HA2 problems


Hello together,

We have an A/A cluster with PA-5050 boxes running PAN-OS 4.1.5.

At the moment one node is suspended due to another problem. We had the problem that we lost the HA2 connectivity (main/backup) between the cluster nodes and traffic through the active box was stopped.

From my point of view this should not happen, as this link is for synchronisation of state, session, routing, etc. But as only one box is active at the moment, no need for the sync?!? After reestablishing a connection for HA2, traffic was passing the firewall.

Any clue?

Thx

Michael

7 REPLIES 7

L6 Presenter

Session sync is so that when failover occurs the already set-up sessions can continue - otherwise they would just be dropped (or if lucky get fin/ack or rst depending on what kind of session it is).

As a workaround I think you can set up one of the dataplane interfaces to be used for HA.

L6 Presenter

Hi... Did all traffic or just some of the traffic stop? It is most likely where one PA sets up the session and can't sync the session to its peer. As return traffic arrives at the peer, the traffic may be out of state and the peer drops the packets.

As suggested by mikand, you should configure backup for HA2 as well as HA1 and HA3 if possible.  For HA3 you can use AE (LAG) if our PA models support it.

Thanks.

Hi,

thanks for the fast replies.

Maybe I was not clear enough. We have an HA2 main and backup. Due to another problem the main was not working and we lost the backup.

At the moment we lost the backup, one of the firewalls was suspended, so we were running on one node. At this time we lost the HA2 backup as well, and traffic seems not to have been passing anymore.

Unfortunately I wasn't onsite during this time. I just got it reported like this. So it's hard to figure out what really happened, and as it's a production environment I'm not able to reproduce this issue.

The only thing I'm sure of is that during the time traffic wasn't passing, both HA2 links weren't present.

Now, I just want to know if it's possible that the root cause of the stopped traffic can be that no HA2 link was present. Even when we were running on a single node at this time. So no need for the session sync.

Thanks

Michael

I recommend that we review the system log around the time of the failure and check the HA events to figure out the sequence of failures. HA2 failure may impact new sessions/traffic as the session state cannot be sync'ed, but it should not impact existing sessions. You can have 1 node running while the other is down and HA2 can be disconnected.

Also, how did the other node go into suspend state? Maybe the failure included more than just HA2?

Hi,

the other node is suspended manually. There is an issue which impacted our service in the A/A deployment, so we had to suspend one box. This is already addressed and under investigation by PA.

I thought as well that it should not impact any traffic when running on a single node without HA2.

I can try to gather logs around the time the problem occurred.

I'll check if I can test this during a night.

Michael

As far as the links.. HA1 and HA2.. how are they connected?

Are we talking about a straight-through cable, a crossover cable, or connected through a switch?

If you say straight-through cable, it is not recommended. In fact it is not supported.

It is recommended that if you have to use a cable, that it is a crossover cable.. or connect through a switch.

Let's see if that helps or not.

LIVEcommunity team member
Stay Secure,
Joe
Don't forget to Like items if a post is helpful to you!

Hi,

sorry for the huge delay 🙂

It's connected through a switch. In the meantime it's been identified as a bug.

Michael
