This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

heartbeat connection

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

heartbeat connection

jdprovine
L4 Transporter

‎07-24-2018 09:30 AM

What is the best way to set up a heartbeat connection between and active and passive pair of firewall. We currently have a PA 5050 pair, in different buidling quite a distance away from one another and the heartbeat connection is through the network via ethernet and a switch. We have had it go into a split brain situation when power is lost on one the switches connecting the heartbeat through the network

0 Likes Likes
12 REPLIES 12

BPry
Cyber Elite
Cyber Elite

‎07-24-2018 11:06 AM

@jdprovine,

Any chance you have extra fiber runs between the buildings? 

0 Likes Likes

jdprovine
L4 Transporter
In response to BPry

‎07-24-2018 11:55 AM

@BPry

I was hoping to do it that way and I think we might.  So what were you thinking

0 Likes Likes

Mick_Ball
L7 Applicator

‎07-24-2018 12:04 PM

Not sure if i fully understand but if a switch goes down that one of the devices is connected to then yes you will get SB, but as the connected device is down via the switch then traffic should auto route via the active one...

 

if you are saying that only the HA link has gone down then perhaps you should look at HA backup via management port.

 

 

0 Likes Likes

jdprovine
L4 Transporter
In response to Mick_Ball

‎07-24-2018 12:18 PM

@Mick_Ball

You mean setting up HA backup under device--->HA--->general----)election--->backup. I checked and it already configured. The tough part is that the PA's are in different building and one switch out and I have split brain. It happened a couple times this month, so I was hoping to connect the via fiber and not switches but it appears I would not be able to use the dedicated HA port I would have to use one of my other spf ports and configure it for HA 

BPry
Cyber Elite
Cyber Elite
In response to jdprovine

‎07-24-2018 12:27 PM

@jdprovine,

Yes you would have to use another SFP port. The benefit of this however is if you do a direct connection you don't have to worry about a switch going down and causing any issues; as the device itself would still be able to communicate. You'd just want to configure Link/Path monitoring and ensure that if you ever lost important interfaces HA would actually trigger and failover appropriately. 

jdprovine
L4 Transporter
In response to BPry

‎07-24-2018 12:30 PM

@BPry

That seems alot better than what I have now. I would be curious to know if anyone has already tried what I am considering and how it worked out for them, I can't be the only one that has the primary in a different building than the secondary. Support said the recommended configuration is to connect them using a serial cable.

0 Likes Likes

BPry
Cyber Elite
Cyber Elite
In response to jdprovine

‎07-24-2018 12:33 PM

@jdprovine,

This is the exact configuration that most of my HA clusters are using unless they are physically in a datacenter sitting next to eachother. Works perfectly fine. 

0 Likes Likes

jdprovine
L4 Transporter
In response to BPry

‎07-24-2018 12:41 PM

@BPry

So just configure the new ports as HA, plug in in and it pretty much the same as the one that come already dedicated on the box.  All the configuration is the same through the software? Support made it sound like it was unusual LOL. But I can't keep going into split brain everytime there is a power clitch

0 Likes Likes

BPry
Cyber Elite
Cyber Elite
In response to jdprovine

‎07-24-2018 12:45 PM

@jdprovine,

Once you have the interface configured litteraly everything else is the exact same. The only thing that I would really say changes is that you really do need to configure Link and Path monitoring, although those should already be configured.

jdprovine
L4 Transporter
In response to jdprovine

‎07-24-2018 12:47 PM

@BPry @Mick_Ball

 

So the process would be something like this:

1. Configure a sfp ports one on the primary and one on the secondary that are configured for HA

2. Plug in the fiber, unplug the dedicated HA ports that are preconfigured, from the network

3. The setting already configured for the dedicated preconfigured ports will now apply to the ports you configured for fiber and HA

0 Likes Likes

jdprovine
L4 Transporter
In response to jdprovine

‎07-24-2018 01:28 PM

@BPry @Mick_Ball

 

Are there any gotcha to worry about when doing this, that might interupt operations? Do you need to turn off HA while configuring the new connection? Will it go into split brain if you turn off HA?

0 Likes Likes

jdprovine
L4 Transporter
In response to jdprovine

‎07-25-2018 08:18 AM

Can it still have issues if the switch that is feeding the traffic through the primary firewall goes down, will it see that as a split brain situation and should it

0 Likes Likes
  • 4302 Views
  • 12 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks