PA 2020 Active/Passive HA


L1 Bithead

I am configuring Active/Passive PA 2020 firewalls for clustering. I have configured all the parameters for HA including the links (HA1 and HA2). Also the firewalls are connected and both the HA interfaces are showing up. I am making one PA firewall Active by lowering its device priority (100) and the other standby (priority 150). I am seeing that both the PA firewalls are showing as active, and when I click on "Sync the config", I am getting the error shown in the attached file.

Please advise me where I am making a mistake. Also my Active firewall has some configuration done on it and my other firewall is on default configuration. Should I bring both the firewalls to default config and then configure the HA? Please advise.


6 REPLIES

L6 Presenter

Hi...I notice the PA2020 is running version 4.1.0.  I recommend that you upgrade both PA2020s to version 4.1.2.  You reported that both units are running in Active HA mode, that may mean the units are not seeing each other. We should see 1 unit to be Active and the other should be Passive.

You can verify via CLI if they have an HA peer:

> show high-availability state

If there is no peer, I recommend that you doublecheck your HA config and the HA cabling.  Thanks.

L6 Presenter

Hi,

Since both the peers are showing as Active-Active, it means that they haven't communicated with each other still. This seems like a configuration problem. Please make sure the following things are correct:

1) both the PAN devices are running the same software version
2) the HA group ID is the same for both the PAN devices
3) use a crossover cable for the HA2 ports
4) peer IDs are matching across both the ends of the PAN devices

If the HA relationship forms correctly, one device will be in the active state and the other will be in the passive state. The command "show high availability all" will give all the info about the HA state on the device and also about the peer state.

You need not have both the devices in the default config. As long as you configure the HA parameters correctly on both the devices and they are in an HA relationship, config sync should work. One more thing: you can sync the config from the active side ----> passive side and also the other way, so please be careful which side you are doing it from. If you sync config from the default config side (passive side) to the other side, it will wipe out all the config on the other side.

Tx,

Sandeep T

Thanks for the reply. I cannot use a crossover cable because I am running HA1 and HA2 on fiber (SFP) ports. Actually, as per design the two PA firewalls are in two different buildings, so due to the distance constraint, I have to use the fiber ports for HA.

I have one doubt, please clarify, and I am sure that I am making a mistake in that: when I edited the HA parameters, I used HA peer IP 1.1.1.2, and when I configured the Control Link HA1 IP address, I used a different subnet (10.1.0.0/24). Do I have to configure them with the same subnet? I think yes? Please advise.

yes, the IP address for HA1 should correspond to the IP address for the peer.

Palo Alto Networks Guru

You have the option of running the firewalls' HA1 ports in the same subnet or different subnets.  If they're in the same subnet, leave the Gateway in the Control Link section of the config blank.  If they're in different subnets, you'll want to specify the correct Gateway address in order to achieve layer 3 connectivity.

Thanks,

Nick Campagna
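The checklist from Sandeep's reply and the gateway rule from Nick's reply can be turned into a quick pre-commit sanity check. The script below is an added example written for this thread, not code from Palo Alto Networks or from any poster; it does not talk to a firewall, it only validates two HA parameter sets against those rules. All device names, versions, group IDs and addresses are constructed; the first pair deliberately reproduces the original poster's mismatch (HA1 in 10.1.0.0/24, peer set to 1.1.1.2, no gateway).

```python
"""Added example (not from the thread): sanity-check an Active/Passive pair's HA
settings before committing. Rules encoded, all taken from the replies above:
  - both peers on the same PAN-OS version
  - same HA group ID on both peers
  - each side's Peer HA1 IP must be the other side's HA1 address
  - Control Link Gateway blank when both HA1 ports share a subnet,
    required (and reachable) when they do not
Every name and address below is constructed for illustration."""
import ipaddress


def make_peer(name, ha1_ip, peer_ha1_ip, netmask="255.255.255.0",
              gateway=None, version="4.1.2", group_id=1):
    """Build one device's HA parameter set (constructed data, not a real device)."""
    return {"name": name, "version": version, "group_id": group_id,
            "ha1_ip": ha1_ip, "ha1_netmask": netmask,
            "ha1_gateway": gateway, "peer_ha1_ip": peer_ha1_ip}


def ha1_link_findings(cfg):
    """Findings for one device's HA1 control link (the same-subnet / gateway rule)."""
    findings = []
    iface = ipaddress.ip_interface(f"{cfg['ha1_ip']}/{cfg['ha1_netmask']}")
    peer = ipaddress.ip_address(cfg["peer_ha1_ip"])
    if peer in iface.network:
        # Same subnet: the Gateway field in the Control Link section stays blank.
        if cfg["ha1_gateway"]:
            findings.append(f"{cfg['name']}: peer {peer} is in {iface.network}; "
                            "leave Control Link Gateway blank")
    else:
        # Different subnets: a gateway inside the HA1 subnet is needed for L3 reachability.
        if not cfg["ha1_gateway"]:
            findings.append(f"{cfg['name']}: peer {peer} is outside {iface.network}; "
                            "a Control Link Gateway is required")
        elif ipaddress.ip_address(cfg["ha1_gateway"]) not in iface.network:
            findings.append(f"{cfg['name']}: gateway {cfg['ha1_gateway']} "
                            f"is not in {iface.network}")
    return findings


def ha_pair_findings(a, b):
    """All findings for a candidate pair; an empty list means the pair looks consistent."""
    findings = []
    if a["version"] != b["version"]:
        findings.append(f"PAN-OS mismatch: {a['name']}={a['version']}, "
                        f"{b['name']}={b['version']}")
    if a["group_id"] != b["group_id"]:
        findings.append(f"HA group ID mismatch: {a['group_id']} vs {b['group_id']}")
    for me, other in ((a, b), (b, a)):
        if me["peer_ha1_ip"] != other["ha1_ip"]:
            findings.append(f"{me['name']}: Peer HA1 IP {me['peer_ha1_ip']} is not "
                            f"{other['name']}'s HA1 address {other['ha1_ip']}")
        findings.extend(ha1_link_findings(me))
    return findings


# Constructed pair 1: reproduces the thread's symptoms (mixed versions, HA1 in
# 10.1.0.0/24 but peer pointed at 1.1.1.2 with no gateway).
MISCONFIGURED_A = make_peer("fw-a", "10.1.0.1", "1.1.1.2", version="4.1.0")
MISCONFIGURED_B = make_peer("fw-b", "1.1.1.2", "1.1.1.1")

# Constructed pair 2: HA1 ports in one subnet, gateway left blank.
SAME_SUBNET_A = make_peer("fw-a", "10.1.0.1", "10.1.0.2")
SAME_SUBNET_B = make_peer("fw-b", "10.1.0.2", "10.1.0.1")

# Constructed pair 3: HA1 ports in different buildings/subnets, gateways set.
ROUTED_A = make_peer("fw-a", "10.1.0.1", "10.2.0.1", gateway="10.1.0.254")
ROUTED_B = make_peer("fw-b", "10.2.0.1", "10.1.0.1", gateway="10.2.0.254")

if __name__ == "__main__":
    for label, pair in (("misconfigured", (MISCONFIGURED_A, MISCONFIGURED_B)),
                        ("same subnet", (SAME_SUBNET_A, SAME_SUBNET_B)),
                        ("routed", (ROUTED_A, ROUTED_B))):
        print(f"[{label}]")
        for line in ha_pair_findings(*pair) or ["no findings"]:
            print("  " + line)
```

Run it as-is to see the misconfigured pair flagged on three points (version mismatch, fw-b's peer address not matching fw-a's HA1 address, and fw-a's peer outside its HA1 subnet with no gateway) while the same-subnet and routed pairs pass; edit the `make_peer` calls to check your own intended settings before committing.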

Thanks to all for the reply and support. Really appreciated.
