PA-2000 HA Timers

Not applicable


Currently, if I hard power down my primary firewall, it takes about 6 seconds for the secondary to take over, a bit slow really.

Changed most of the HA timers to their minimum, just checking to see if there is any other configuration that can be changed to make this a bit quicker?



All Replies
L6 Presenter

When you mean 6 minutes to fail over, is the secondary passive firewall taking 6 seconds to become active? Or are you trying to test the failover time with the help of pings and seeing the pings go through after 6 seconds? If it is the second case then it is expected, as ping sessions are synced across the HA pair. If the passive is taking 6 seconds to become active then you might have to use the recommended HA timers (PA-2000: hello interval 8 sec, heartbeat interval 2 sec, promotion hold time 2 sec and preemption hold time 1 sec) and see if it makes any difference. It is advised to set the HA timers too aggressive, as it can cause split-brain issues.

https://live.paloaltonetworks.com/docs/DOC-1094

Not applicable

I am using the recommended HA timers at the moment, most of which for the PA-2000 also seem to match the device minimum.

Is the secondary passive firewall taking 6 seconds to become active? Yes, I am literally turning off the power supply on the primary device and checking to see how long it takes until the secondary device becomes active; it always seems to be around 6 seconds during the tests. I am not yet looking at how long after becoming active it takes to start passing traffic.

L6 Presenter

Never noticed such a delay for the secondary. Are you having the HA1 interfaces connected directly or over a network with different hops in between? Also, which version of code is it?

Not applicable

HA1 and HA2 are directly cabled, and it's running the latest version of software, 4.1.7.

It's got a fast failover for manually switching via GUI/CLI, and it's also quick for link and path monitoring. It just seems to be only the power-down case where it's waiting to miss a specific number of hello packets.

L6 Presenter

When you are manually switching the HA state of an active primary device, the moment you make a change to the active primary device, the primary device will send its state (suspended) to the secondary device in the hello message. As a result the secondary knows instantaneously that the primary is in the suspended state and the failover will be instantaneous. In the case of a power-down, the active primary device will stop sending/responding to heartbeats, so the secondary will wait for 3 heartbeat failures and after this it will make a state change to primary.


L5 Sessionator

If the timer for the hello interval is set to 2000ms/2sec, it will take 3 missed heartbeats, which is 6000ms/6sec, before it switches over to the passive device, which is what you are experiencing. You don't want to set this timer too aggressively and should use the recommended settings, as it might cause unwanted HA flaps.

Hope this helps.

Thank you

mbutt
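To make the two failover paths from the accepted answer and mbutt's reply concrete, here is an added example (not Palo Alto Networks code) that models a passive unit watching its peer's hellos: a hello carrying the "suspended" state promotes it immediately, while silence promotes it only after N consecutive missed heartbeat windows. The 2000 ms heartbeat and the threshold of 3 are the values quoted in the thread; the hello traces are constructed for the example.

```python
from typing import List, Optional, Tuple

HEARTBEAT_MS = 2000        # heartbeat interval quoted in the thread for the PA-2000
MISSED_THRESHOLD = 3       # missed heartbeats before the passive unit promotes itself

# A hello is (timestamp_ms, peer_state). Timestamps are relative to when the
# passive unit started watching. All traces below are constructed sample data.
Hello = Tuple[int, str]
POWER_LOSS: List[Hello] = [(2000, "active"), (4000, "active")]          # then silence
MANUAL_SUSPEND: List[Hello] = [(2000, "active"), (4000, "active"), (4300, "suspended")]
HEALTHY: List[Hello] = [(t, "active") for t in range(2000, 20001, 2000)]
JITTERY: List[Hello] = [(2000, "active"), (4100, "active")] + \
    [(t, "active") for t in range(6000, 20001, 2000)]   # one hello arrives 100 ms late


def takeover_time(hellos: List[Hello], observe_until_ms: int,
                  heartbeat_ms: int = HEARTBEAT_MS,
                  threshold: int = MISSED_THRESHOLD) -> Optional[Tuple[int, str]]:
    """Return (time_ms, reason) at which the passive unit would promote itself,
    or None if the peer stayed healthy for the whole observation period."""
    hellos = sorted(hellos)
    missed = 0
    t = 0
    while t + heartbeat_ms <= observe_until_ms:
        window = [(ts, st) for ts, st in hellos if t < ts <= t + heartbeat_ms]
        # Fast path: the peer explicitly announced that it is suspended.
        for ts, st in window:
            if st == "suspended":
                return ts, "peer announced suspended state"
        # Slow path: count consecutive windows with no hello at all.
        if window:
            missed = 0
        else:
            missed += 1
            if missed >= threshold:
                return t + heartbeat_ms, f"{threshold} consecutive heartbeats missed"
        t += heartbeat_ms
    return None


def detection_delay_ms(hellos: List[Hello], observe_until_ms: int, **kw) -> Optional[int]:
    """Delay between the last healthy hello and the moment of promotion."""
    result = takeover_time(hellos, observe_until_ms, **kw)
    if result is None:
        return None
    last_good = max((ts for ts, st in hellos if st != "suspended" and ts < result[0]),
                    default=0)
    return result[0] - last_good


if __name__ == "__main__":
    for name, trace in [("power loss", POWER_LOSS), ("manual suspend", MANUAL_SUSPEND)]:
        print(name, takeover_time(trace, 20000), detection_delay_ms(trace, 20000))
```

Running the jittery trace with threshold=1 shows the flap risk mbutt mentions: a single late hello is enough to trigger a promotion that the default threshold of 3 absorbs.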


A link monitor for HA1 & HA2 should result in faster failover times when the primary device fails at all.

Or am i wrong here?

Kind regards

Marco
