High Availability Bandwidth / Latency Requirements


L0 Member

Hi

 

We are about to introduce a dual-site DC setup with a single Internet IP address space available across both of them. We have a multiple-VLAN 100 Mbps fibre link between the sites and would like to split the PA-3020 pair we have running active/passive HA so there is one on each site. Latency between the sites is about 5 ms.

 

Questions -

 

What are the latency and bandwidth requirements for HA? I cannot find anything detailing any specific requirements, guidelines or way of estimating likely bandwidth to be used.

 

Is this type of setup supported?

 

Thanks

 

Euan

2 accepted solutions

Accepted Solutions

@euanbarker Since you plan to have 100 Mbps links for HA1 and HA2, it should be more than sufficient. Had it been the HA3 link (if the setup was an A/A HA), the case would have required more pondering!


100 Mbps is good, no issue with that. You have to focus on the timers to avoid unnecessary failovers. In Active-Active, HA3 needs more bandwidth.


5 REPLIES

L5 Sessionator

Are you saying that one of the firewalls will be on one site and the other will be on another site?

 

You have to take care of the routing such that if one of the firewalls fails, the traffic passes through the other unit.

 

For stability of HA you can increase the HA timers. The value depends on the distance between the units and the cables. You can check the latency and set the values accordingly.

 

Device > High Availability > General > Election Settings > select the Advanced option.

 

The default values are:

Hello interval - 8000ms.
Heartbeat interval - 1000ms
Preemption hold time - 1min
Monitor Fail Hold Up Time - 0ms

 

Hope this helps.

L4 Transporter

@euanbarker 

 

Do you mean the bandwidth requirement for the communication between the HA1 and HA2 links of the HA?

If yes, I don't readily see any document stating this information (it is tricky for the vendor to publish any specific values).

The following doc explains what is synchronized via which link (HA1/HA2). You will find that this is not very bandwidth-intensive information (more than bandwidth, stability and availability are important here).

 

https://live.paloaltonetworks.com/twzvq79624/attachments/twzvq79624/documentation_tkb/568/1/HA_Synch...

 

Also, since this is not an Active/Active setup, there is no transfer of actual traffic between the nodes (via HA3), which might have required a high-bandwidth (or aggregated) HA3 link.

 

 

 

Thanks for the quick replies. 

 

I do mean the firewalls will be split with one at each site. We would run HA1 and HA2 across VLANs using the 100 Mbps fibre link between sites, which is a VLAN trunk. I've read and reviewed the options for adjusting the timers to ensure stability, and we have plans in place to ensure failover options mirror availability from outside the PAs through and to inside them so we don't get split-brain situations at any point. The only bit that is unknown is what bandwidth the HA traffic will need. I know this is build and traffic dependent, but some guidance would be useful.

 

We are going to measure stats on the HA1 and HA2 interfaces we have on the PA-3020 cluster while it's in the same location so we can have a benchmark to work from.

 

Thanks

 

Euan
