
HA1 down, suggestions welcome!

L1 Bithead

Hello everyone, I am a newbie with the PA-850.

 

We placed them in two different geo locations (e.g. DC1 and DC2), running A/A, with Cisco Nexus as the core.

We have separated all of
HA1 / mgmt / HA2 / HA2 backup
into DIFFERENT subnets and broadcast domains, and we are using mgmt as the HA1 backup.

HA3 is configured as a FLAT VLAN across both sites, with no choice.

 

The problem is we found HA1 is down. We tried:

ASSUMED my SUBNET for the HA1 configuration is the issue ---- I do have a good ping from the DC1 and DC2 gateway IPs

ASSUMED my SUBNET for the HA1 configuration is the issue ---- shared the same subnet we created for HA2 - DID NOT WORK
ASSUMED my HA1 interface went wrong --- we tested that we can ping from the GATEWAY IP address, but are able to ping from some other interfaces on the same router and not others

ASSUMED the HA1 and HA1 peer configuration -- I have already swapped mgmt as the HA peer and the dedicated HA1 as the BACKUP peer - DID NOT WORK
ASSUMED my current set of Palo Altos went wrong --- I opened another pair of PA-820s, configured them and found the same problem - DID NOT WORK

ASSUMED HA1 is sending some very special Ethernet packets that the WAN link does not like ---- I have set up both HA1 in the SAME SUBNET (same broadcast domain) between both sites --- IT WORKS, but this is not ideal, since we do not want to have many FLAT VLANs across the 2 locations

ASSUMED HA1 cannot run over a layer 3 domain --- HOWEVER, the same H/W and S/W topology is deployed in another office, and the only difference is that the core is Catalyst rather than Nexus (of course the WAN link providers are different)

Also, our WAN link providers claim they are using DWDM with no MAC blocking in between.

 

We have had a ticket open with Palo Alto for 2 months but no actual test has been done.

 

Can any expert in this room help enlighten me on what I can do next?

HELLO WORLD
Accepted Solution

L1 Bithead

Hello guys,

I will mark this one as the solution, although this is not a perfect and official answer from Palo Alto...

 

I tried to make use of one of the FREE COPPER DATA PLANE ports as HA, and set up HA1 on that (instead of using the dedicated HA1),

reusing all of the SAME CABLE / NETWORK PORT / VLAN / SUBNET / ROUTING INSTANCE,

and HA1 magically came UP.

I cannot conclude this is s/w (since I have another pair with the same S/W 10.0.6 and the same model PA-850) running layer 3 over the dedicated HA1 with no issue.

 

The only thing I can blame may be an on-board H/W bug vs the network card driver? Looking forward to Palo Alto addressing this issue in an upcoming software version.

HELLO WORLD


8 REPLIES

Cyber Elite

So, I may not be much help, because we would not recommend separating the 2 FWs into 2 DCs. I understand why you did it, but it is the interconnecting devices and NOT the firewall that is the issue. You confirmed it when you put both HA1 into the same network (this is exactly how it is supposed to be configured: 2 IPs with a /30 mask, no default gateway).

Respectfully, there isn't a configuration on the FW that will change the way these 2 FWs need to talk. You may need to consider your design again.

Help the community: Like helpful comments and mark solutions

Cyber Elite

@vitol-pkf,

As @S.Cantwell mentioned, you aren't really running a recommended configuration. PAN doesn't recommend that you run HA interfaces through routed connections, and if you're set on locating these in different DCs I'd really recommend you simply set up dedicated VLANs and pass it through directly instead of attempting to route the connection. There are too many variables in attempting to route these connections for us, or TAC, to really be much help with this.

Thanks Steve,

"Not recommended" and "does not work" are 2 different levels of consideration; in the real world there is a factor called budget 🙂. Can you show me anything in black and white that says HA1 cannot be routed? If we need to have layer 2 across the 2 sites, that's 12 switches that need an additional VLAN created.

HELLO WORLD

I think the problem is we do not want to set up layer 2 everywhere; as networkers, we do not want a huge broadcast domain if we can avoid it.

So I just want to know if this CAN or CANNOT work.

I see that it CANNOT - so is that CANNOT work as planned, or just a bug no one is aware of?

HELLO WORLD

@vitol-pkf I am on your side. Yes... the product WILL work across a routed network, however it is not recommended. 😛

 

We in the community are providing multiple years' worth of combined experience and guidance; collectively, there is a large amount of knowledge on the PANW FW.

 

The issue does not appear to originate from the PANW FWs, but from the interconnection or networking that is creating the issue.

As I mentioned, when all traffic was in the same network, it worked fine, so our packets were transmitted/received appropriately.

When there are other devices inline, then the change in the network is just that... changes on network hardware, outside of the scope.

 

You asked for suggestions and we have provided them to you. 

You are more than welcome to contact the TAC via web ticket for official assistance.

 

Thank you for contacting the Live Community. We truly wish that you are able to resolve this, and please let us know what you find, so that the community can better support the PANW line of solutions.


Thank you, and after brainstorming
we may schedule work to insert 1 x COPPER SFP as an HA port for the HA configuration instead of using the built-in HA. Stay tuned.
HELLO WORLD


Hi,

PAN doesn't recommend that you run HA interfaces through routed connections?

Then why do they offer the "Default Gateway" setting?

 

By definition, that means a routed network, and so this thread contains some very unhelpful answers to the OP.
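The two positions in this thread (a /30 with no gateway, versus a routed HA1 that depends on the interface's "Default Gateway" setting) come down to one design check that is worth running before committing. The following is an added example, not code from the original thread or from Palo Alto Networks; the HaLink, Verdict, check_ha_link and check_ha_pair names are my own, the addresses are constructed, and the HA port numbers are the documented PAN-OS HA1 / HA1-backup ports as I recall them, so verify them against the admin guide for your release.

```python
"""Design check for a PAN-OS HA1 / HA1-backup link before committing it.

Added example, not Palo Alto Networks code. It encodes the rule argued over
in this thread: if both HA1 addresses share a subnet (the /30-with-no-gateway
pattern) the link is pure layer 2 and needs no gateway; if the peer address
is off-subnet the link is routed, the HA interface's Default Gateway must be
set and be inside the local subnet, and the routed path must carry the HA1
TCP ports in both directions. Port numbers are the documented PAN-OS HA
ports as the author of this example remembers them; verify against the
admin guide for your release.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple
import ipaddress

# Clear-text HA1 uses TCP 28769 and 28260; HA1 backup uses 28770 and 28260;
# encrypted HA1 uses TCP 28 (SSH). HA2 is IP protocol 99 or UDP 29281, and
# HA3 is layer 2 only, which is why HA3 cannot be routed at all.
HA1_TCP_PORTS: Tuple[int, ...] = (28769, 28260)
HA1_BACKUP_TCP_PORTS: Tuple[int, ...] = (28770, 28260)
HA1_ENCRYPTED_TCP_PORTS: Tuple[int, ...] = (28,)


@dataclass
class HaLink:
    """One side of an HA control link as configured on a firewall."""
    name: str                      # "ha1" or "ha1-backup"
    local_ip: str                  # address on this firewall's HA interface
    netmask: str                   # e.g. "255.255.255.252"
    peer_ip: str                   # HA address of the peer firewall
    gateway: Optional[str] = None  # the interface's "Default Gateway" field
    encrypted: bool = False


@dataclass
class Verdict:
    routed: bool                     # True when the peer is off-subnet
    ok: bool
    problems: List[str] = field(default_factory=list)
    tcp_ports: Tuple[int, ...] = ()  # ports the path must pass end to end


def check_ha_link(link: HaLink) -> Verdict:
    """Validate one side of an HA link and list what the path must carry."""
    iface = ipaddress.ip_interface(f"{link.local_ip}/{link.netmask}")
    peer = ipaddress.ip_address(link.peer_ip)
    net = iface.network
    problems: List[str] = []

    if peer == iface.ip:
        problems.append(f"{link.name}: peer address equals the local address")

    routed = peer not in net
    if link.gateway is None:
        if routed:
            problems.append(
                f"{link.name}: peer {peer} is outside {net} but no default "
                "gateway is set, so the HA interface cannot reach it")
    else:
        gw = ipaddress.ip_address(link.gateway)
        if gw not in net or gw == iface.ip:
            problems.append(f"{link.name}: gateway {gw} is not a usable "
                            f"next hop inside {net}")
        if not routed:
            problems.append(
                f"{link.name}: peer {peer} is on-link in {net}; the gateway "
                "is unnecessary (documented pattern is a /30 with no gateway)")

    if link.encrypted:
        ports = HA1_ENCRYPTED_TCP_PORTS
    elif link.name.endswith("backup"):
        ports = HA1_BACKUP_TCP_PORTS
    else:
        ports = HA1_TCP_PORTS
    return Verdict(routed=routed, ok=not problems, problems=problems,
                   tcp_ports=ports)


def check_ha_pair(a: HaLink, b: HaLink) -> Verdict:
    """Check both firewalls' sides of the same link, including symmetry."""
    va, vb = check_ha_link(a), check_ha_link(b)
    problems = va.problems + vb.problems
    if a.peer_ip != b.local_ip or b.peer_ip != a.local_ip:
        problems.append("peer addresses do not point at each other")
    if va.routed != vb.routed:
        problems.append("one side is on-link and the other is routed")
    return Verdict(routed=va.routed or vb.routed, ok=not problems,
                   problems=problems, tcp_ports=va.tcp_ports)


if __name__ == "__main__":
    # Constructed addresses for the two designs discussed in the thread.
    flat = check_ha_pair(HaLink("ha1", "10.0.0.1", "255.255.255.252", "10.0.0.2"),
                         HaLink("ha1", "10.0.0.2", "255.255.255.252", "10.0.0.1"))
    routed = check_ha_pair(
        HaLink("ha1", "10.1.1.1", "255.255.255.0", "10.2.2.1", gateway="10.1.1.254"),
        HaLink("ha1", "10.2.2.1", "255.255.255.0", "10.1.1.1", gateway="10.2.2.254"))
    for label, v in (("flat /30", flat), ("routed DC1<->DC2", routed)):
        print(label, "OK" if v.ok else "PROBLEMS", v.problems, "ports", v.tcp_ports)
```

For the routed DC1/DC2 design the check passes only when each HA1 has a gateway in its own subnet and the peer addresses point at each other; what it cannot verify offline is the WAN path itself, so the returned tcp_ports list is what to confirm with a packet capture on the Nexus side, in both directions, when a routed HA1 stays down while the same link comes up once both ends share a subnet.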
  • 1 accepted solution
  • 6179 Views
  • 8 replies
  • 0 Likes