HA1 Backup link went down root cause analysis

Venkatesan_radhakrishnan · ‎02-03-2019

HI Team,

I have issue in Palo alto firewall 3260 where HA1 backup link went down. Eventhough there is no production impact i'm seeing this issue happened without any cable change or any activity.

This is due to ping failure for heart beat , But I want to know what caused this ping failure issue.

I have already running PANOS 8.1.4-h2 which says release notes that HA1 Backup port issue unexpected behaviour was fixed.

Below is error message

Error Msg
---------
flags : 0x2 (close:)
err code : Heartbeat ping failure (16)
num tlvs : 1
Printing out 1 tlvs
TLV[1]: type 5 (ERR_STRING); len 23; value:
48656172 74626561 74207069 6e672066 61696c75 726500

Regards

Venky

Venkatesan_radhakrishnan · ‎02-04-2019

@reaper @BPry,

Can you guys look into below error and let me know root cause.

reaper · ‎02-04-2019

hi @Venkatesan_radhakrishnan

How is the HA1-backup connected (over a switch, directly,..? dedicated interface, mgmt, ...?), how were the link speed and duplex set on all connecting nodes, what type of cable was used, have you tried using a different cable/port,...?

the ha1-b issue solved in 8.1.4-h2 is a permanently down link, not one where there are ping timeouts, you are most likely experiencing something different

Tom Piens
Like my answer? check out my book! https://bit.ly/MasteringPAN

Venkatesan_radhakrishnan · ‎02-04-2019

Ya I'm experiencing something different, It is directly connected through cables via HA1 B port on both sides.

Link went down then I have clicked the HA1 Backup port settings selected the same interface it came up and no flap or down till date.

Firewall is already running 8.1.4-h2 version.

Venkatesan_radhakrishnan · ‎02-04-2019

@reaper I haven't tried using different cable it staright through. Once I select the same interface which was already in use and commit the configuration it started to work again.

I'm not seeing any abnormalities in the firewall related to that HA port.

Can I able to change the link state and speed for dedicated HA ports? If so how ?

Venkatesan_radhakrishnan · ‎02-04-2019

Hi Guys,

Can anyone reply on this issue

Venkatesan_radhakrishnan · ‎02-04-2019

Spoiler

Hi Guys,

Can anyone reply on this issue

reaper · ‎02-05-2019

you cant change the settings of the dedicated ports

if theyreconnected directly, all is left is to try replacing the cable I think. If that fails too, you'll need to reach out to support to help investigate this issue

Tom Piens
Like my answer? check out my book! https://bit.ly/MasteringPAN

Venkatesan_radhakrishnan · ‎02-05-2019

I think it is not cable issue, because last event occured on Jan 29 and it is stable till date.

I'm not seeing any issue after that event. But Customer is affraid it may come in future.

reaper · ‎02-05-2019

Did you collect a TechSupportFile at the time of the event ?

you could still have that reviewed by support to make sure

if not, you'll have to wait it out and collect one as soon as something does happen and then get in touch with support asap

Tom Piens
Like my answer? check out my book! https://bit.ly/MasteringPAN

Network Security

Cloud Security

Security Operations

HA1 Backup link went down root cause analysis

HA1 Backup link went down root cause analysis

Show your appreciation!