HA1 Backup link went down root cause analysis

cancel
Showing results for 
Search instead for 
Did you mean: 

HA1 Backup link went down root cause analysis

HI Team,

 

I have issue in Palo alto firewall 3260 where HA1 backup link went down. Eventhough there is no production impact i'm seeing this issue happened without any cable change or any activity.

 

This is due to ping failure for heart beat , But I want to know what caused this ping failure issue.

 

I have already running PANOS 8.1.4-h2 which says release notes that HA1 Backup port issue unexpected behaviour was fixed.

 

Below is error message

 

Error Msg
---------
flags    : 0x2 (close:)
err code : Heartbeat ping failure (16)
num tlvs : 1
  Printing out 1 tlvs
  TLV[1]: type 5 (ERR_STRING); len 23; value:
    48656172 74626561 74207069 6e672066 61696c75 726500

 

Regards

Venky

 

28 REPLIES 28

HI @reaperPANgurus,

 

Yes , You are correct commit has been done @ 11:53AM on 29th but this related to address object configuration mapping to address group and then calling in source addres of policy.

 

i'm more curious how this affect HA port configured somewhere in my firewall. 

 

Regards

Venky 

HI @reaperPANgurus

 

Awaiting for your reply.

HI @reaperPANgurus

 

I have seen one more interesting thing, The HA-B port was dropping packets. which happened in primary firewall.

 

So my issue is in active firewall which dropped the packets so HA1-B went down.  SInce I have the tech support file generated after clearing the issue. I'm not able to see the memory during time of issue. 

 

Interface: ha1-b

-------------------------------------------------------------------------------
Logical interface counters:
-------------------------------------------------------------------------------
bytes received 207647488
bytes transmitted 214917298
packets received 4254056
packets transmitted 4261401
receive errors 0
transmit errors 0
receive packets dropped 10769
transmit packets dropped 0
multicast packets received 0
-----------------------------------------

 

 

Don't focus too much on these numbers until you can directly correlate them to the actual event. some packets may get dropped naturally, or they could have been from a previous issue (possibly during initial config)

 

since the connection was impacted during the commit you'll need to look at both techsupport files side by side starting secondas before the commit starts, see if there are unusual; spikes in MP or DP cpu, those drop counters should be correlated for their delta during the commit (does the number increase gradually over time, or does it spike during the commit)

 

the content of the commit may not necessarily be related to the interface itself, it's possible something during the commit chokes the interfaces for some reason

 

do you have as support case open already? If not,m this may be a good time to do so

Tom Piens
PANgurus

HI @reaperPANgurus

 

I have case opened with TAC and they are researching on root casuse. I will keep you posted once I get update.

 

Thank you so much for all your analysis for betterment in investigation.

 

Regards

Venky

L3 Networker

Any updates on this case? I've got the same issue on PA-3220 with PAN-OS 8.1.8.

I see the symptom precisely like you that 'receive packets dropped' increased on Active firewall. I'm going to open a case with TAC.

 

 

--
"The Simplicity is the ultimate sophistication." - Leonardo da Vinci.

Hi

this is a known bug gonna fixed in 8.1.9 or 9.0 version . You can wait for 8.1.9 or can upgrade to 9.0

Thanks for your reply!

Do you have the bug/issue ID? Or is this non-public one?

 

--
"The Simplicity is the ultimate sophistication." - Leonardo da Vinci.

L3 Networker

FYI - 

Here is a workaround for someone who wants to bring up the HA1 Backup before upgrading the PAN-OS.

 

Step 1. Change the Port type from ha1-b to management on Active firewall and Commit (Device -> High Availability -> General > Control link (HA1 Backup)
Step 2. Revert back to the previous configuration with the Port type: ha1-b, along with the IP address and Commit.

 

This workaround should bring up the HA1 Backup.

Hope this helps!

 

--
"The Simplicity is the ultimate sophistication." - Leonardo da Vinci.
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!