How HA active/passive 2000 series works

Hi Guys,

I have a doubt about HA Active/Passive.

How does it work? Do I need to have a floating IP?

Or do my 2 appliances need to have the same configuration?

I saw some docs, but I don't understand how HA works.

So if somebody can help me :) I'm using PAN-OS 4.1.3.


Best Regards.


Thiago Lima.

Accepted Solutions

Hello,

Active/Passive won't be using a floating IP. The devices share their configs, and that includes interface IP addresses. The passive member always takes down all of its interfaces so as not to cause issues with duplicate IPs on the network.

Typically, just configure the active device as you'd like, configure the HA settings for both members and enable config sync. Once you commit they should be paired just fine.

If you'd like more information on how to configure the HA portion, let us know.

Thanks,

Jason Seals

Hello Jason,

So about MAC addresses, do the devices share their MAC address or not?

Best Regards.

Thiago Lima.

Hi,

In Active / Passive HA, the members use the same virtual MACs on the dataplane interfaces which are derived from the HA group ID setting in the HA configuration.

Note that the MAC addresses of the HA1 interfaces, which are on the control plane and synchronize the configuration of the devices, are unique. The MAC addresses of the HA2 interfaces, which are on the data plane and synchronize the active sessions, mirror each other.

Thanks,

Jason Seals

So,

When I'm configuring HA Active/Passive, I need to set the same group ID on my 2 devices, right?

Best Regards.


Thiago Lima.

Yes,

The same group ID for both devices. This is important.

Also, if you ever have more than one HA pair on the same network be sure that each pair has their own group ID.

If two HA pairs are on the network, and all 4 members have the same group ID, this will for sure cause issues due to the MAC address assignment.

Thanks,

Jason Seals
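To make the group ID point concrete, here is an added example (not from this thread or from Palo Alto Networks) that derives the per-interface virtual MAC a pair shares and reports which MACs collide when two pairs on one L2 segment are left at the same group ID. The octet layout 00:1B:17:00:group:interface and the 1-63 group ID range are assumptions based on the documented PAN-OS virtual-MAC scheme; check the HA guide for your release.

```python
# Added example: HA group ID -> shared virtual MAC, and conflict detection
# between HA pairs on the same network. MAC layout and group ID range are
# assumptions (verify against the PAN-OS HA documentation for your release).
from collections import defaultdict

VMAC_PREFIX = (0x00, 0x1B, 0x17, 0x00)  # assumed fixed prefix of the virtual MAC


def virtual_mac(group_id: int, interface_id: int) -> str:
    """Virtual MAC that both members of one HA pair use on one dataplane interface."""
    if not 1 <= group_id <= 63:
        raise ValueError("HA group ID must be 1-63 (assumed documented range)")
    if not 0 <= interface_id <= 255:
        raise ValueError("interface ID must fit in one octet")
    return ":".join(f"{b:02x}" for b in VMAC_PREFIX + (group_id, interface_id))


def find_vmac_conflicts(pairs):
    """pairs: {pair_name: (group_id, [interface_ids])} sharing one L2 segment.
    Returns {virtual_mac: [pair_names]} for every MAC claimed by more than one pair."""
    owners = defaultdict(list)
    for name, (gid, ifaces) in pairs.items():
        for if_id in ifaces:
            owners[virtual_mac(gid, if_id)].append(name)
    return {mac: names for mac, names in owners.items() if len(names) > 1}


# Constructed sample: two active/passive pairs on one switch, both at group ID 1,
# each using dataplane interfaces 1 and 2.
SAME_GROUP = {"pair-A": (1, [1, 2]), "pair-B": (1, [1, 2])}
# Same topology after the second pair is given its own group ID.
FIXED = {"pair-A": (1, [1, 2]), "pair-B": (2, [1, 2])}

if __name__ == "__main__":
    print("conflicts with shared group ID:", find_vmac_conflicts(SAME_GROUP))
    print("conflicts after fix:", find_vmac_conflicts(FIXED))
```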

Speaking of which... is it possible to have an active / passive / passive / passive setup (regarding your example of 4 boxes with the same group ID)?

I can't figure out any good example of why one would like to have such a setup, but still :P

Hi Mikand,

I can't think of a reason you'd want to do that either, and I don't believe this would be possible.

When configuring the HA links in L3, there is only an option for 1 peer IP address. Therefore, the standard 1 active machine and 1 passive machine seems to be it.

Thanks,

Jason Seals

Mikand,

I think it's impossible to configure HA with 4 devices.

First of all, you can configure just 1 peer device.

And second, on the PAN 2000 series, you can configure just 2 HA ports per device.

The first port is on the management plane to synchronize configs, etc.

The second port is for stateful sync.

Best Regards.

Thiago Lima.

Hi Guys,

I'm configuring HA, but when I shut down my first device, I did one test using ping, and I lost 3 packets with 64 TTL.

Is this normal, or is it possible to configure something to make this faster?


Best Regards.


Thiago Lima.

Hello,

That's about normal. Also, I've seen that sometimes the pings actually do reply, but due to the failover it takes longer than normal to respond, so the ping application considers it a timeout.

You could verify this with pcaps taken on the firewalls. This may be your case, or it may just be taking that long to transfer the sessions over.

Regardless, what you're seeing is normal.

Thanks,

Jason Seals
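An added example (not from this thread) of the capture-based check Jason suggests: given request/reply records for each ICMP sequence number, it separates pings the firewall did answer, just later than ping's timeout, from pings that were never answered. The records and timestamps below are constructed for illustration, as is the 1-second timeout.

```python
# Added example: classify ping sequence numbers observed during an HA failover
# as answered, late (reply arrived after ping's timeout, so ping still prints a
# loss) or lost (no reply at all). Input mimics what one reads off a capture.
PING_TIMEOUT = 1.0  # seconds; assumed default of the ping client in use


def classify_pings(records, timeout=PING_TIMEOUT):
    """records: iterable of (direction, seq, t_seconds) with direction "req"|"rep".
    Returns {seq: "answered"|"late"|"lost"} for every request seen."""
    sent, got = {}, {}
    for direction, seq, t in records:
        (sent if direction == "req" else got)[seq] = t
    status = {}
    for seq, t_req in sorted(sent.items()):
        if seq not in got:
            status[seq] = "lost"
        elif got[seq] - t_req > timeout:
            status[seq] = "late"
        else:
            status[seq] = "answered"
    return status


def summarize(status):
    """Counts per class plus what ping itself would report as lost (late + lost)."""
    counts = {"answered": 0, "late": 0, "lost": 0}
    for s in status.values():
        counts[s] += 1
    counts["ping_reported_lost"] = counts["late"] + counts["lost"]
    return counts


# Constructed trace: one request per second; the active member is powered off
# around seq 4. Seq 4 and 5 are answered late, seq 6 is never answered, so ping
# shows three timeouts although only one packet was actually lost.
SAMPLE = [
    ("req", 1, 0.0), ("rep", 1, 0.002),
    ("req", 2, 1.0), ("rep", 2, 1.002),
    ("req", 3, 2.0), ("rep", 3, 2.003),
    ("req", 4, 3.0), ("rep", 4, 4.8),   # replied 1.8 s later: late
    ("req", 5, 4.0), ("rep", 5, 5.3),   # replied 1.3 s later: late
    ("req", 6, 5.0),                    # no reply: lost
    ("req", 7, 6.0), ("rep", 7, 6.002),
    ("req", 8, 7.0), ("rep", 8, 7.002),
]

if __name__ == "__main__":
    print(summarize(classify_pings(SAMPLE)))
```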

Jason,

Thanks for the comments; if those two paragraphs were in the admin guide it would have saved me about 2 hours today ;)

Christopher,

Which piece of information did Jason provide that you would like to see in the admin guide?  I'd like to see about adding that into the guide.

Thanks,

Nick Campagna

Product Management
