This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

HA session sync too slow?

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

HA session sync too slow?

dmgeurts
L1 Bithead

‎05-12-2025 06:46 AM - edited ‎05-12-2025 06:48 AM

I've recently migrated to a pair of active/active HA firewalls and am seeing some DNS return traffic dropped. Checking the logs, I can see that traffic is returned via another firewall as the DNS request was received. No problem, as normally the HA session sync is fast enough for the other firewall to have the session.

However, the DNS servers reply so quickly that the session state hasn't synced yet and the return traffic is dropped. Has anyone seen this, and any suggestions other than delaying DNS replies on the servers?

 

Forgot to mention that the pair of firewalls are PA-3410 with direct HCSI link in adjacent racks. So, latency should be as small as it gets.

0 Likes Likes
3 REPLIES 3

Brandon_Wertz
L6 Presenter

‎05-13-2025 06:34 AM

@dmgeurts wrote:

I've recently migrated to a pair of active/active HA firewalls and am seeing some DNS return traffic dropped. Checking the logs, I can see that traffic is returned via another firewall as the DNS request was received. No problem, as normally the HA session sync is fast enough for the other firewall to have the session.

However, the DNS servers reply so quickly that the session state hasn't synced yet and the return traffic is dropped. Has anyone seen this, and any suggestions other than delaying DNS replies on the servers?

 

Forgot to mention that the pair of firewalls are PA-3410 with direct HCSI link in adjacent racks. So, latency should be as small as it gets.

That really doesn't make much sense.  2 networked (routed) endpoints shouldn't be talking faster than firewalls directly connected to each other.  I've never ran a A/A deployment so unfortunately I don't have much insight to share.  I'm assuming you have the HA1, HA2, and HA3 interfaces defined?  The HA3 link as I understand it is required for an A/A deployment.  

 

Are your management and data CPUs all running at normal percentages? 

0 Likes Likes

dmgeurts
L1 Bithead

‎05-13-2025 07:03 AM

Yes, all HA1/2/3 and their backups are connected. CPU on data and management planes is low. The DNS server caches entries and it's a very small percentage of traffic affected.

Agree with you completely. I did not expect this, so apart from CPU load anything I should be checking?

PanOS version is 11.1.6h something (off the top of my head)

0 Likes Likes

Brandon_Wertz
L6 Presenter
In response to dmgeurts

‎05-13-2025 08:08 AM

Unfortunately I don't have any other ideas, other than opening a support case getting TAC to take a look.

0 Likes Likes
  • 525 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2025 - Palo Alto Networks