PAN configured as HA and both interface connected to the same switch



Hi, I have configured PAN in an active/passive HA configuration. I configured link monitoring on all the interfaces.

However, my active and passive firewall interfaces are connected to the same switch.

If the switch fails, may I know what will happen?


L4 Transporter

tanyc@digisafe.com


Both PAN devices will think the other one has failed and try to go "active". This would be a Bad Thing, as two devices would be trying to claim the same IP address, and the resulting ARP confusion would result in packet loss.

You should directly connect the HA ports between the two PANs using crossover cables (there was a bug/problem caused by not using crossover cables - I'm not sure if it's fixed yet).

Just connect HA1 on the first firewall to HA1 on the second, the same with HA2 on the first to HA2 on the second.

Cheers.

L4 Transporter

I think the question is about failure of revenue ports and not HA links. In this case, both devices will realize the failure. The devices will get into a non-functional loop as described below. One of the devices will remain active.

A non-functional loop is when both devices in an HA pair have link or path monitoring failures that are not detectable while in the non-functional state. This happens when the link state on the passive device is set to shutdown in layer 3 mode. The link state on the passive device is always shutdown in vwire and layer 2 deployments. If a device in the HA cluster starts in the active state and detects a link or path down, it changes state to non-functional. The peer device at this time will go active. The non-functional device will remain in this state for the monitor-fail-holddown time and then change state to passive. The active device, upon seeing the peer device as passive, will change to non-functional because of the link failure. At this point, if monitoring fails again, the device gets into a loop, repeating the active -> non-functional -> passive -> active transitions.

These state transitions are referred to as flaps. The device will remain in the suspended state even if the link or path connectivity is restored. The default number of flaps is 3. A value of "0" means infinite flaps. The maximum number of flaps defined will have to happen within 15 minutes, after which the device enters the suspended state. Once the device enters the suspended state, it requires user intervention to transition to the functional state. This is accomplished by using the operational command "request high-availability state functional".
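To make the flap and suspend logic in the reply above concrete, here is a small simulation added to this page (it is not Palo Alto code). It models the active -> non-functional -> passive -> active cycle when both members have a monitoring failure the passive side cannot detect, counts each device's flaps inside the 15-minute window, and suspends a device once it reaches the configured maximum (3 by default, 0 meaning unlimited). The class and function names, the holddown value, and the assumption that a device whose peer is suspended simply stays active are mine, not from the post.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

# "within 15 minutes" from the reply above
FLAP_WINDOW_SECONDS = 15 * 60


@dataclass
class HaDevice:
    """One member of an active/passive pair (toy model, not PAN-OS code)."""
    name: str
    state: str                       # "active", "passive", "non-functional", "suspended"
    max_flaps: int = 3               # default per the reply; 0 means infinite
    flap_times: List[float] = field(default_factory=list)
    log: List[Tuple[float, str, str]] = field(default_factory=list)

    def set_state(self, now: float, new: str) -> None:
        self.log.append((now, self.state, new))
        self.state = new

    def count_flap(self, now: float) -> bool:
        """Record an active -> non-functional flap at time `now`.

        Returns True when the configured maximum has been reached inside the
        15-minute window, i.e. the device must enter the suspended state.
        """
        self.flap_times = [t for t in self.flap_times if now - t <= FLAP_WINDOW_SECONDS]
        self.flap_times.append(now)
        return self.max_flaps > 0 and len(self.flap_times) >= self.max_flaps

    def link_restored(self, now: float) -> str:
        """Restored link/path connectivity does not clear a suspension."""
        return self.state

    def request_functional(self, now: float) -> str:
        """Operator runs 'request high-availability state functional'.
        Assumption: the device rejoins as passive while its peer is active."""
        if self.state == "suspended":
            self.set_state(now, "passive")
        return self.state


def simulate_flaps(max_flaps: int = 3, holddown: float = 1.0, max_cycles: int = 20):
    """Run the non-functional loop while monitoring fails on both members.

    `holddown` is the monitor-fail-holddown time in seconds (assumed value).
    Returns the two devices with their transition logs.
    """
    a = HaDevice("fw-a", "active", max_flaps)
    b = HaDevice("fw-b", "passive", max_flaps)
    now = 0.0
    active, standby = a, b
    for _ in range(max_cycles):
        # 1. the active member detects the link/path failure
        if standby.state != "passive":
            break   # assumption: with no peer able to take over it stays active
        if active.count_flap(now):
            active.set_state(now, "suspended")   # too many flaps in the window
        else:
            active.set_state(now, "non-functional")
        standby.set_state(now, "active")         # peer takes over
        if active.state == "suspended":
            break
        # 2. after monitor-fail-holddown the failed member becomes passive
        now += holddown
        active.set_state(now, "passive")
        # 3. the new active member sees its peer passive; its own monitors are
        #    still failed, so step 1 repeats with the roles swapped
        active, standby = standby, active
    return a, b


if __name__ == "__main__":
    fw_a, fw_b = simulate_flaps()
    for dev in (fw_a, fw_b):
        print(dev.name, dev.state, dev.log)
```

With the defaults, fw-a is suspended on its third flap while fw-b stays active, which is the "one of the devices will remain active" outcome; setting `max_flaps=0`, or a holddown long enough that flaps fall outside the window, keeps the pair cycling indefinitely.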


In a 4.02 firewall pair, if I have both virtual wires and a Layer 3 config, it seems that I would want to use "auto" instead of "shutdown" (under Device Tab > HA > Active Passive Configuration) because that's better for a Layer 3 situation and path monitoring. But does this mean that I would have a forwarding loop since the vwires would stay up on both boxes? Do I have to implement Spanning tree between the switches before and after the PA boxes to prevent this looping or is there a PA mechanism to control this?  How do both network types live together in an HA pair?
