05-18-2023 10:23 PM
Hi all.
I created an HA group from PA-410 devices (the same problem occurs on a PA-3250) in active-standby mode. When I switch the active device to passive, the passive device becomes active and I have a problem: there is no access to the firewall for about a minute.
This occurs on PAN-OS 10.1.8.
I updated PAN-OS to version 10.1.9-h3.
I see a slight improvement, but the unavailability time is still there.
The configuration of the HA group has not changed. As far as I remember, on PAN-OS 9.1.x I did not have this problem, and now it occurs on devices of the PA-3250, PA-410 and PA-440 series.
05-19-2023 05:56 AM
Sounds like an underlying network issue where spanning tree takes time to enable ports.
It is possible to keep the passive firewall ports up all the time instead of shut down, but before this can be suggested we need to know more about your environment.
Current HA "Passive Link State" configuration.
Any AE interfaces connecting to switch?
If yes, then do you have LACP, and do you have a port channel on the switch per firewall, or are all ports to both firewalls in a single port channel (bad)?
05-19-2023 07:56 AM
Below is my branch diagram. The connection between the Palo Alto and the switch is one access link.
HA configuration, Passive Link State: auto
When I switch the active device to standby and the standby device to active, I lose the connection from the LAN to the internet.
All ports on the switch go down and up:
May 19 16:29:30 CEST: %LINK-3-UPDOWN: Interface GigabitEthernet0/8, changed state to down
May 19 16:29:33 CEST: %LINK-3-UPDOWN: Interface GigabitEthernet0/8, changed state to up
May 19 16:29:37 CEST: %LINK-3-UPDOWN: Interface GigabitEthernet0/10, changed state to down
May 19 16:29:41 CEST: %LINK-3-UPDOWN: Interface GigabitEthernet0/10, changed state to up
I tried using spanning-tree portfast in the switch port configuration, but this does not bring any improvement.
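To put numbers on the switch log quoted in this post, here is an added example (not from the original thread or from Palo Alto Networks) that parses Cisco %LINK-3-UPDOWN lines, computes how long each port was physically down and the overall flap window, and lists ports that never came back. The sample input is a constructed copy of the four lines above; the year is assumed because IOS timestamps carry none.

```python
import re
from datetime import datetime

# Constructed sample input: the four %LINK-3-UPDOWN lines quoted in the post above.
SAMPLE_LOG = """\
May 19 16:29:30 CEST: %LINK-3-UPDOWN: Interface GigabitEthernet0/8, changed state to down
May 19 16:29:33 CEST: %LINK-3-UPDOWN: Interface GigabitEthernet0/8, changed state to up
May 19 16:29:37 CEST: %LINK-3-UPDOWN: Interface GigabitEthernet0/10, changed state to down
May 19 16:29:41 CEST: %LINK-3-UPDOWN: Interface GigabitEthernet0/10, changed state to up
"""

# Cisco IOS syslog timestamps carry no year, so the caller supplies one (assumed 2023 here).
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d{2}:\d{2}:\d{2}) \S+: "
    r"%LINK-3-UPDOWN: Interface (?P<iface>\S+), changed state to (?P<state>up|down)$"
)


def parse_link_events(text, year=2023):
    """Return a time-sorted list of (timestamp, interface, 'up'|'down');
    lines that are not %LINK-3-UPDOWN messages are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["iface"], m["state"]))
    return sorted(events)


def summarize_flaps(events):
    """Seconds each interface spent link-down, the overall window from the first
    'down' to the last 'up', and interfaces still down at the end of the log.
    If the window is far shorter than the outage users observe, the remaining time
    is spent above the link layer (STP port states, MAC table relearning), not in
    the physical flap itself."""
    down_since, per_iface = {}, {}
    for ts, iface, state in events:
        if state == "down":
            down_since[iface] = ts
        elif iface in down_since:
            per_iface[iface] = per_iface.get(iface, 0.0) + (ts - down_since.pop(iface)).total_seconds()
    window = (events[-1][0] - events[0][0]).total_seconds() if events else 0.0
    return {"per_interface_down_s": per_iface, "window_s": window,
            "still_down": sorted(down_since)}


if __name__ == "__main__":
    print(summarize_flaps(parse_link_events(SAMPLE_LOG)))
```

For the quoted log the ports are down for only 3 s and 4 s inside an 11 s window, so a minute-long outage has to be explained by what happens after link-up, which is what the STP and MAC-table checks in the later replies target.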
05-19-2023 08:36 AM
As a next step I suggest configuring a packet capture on the passive firewall, on the interface that connects to the Cisco switch, and including non-IP traffic.
Check how long it takes for traffic to start flowing in after firewall becomes active.
Just a random suggestion that is not related to your issue.
HA1 is related to mgmt plane.
HA2 is related to dataplane.
I would flip those ports around.
HA1 is used to replicate config and send heart beats.
The dedicated mgmt port is connected to the mgmt plane, but eth1/6 is connected to the dataplane, so this is not an optimal setup.
05-19-2023 09:11 AM
Hi @krzysztof.kubiak ,
I have PA-450s on 10.1.9-h3, and I do not have this problem. Failover is immediate. For this issue, you need to look at the switches.
A minute outage sounds like an STP convergence issue.
Thanks,
Tom
05-19-2023 11:19 AM
--- Are the ports connected to the passive NGFW up on both switches?
Yes, all ports are up.
----What STP state are they in?
Default; I have not configured anything, only spanning-tree mode rapid-pvst.
Perform a failover and watch the ports transition. Also check how fast the MAC addresses switch to the new ports.
--- I can check once I am directly connected to the switch; the firewalls are in a remote location.
Does your HA widget in the Dashboard show all HA links are green?
--- All links are green.
05-19-2023 11:24 AM
Hi @krzysztof.kubiak ,
RSTP ports still can be in a blocking state.
You may need to have someone on site to troubleshoot. It is most likely a L2 problem.
Thanks,
Tom