01-08-2024 03:46 PM
My backup PA-3420 in an HA peer will not detect SFPs or link on any port (including copper) but the management. The primary unit detects and links on multiple SFP slots with multiple different SFP types and brands. The same SFPs in the backup unit will not detect.
adrian.admin@PA_CorpEdge_A(active)> show system state | match sys.s1.p13.capability\|sys.s1.p13.phy
sys.s1.p13.capability: [ auto, 1Gb/s-full, 10Gb/s-full, ]
sys.s1.p13.phy: { 'duration': 3600, 'last-sample': 2024-01-08 15:24:27, 'link-partner': { }, 'media': SFP-Plus-Fiber, 'sfp': { 'ch1': { 'rx-power': 0.00 mW, 'tx-bias': 5.82 mA, 'tx-power': 0.60 mW, }, 'connector': LC, 'diagnostic-monitor': Yes, 'encoding': Reserved, 'ex-spec-compliance-code': 0x0, 'identifier': SFP, 'link-len-km': 0 km, 'link-len-m': 0 m, 'link-len-om1': 30 m, 'link-len-om2': 80 m, 'link-len-om3': 300 m, 'link-len-om4': 0 m, 'rx-power-alarm-hi': 2.00 mW, 'rx-power-alarm-lo': 0.03 mW, 'rx-power-warn-hi': 0.79 mW, 'rx-power-warn-lo': 0.03 mW, 'supply-voltage': 3.32 V, 'temp-alarm-hi': 85.00 C, 'temp-alarm-lo': -5.00 C, 'temp-warn-hi': 80.00 C, 'temp-warn-lo': 0.00 C, 'temperature': 26.48 C, 'transceiver': 10000B-SR, 'tx-bias-alarm-hi': 10.50 mA, 'tx-bias-alarm-lo': 2.50 mA, 'tx-bias-warn-hi': 10.50 mA, 'tx-bias-warn-lo': 2.50 mA, 'tx-power-alarm-hi': 2.00 mW, 'tx-power-alarm-lo': 0.13 mW, 'tx-power-warn-hi': 0.79 mW, 'tx-power-warn-lo': 0.32 mW, 'vendor-name': AVAGO , 'vendor-part-number': AFBR-709SMZ-NA1 , 'vendor-part-rev': G4.1, 'vendor-serial-number': AA1723300NG , 'voltage-alarm-hi': 3.60 V, 'voltage-alarm-lo': 3.00 V, 'voltage-warn-hi': 3.46 V, 'voltage-warn-lo': 3.13 V, }, 'type': Ethernet, }
peer.sys.s1.p13.capability: [ auto, 1Gb/s-full, 10Gb/s-full, ]
peer.sys.s1.p13.phy: { 'link-partner': { }, 'media': SFP-Plus-Empty, 'type': Ethernet, }
Am I missing something obvious here or is my backup unit broken?
01-08-2024 04:13 PM
OK... emergency averted... So apparently this is "by design" and seems completely broken-by-design to me. By default, in an HA pair, the backup unit will not initialize or link on any port, copper or SFP, when in a standby state. That means you have no way of knowing if the cables are connected or the SFP works, until the unit becomes the active unit of the HA pair... If also means you have no way of monitoring port status via network management (i.e. WhatsUp/OpenNMS/etc., did someone yank the wrong cable in the last 3 months?) and failing over will take longer because the links have to all initialize/come up before any failover can take place (flap prevention on the far side).
The fix is to go Device -> High Availability -> General -> Active/Passive Settings, and change Passive Link State from "Shutdown" to "Auto" on all the HA members.
01-09-2024 06:47 AM
" So apparently this is "by design" and seems completely broken-by-design to me. "
It's not a bad design. You even mentioned in your final statement you can chose how the firewall behaves. You have the option to had down the passive firewall dataplane interfaces or to have them be in an up state.
01-09-2024 02:03 PM
Just echoing what @Brandon_Wertz mentioned, but it's also the safer default setting that will work for everyone regardless of how they setup their device. It's often not the ideal configuration depending on your configuration, in fact I'd go as far as to say in most cases it isn't ideal, but it is the safest default option to set for everyone.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
