PA-5220 HA Config Ethernet or Crossover Cables?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

PA-5220 HA Config Ethernet or Crossover Cables?

L2 Linker

The first step seems a bit contradictory, just looking for some clarification. I have 2x5220s that I am setting up in HA Active-Passive mode. To cable the dedicated interfaces it looks like I just use regular ethernet cables, but the second sentence "Use a crossover cable if the peers are directly connected to each other." seems to contradict the first sentence. Can anyone explain when crossover cables would be used?

 

Step 1 >>

Connect the HA ports to set up a physical connection between the firewalls.

  • For firewalls with dedicated HA ports, use an Ethernet cable to connect the dedicated HA1 ports and the HA2 ports on peers. Use a crossover cable if the peers are directly connected to each other.
  • For firewalls without dedicated HA ports, select two data interfaces for the HA2 link and the backup HA1 link. Then, use an Ethernet cable to connect these in-band HA interfaces across both firewalls.
Use the management port for the HA1 link and ensure that the management ports can connect to each other across your network.
2 accepted solutions

Accepted Solutions

Cyber Elite
Cyber Elite

@mike406,

Some networks that are setup across multiple different buildings will utilize intermediate connections to connect the HA ports, and therefore the device is not actually directly connected to eachother. In this case you would use a normal patch cable.

 

If your Active/Passive units are going to be located in the same area, and they are going to be directly connected to each other (cable from HA1 on Active to HA1 on Passive), it is recommended to use a crossover cable. 

 

Most networks that are actually dispursed between buildings are unlikely to use the ethernet HA ports however, instead they would setup SFP ports to simply utilize a direct fiber connection between firewalls.  

 

 

View solution in original post

Cyber Elite
Cyber Elite

Hello,

While it is recoomended, it is not required. I have two in HA and use straight through cables and it works just fine. Most modern swithces/routers/firewalls can detect and compensate for this.

 

Regards,

View solution in original post

8 REPLIES 8

Cyber Elite
Cyber Elite

@mike406,

Some networks that are setup across multiple different buildings will utilize intermediate connections to connect the HA ports, and therefore the device is not actually directly connected to eachother. In this case you would use a normal patch cable.

 

If your Active/Passive units are going to be located in the same area, and they are going to be directly connected to each other (cable from HA1 on Active to HA1 on Passive), it is recommended to use a crossover cable. 

 

Most networks that are actually dispursed between buildings are unlikely to use the ethernet HA ports however, instead they would setup SFP ports to simply utilize a direct fiber connection between firewalls.  

 

 

Cyber Elite
Cyber Elite

Hello,

While it is recoomended, it is not required. I have two in HA and use straight through cables and it works just fine. Most modern swithces/routers/firewalls can detect and compensate for this.

 

Regards,

@OtakarKlier is very much right, and why I put recommended in italics. Crossover cables are quickly becoming something that nobody actually uses anymore, and outside of a couple really old routers I've come across I can't recall the last time I've truthfully ran across a device that fully required a crossover cable be used. 

Thank you all for the replies. I will use straight cables and see how it goes. I haven't used crossover cables since the days of hubs...and once switches and Auto-MDI/MDIX capabilities came along I never used a crossover cable unless it was required. It caught me a little off-guard when I saw that listed in the steps.

 

Mike

Yes that is exactly what we need is to have them connected by fiber and not through switches etc that when they loose power have cause a split brain condition on my network since there are located in different buildings. We discovered this when we had a power outage in the building where the active PA was located and they were both passing traffic cause they couldn't talk to the there HA partner and both thought the other was down.

L0 Member

Hello

 

I have question.

 

For PA-5220, is it better to use HA cable as 1G UTP? Or is it better to use 10G UTP? As far as I know, using 1G UTP does not seem to be a problem. Could you give me an answer? Thank you.

I have been using 1G UTP and it's working. No synchronization issues or anything like that, but it depends on your setup. Make sure to read the posts in this thread and the configuration guide and if you're still not sure consult with tech. support or your sales SE.

@KyungJinHan,

@mike406 is right. This works perfectly fine in some situations, and it would work really poorly in others. This depends on the utilization of the 5220 and ensuring that you don't find youself hitting saturdation on the links. 

  • 2 accepted solutions
  • 10624 Views
  • 8 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!