This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

HA2 link goes down when enabling HA2 keep-alive - PA VM on Azure

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.

HA2 link goes down when enabling HA2 keep-alive - PA VM on Azure

AhmedAlRashed
L1 Bithead

‎03-14-2024 04:49 PM

I noticed HA2 link down between the HA A/P peers.

I tried to bounce the link but it didn't help

Disabled session synchronisation and HA2 came up

Re-enabled session synchorisation, HA2 link went down.

Disabled keep-alive on both active and passive firewalls and HA2 link came up

 

This is when HA2 keepalive is enabled.

AhmedAlRashed_0-1710459098374.png

 

This is when HA2 keepalive is disabled.

AhmedAlRashed_1-1710459889184.png

 

 

Has anyone come across this issue before

 

 

VM-Series Azure

 

Thanks,
Ali
VM-Series
Thumbnail of VM-Series
Palo Alto Networks
VM-Series
Cloud-Native Security
View on Product Page
Azure
Thumbnail of Azure
Palo Alto Networks
Azure
Cloud-Native Security
View on Product Page
0 Likes Likes
3 REPLIES 3

BPry
Cyber Elite
Cyber Elite

‎03-16-2024 07:56 PM

@AhmedAlRashed,

I would advise against HA setups in Azure heavily. It's best to deploy two 'active' firewalls as standalone device and use the 'load balancer sandwich' method to facilitate this. PAN HA sitting in Azure has come a long way since it was initially released, but it simply doesn't scale well and still causes long failover times. I'd avoid an HA config in Azure outright. 

 

https://www.paloaltonetworks.com/resources/guides/azure-transit-vnet-deployment-guide

AhmedAlRashed
L1 Bithead
In response to BPry

‎03-17-2024 01:18 AM

@BPry, thanks for your reply! I 100% agree with you but this is just an existing environment that I’ve picked up as I work in a MSSP and this setup was working fine until it broke a couple weeks ago, no changes at all that could’ve caused the issue. I opened a TAC case and waiting on PA team to advise, I have a feeling it’s a bug 🙂

Thanks,
Ali
0 Likes Likes

AhmedAlRashed
L1 Bithead

‎03-19-2024 02:23 PM

So... I upgraded the firewalls from 10.1.11 to 10.2.8 and re-enabled HA2 keep-alive and HA2 link stays up. It turned out to be a bug as expected.

 

@BPry FYI

 

 

Thanks,
Ali
0 Likes Likes
  • 610 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks