are they all down apart on the HA links?:

 

int-state.PNG

 

 

Thx,

Myky

0 Likes Likes
1 accepted solution

Accepted Solutions

Go to solution
kiwi
Community Team Member
In response to TranceforLife

‎11-04-2016 03:48 AM

Hi @TranceforLife,

 

auto — Causes the link status to reflect physical connectivity, but discards all packets received. This option allows the link state of the interface to stay up until a failover occurs, decreasing the amount of time it takes for the passive device to take over.
This option is supported in Layer 2, Layer 3, and Virtual Wire mode. The auto option is desirable, if it is feasible for your network.

shutdown — Forces the interface link to the down state. This is the default option, which ensures that loops are not created in the network.

 

The CLI command you mention doesn't work because it relies on the management server process to be executed.  

 

Yes, if you still have SSH access to the device, then support can root into your device.  Once rooted into the device they can restart the management server as root.

 

Cheers,

-Kim.

 

LIVEcommunity team member, CISSP
Cheers,
Kiwi
Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.

View solution in original post

4 REPLIES 4

Go to solution
kiwi
Community Team Member

‎11-04-2016 03:03 AM

Hi,

 

Passive link state is probably configured as 'shutdown'.  This forces the interface link to the down state on your passive device :

 

Passive Link StatePassive Link State 

 

Looks like the management server might have an issue ... as long as your DP has no issues then traffic might pass the device normally.

 

Restarting the mgmt-server usually fixes this issue but obviously you cannot do this currently in the operational mode.  You can of course reboot the device, alternatively you could reach out to support who could root your device and restart the mgmt-server process as root to try and fix it.

 

Cheers,

-Kim.

LIVEcommunity team member, CISSP
Cheers,
Kiwi
Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.

Go to solution
TranceforLife
L6 Presenter
In response to kiwi

‎11-04-2016 03:30 AM

Hi Wiki,

 

Thanks for your feed back. Didn't know about passive link states.  But what is the purpose/difference of having "auto" or "shutdown" configured? 

 

https://live.paloaltonetworks.com/t5/Management-Articles/What-is-the-Difference-Between-Auto-and-Shu...

 

That's an issue. I did try to use command:

> debug software restart management-server but nothing is working at the moment.

Do you think support still will be able to access box as root? 

 

Thx,

Myky

0 Likes Likes

Go to solution
kiwi
Community Team Member
In response to TranceforLife

‎11-04-2016 03:48 AM

Hi @TranceforLife,

 

auto — Causes the link status to reflect physical connectivity, but discards all packets received. This option allows the link state of the interface to stay up until a failover occurs, decreasing the amount of time it takes for the passive device to take over.
This option is supported in Layer 2, Layer 3, and Virtual Wire mode. The auto option is desirable, if it is feasible for your network.

shutdown — Forces the interface link to the down state. This is the default option, which ensures that loops are not created in the network.

 

The CLI command you mention doesn't work because it relies on the management server process to be executed.  

 

Yes, if you still have SSH access to the device, then support can root into your device.  Once rooted into the device they can restart the management server as root.

 

Cheers,

-Kim.

 

LIVEcommunity team member, CISSP
Cheers,
Kiwi
Please help out other users and “Accept as Solution” if a post helps solve your problem !

Read more about how and why to accept solutions.

Go to solution
TranceforLife
L6 Presenter
In response to kiwi

‎11-04-2016 04:15 AM

Much appreciated

0 Likes Likes
  • 1 accepted solution
  • 2132 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks