This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

HA problem Pa 410, Pa 3250

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

HA problem Pa 410, Pa 3250

krzysztof.kubiak
L1 Bithead

‎05-18-2023 10:23 PM

Hi all.

 

I created an HA group from device PA410 (the same problem on PA3250) mode active-standby , when i switch active device to passive, the passive device becomes active and i have a problem. there is no access to the firewall for about a minute

 

the following occurs for Pan OS 10.1.8 

PAN OS 10.1.8.PNG

 

I did update pan os to version 10.1.9 h3 

I see a slight improvement but still the unavailability time 

 

PAN OS 10.1.9 h3.PNG

the configuration of the HA group has not changed, as far as I remember on PAN OS 9.1.x I did not have this problem and now it occurs for devices of the 3250 and 410, 440 series

 

 

0 Likes Likes
6 REPLIES 6

Raido_Rattameister
Cyber Elite
Cyber Elite

‎05-19-2023 05:56 AM

Sounds like underlying network issue where spanning tree takes time to enable ports.

It is possible switch passive firewall ports from shut down to active all the time but before this can be suggested we need to know more about your environment.

Current HA "Passive Link State" configuration.

Any AE interfaces connecting to switch?

If yes then do you have LACP and do you have port channel in switch by firewall or are all ports to both firewalls in single port channel (bad).

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

krzysztof.kubiak
L1 Bithead

‎05-19-2023 07:56 AM

Bellow my branch diagram, The connection between Palo and the switch is one access link

 

configuration ha Pasive link state :auto

 

network fiagram.png

 

When I change to make activ devices standby and standby activ device i lost conection from lan to internet.

 

All port on switch going down and up :

May 19 16:29:30 CEST: %LINK-3-UPDOWN: Interface GigabitEthernet0/8, changed state to down
May 19 16:29:33 CEST: %LINK-3-UPDOWN: Interface GigabitEthernet0/8, changed state to up

May 19 16:29:37 CEST: %LINK-3-UPDOWN: Interface GigabitEthernet0/10, changed state to down
May 19 16:29:41 CEST: %LINK-3-UPDOWN: Interface GigabitEthernet0/10, changed state to up

 

i'm try use on switch port configuration spanning-tree portfast But this does not bring improvement

 

0 Likes Likes

Raido_Rattameister
Cyber Elite
Cyber Elite

‎05-19-2023 08:36 AM

As next step I suggest to configure packet capture on passive firewall by configuring interface that connects to Cisco switch and include non-ip traffic.

Check how long it takes for traffic to start flowing in after firewall becomes active.

 

Raido_Rattameister_0-1684510322555.png

 

 

Just a random suggestion that is not related to your issue.

HA1 is related to mgmt plane.

HA2 is related to dataplane.

 

I would flip those ports around.

HA1 is used to replicate config and send heart beats.

Dedicated mgmt port is connected to mgmt plane but eth1/6 is connected to dataplane so this is not optimal setup.

Raido_Rattameister_1-1684510404988.png

 

 

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011
0 Likes Likes

TomYoung
Cyber Elite
Cyber Elite

‎05-19-2023 09:11 AM

Hi @krzysztof.kubiak ,

 

I have PA-450s on 10.1.9-h3, and I do not have this problem.  Failover is immediate.  For this issue, you need to look at the switches.

 

  1. Are the ports connected to the passive NGFW up on both switches?
  2. What STP state are they in?
  3. Perform a failover and watch the ports transition.  Also check how fast the MAC addresses switch to the new ports.
  4. Does your HA widget in the Dashboard show all HA links are green?

A minute outage sounds like an STP convergence issue.

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.
0 Likes Likes

krzysztof.kubiak
L1 Bithead

‎05-19-2023 11:19 AM

--- Are the ports connected to the passive NGFW up on both switches?
Yes all ports up

----What STP state are they in?
default i'm not configure enable only spanning-tree mode rapid-pvst

Perform a failover and watch the ports transition.  Also check how fast the MAC addresses switch to the new ports.
--- I can check how I will be directly connected to the switch, the firewalls are in a remote location

Does your HA widget in the Dashboard show all HA links are green?
--- all links are green

0 Likes Likes

TomYoung
Cyber Elite
Cyber Elite

‎05-19-2023 11:24 AM

Hi @krzysztof.kubiak ,

 

RSTP ports still can be in a blocking state.

 

You may need to have someone on site to troubleshoot.  It is most likely a L2 problem.

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.
0 Likes Likes
  • 1294 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks