PAN failover causes Cisco issues

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

PAN failover causes Cisco issues

L1 Bithead

Hi Guys,

Has anyone seen the PAN causing an issue with Cisco ASAs when doing a failover? I don't have much details yet but wanted to see if anyone has seen this or something similar.

Thank you in advance.


7 REPLIES 7

L7 Applicator

Hello X,

Could you please let us know how the HA has been configured on PAN firewall, i.e in Layer-3 mode, V-Wire or L-2..?

you may check ha-agent logs for more details information: pan> less mp-log ha-agent.log

Few related docs for your reference:

High Availability Failover Optimization

Re: Cisco SCPS traffic being dropped

Gratuitous ARP in HA Failover

Logical Shutdown of an Interface Does Not Cause HA Failover

Admin Disabled Link (Part of a Link Group) Will Not Cause a Failover in HA Cluster

Thanks

L4 Transporter

Hello X,

The info provided is very less, however since you mentioned about failover, please check if the HA settings has the 'Passive link state' as shutdown. You can change it to 'auto' which reduces the failover time since the passive links will be up even before the failover. Hence, the time taken to bring up the passive links can be reduced. During this time, it is possible that you might see some issues with respect to arp on the connected devices.

If possible provide us more details.

Regards,

Dileep

L3 Networker

I have no issues failing the PAN's that sit behind the Cisco ASA's.  The PAN interface's are a Vwire and untrust is plugged into layer 2 vlan that the inside interfaces of the ASA's are connected to.

L6 Presenter

Hi X,

If devices are configured properly than there should not be issue. Many customers uses this kind of set up.

Please provide us network topology that way we can suggest more.

Regards,

Hardik Shah

Hi Guys,

Thanks for the replies. I have more info now. The setup is an active/active using vwire interfaces. Apparently, putting the PAN in an active/active vwire disables the failover ability of the ASA HA cluster. I'm gonna guess the topology is similar to the one below.

Cisco ASA1------Cisco ASA2

     |                         |

------------Switch------------

     |                         |

PAN1                   PAN2

I have the config if anyone is interested.

It's a vwire with HA3 enabled. I'm not sure if that's what's causing the issue.

Would you be able to share your configuration?

Thanks

L7 Applicator

Hello X,

The HA peer will synchronize information with its peer through the HA1 and HA2 interfaces. It can also continue to process traffic for existing sessions that is being sent to it from a neighboring device by forwarding it to the active peer over the HA3 interface. Hence, i don't think the HA-3 link will create any problem here.

I would request you to go through the DOC in details, this might give you a better understanding  : High Availability Failover Optimization

Thanks

  • 4573 Views
  • 7 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!