pa200 ha

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

pa200 ha

L1 Bithead

Im in the process of setting up a pair of pa200 for ha, ive read through the documentation but im not clear on a few things.

The PA200, if i do an update on the FW for either software of dynamic updates it uses the management port to do the work.

If I configure HA I will need to use the management port and one of the ethernet ports, the other three are allocated with eth1 being used for the WAN link.

If i do a software update, do I need to make a configuration change to get the FW to initiate the update from eth1 rather than the in use management port.

1 accepted solution

Accepted Solutions

L6 Presenter

no you can still use the mgmt port for software upgrades while using it as a part of ha !!

View solution in original post

12 REPLIES 12

L6 Presenter

no you can still use the mgmt port for software upgrades while using it as a part of ha !!

Hi guys , its possible to do a HA with PA-200 right ?

This HA just to syncronization configuration , policies and networks ?


Best regards.

Yes I believe it is called "HA Lite":

HA Lite offers the following capabilities:

  • Fail-over of IPSec Tunnels
  • DHCP Lease information
  • PPPoE lease information
  • Configuration sync
  • Layer 3 forwarding tables

The big difference is that HA lite doesn't provide session syncronization.

I configured ha-lite on two pa-200 but when doing so i lost functioning of my eth4 interface which is connected to the internet. All other interfaced worked normaly..even a sub interface on eth4 worked.

Is this because i have Feature GlobalProtectGateway enabled on this interface?

If by losing the interface, you mean accessing HTTPS service on eth1/4. You need to access this interfaces on port 4443

How to Access the WebUI when GlobalProtect Is Enabled

When HA is enabled for the 1st time, the MAC address on the Eth interface changes to a virtual MAC that can be used by both PA's.  Maybe this happens and your ISP router need to refresh its ARP table?

rmonvon: I thought the PA will send out a gratuitous ARP when any HA events take place, in order to "push" the change to any devices that might have an old MAC address cached in their ARP tables

Well then i would loos the DHCP Information or would they stay? I can do a DHCP Renew and get the IP.

It's really strange, everything looks normal...routing everything...but ping 8.8.8.8 goes now to nirvana....maybe it's realy the isp router...problem is that i can't reboot that from remote..

Correct!

sh mac adderss-table inter gi1/0/4

it list a new mac address.....shit....Thanks for help

egearhart...Yes, you are correct and the PA would issue a gratuitous ARP upon changing to the virtual MAC.  However, I have encountered a number of routers, including Cisco, that will not update and they retain the previous MAC address.

gsteiner...:-)

it didn't work...i tried it again...i enabled the cluster then i rebooted the ISP Modem after 3 min i got a new IP Address (DHCP).

I see the traffic in Monitor but application is everything "incomplete" and it dosn't  work anymore.....as soon i disable Cluster and commit it works as allways...

Anyidee why HA-Lite dosn't work with a DHCP Device????

It worked on a PA500 without problems.....

How is your eth4 configured ? you said subinterface works, you already have subinterfaces or just for trying purpose you added ?

Did you try to access from your eth4 ip to default gateway and internet for troubleshoot better.

using ping source eht4/ip host destination_ip

  • 1 accepted solution
  • 7258 Views
  • 12 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!