HA sync time

L4 Transporter

HA sync time

I have 400 rules and it takes my PA 5050 HA pair 4 minutes to sync. That seems long to me. Does anyone else know their sync times, or what a reasonable time should be?

Cyber Elite

Re: HA sync time

@jdprovine,

On one of my PA-5020 pairs I regularly saw 3-5 minute sync times with 600+ policies applied to that pair; however, I also had a large number of validation errors due to how the policies were built out. I wouldn't consider what you are seeing an unreasonable time period.

If you don't have any validation errors, or a very small number, then I would say that's maybe slightly longer than I would expect; however, this would really depend on your configuration and how much processing the firewall needs to do in the validation stage, which from my experience is the longest part of the sync/commit process.

L4 Transporter

Re: HA sync time

@BPry

So where do I check to see if I have validation errors? In the past, before I upgraded to 7.1.19, the sync also would fail at times, so they recommended I upgrade from 7.1.16, which appears to have had an HA sync issue. But now that I have upgraded, I want to verify that the issue I had has been resolved.

Cyber Elite

Re: HA sync time

@jdprovine,

So validation happens in two different places. 

1) Validate

  • You can choose to validate the configuration at any time in the GUI, CLI, or API. Once the validate has finished it'll display a group of warnings if anything in the validation process triggered. 

2) Commit

  • Whenever a commit is run, the firewall will first validate the candidate-config.xml to verify that it's a valid configuration.

Whenever the validation process runs into issues, I've generally noticed that it takes a slightly longer time for everything to actually complete, and therefore when HA members sync the configuration this process can take slightly longer as well. 

L4 Transporter

Re: HA sync time

@BPry

Not running into any commit issues, just the sync after the commit finishes. So if there are issues with the commit, why would it let the commit finish? I know it gives me some suggestions at the end of the commit sometimes when things are not 100% done the best way. Could it be the physical connection affecting the sync, and is there a good way to test that and rule it out? TAC has no more suggestions for me other than that the upgrade I did was supposed to fix it, and to create a bunch of fake rules and see if I can get it to fail to sync.

Cyber Elite

Re: HA sync time

@jdprovine,

The only time the firewall won't let you commit the configuration would be if one of the changes invalidated the configuration, meaning that the firewall is simply incapable of functioning with the proposed changes. You can make some really funky changes and it'll only give you validation warnings, but since the configuration is still technically valid it would commit those changes.

It's possible that you could be running into retransmission errors on the physical connection. The only real way to test this, however, would be to use the same link and monitor for drops/retransmissions and such; depending on the setup you may be able to do this without having to disconnect the HA members.

Really though, a 4 minute sync time on a 5000 series really doesn't seem that out of the norm to me. How long does it take your primary unit to actually complete the commit process?

L4 Transporter

Re: HA sync time

@BPry

The commit took about 45 seconds when I had the 4-minute sync time.

Cyber Elite

Re: HA sync time

@jdprovine,

That seems a little odd. Are the two units directly connected or going through some type of switch? 

L4 Transporter

Re: HA sync time

@BPry

They go through a switch and live in different buildings. I have tossed around the idea of connecting them via a fiber connection. I put in a ticket to make sure the issue wasn't anything else, and TAC suggested there was a bug in 7.1.16 that would cause this issue, so I upgraded to 7.1.19 thinking maybe it would resolve the issues. Sometimes the HA syncs, but not a lot, but the more commits you do in a row without waiting until the sync finishes, the longer it takes, and then it fails.
