How to handle if control link/data link failure in HA

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

How to handle if control link/data link failure in HA

Not applicable

Hi All,

I would like to know if our environment using 2 x PAN and formed HA. The control link and data link connected to switches as our office over 3 floors in the same building. If the switch failure, how did the PAN response? Will they are not able to fail over?

Thanks!

J

3 REPLIES 3

L4 Transporter

Hi JohnnyW,

If both HA1 AND HA2 links fail, both devices will detect that the other device has failed and they will both go Active.  This is typically not a desirable behavior because you may have issues with IP conflict, routing, etc.

A couple of ways to minimize this risk:

(1) Use cables and not switches... Chance of cable failure is much smaller.

(2) Connect HA1 to switches that have some redundancy capabilities.  HA1 is responsible for the management side of things and also heartbeat connectivity.

(3) Maybe there's a way to leverage link or path monitoring in your HA environment.  Link and path monitoring will essentially monitor links on your firewall or paths (IP addresses outside the firewall) and if these links fail, then the firewall will put himself in a non-active state.

Just some thoughts!

Hi Spolo,

Thanks for your information. BTW, anyone like our environment that will cross flat or building for HA purpose? What is the best practice on this scenario? Thanks!

Regards,

J

Another idea is running fiber for your HA1 and HA2 ports.  Not sure what boxes you have, but if the distance is too great and you have fiber, this works nicely also.  Just connect two fiber ports, configure PANOS to use those ports as HA1 and HA2, and you're all set.  No worry about what happens if a switch goes down!

  • 3965 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!