10-21-2014 08:34 AM
Hi Guys,
Has anyone seen the PAN causing an issue with Cisco ASAs when doing a failover? I don't have many details yet but wanted to see if anyone has seen this or something similar.
Thank you in advance.
10-21-2014 08:45 AM
Hello X,
Could you please let us know how the HA has been configured on the PAN firewall, i.e. in Layer-3 mode, V-Wire or L-2?
You may check the ha-agent logs for more detailed information: pan> less mp-log ha-agent.log
A few related docs for your reference:
High Availability Failover Optimization
Re: Cisco SCPS traffic being dropped
Logical Shutdown of an Interface Does Not Cause HA Failover
Admin Disabled Link (Part of a Link Group) Will Not Cause a Failover in HA Cluster
Thanks
10-21-2014 08:46 AM
Hello X,
The info provided is very limited; however, since you mentioned failover, please check if the HA settings have the 'Passive link state' set to shutdown. You can change it to 'auto', which reduces the failover time since the passive links will be up even before the failover. Hence, the time taken to bring up the passive links can be reduced. During this time, it is possible that you might see some issues with respect to ARP on the connected devices.
If possible provide us more details.
Regards,
Dileep
10-21-2014 12:02 PM
I have no issues failing over the PANs that sit behind the Cisco ASAs. The PAN interfaces are a vwire, and untrust is plugged into a layer 2 VLAN that the inside interfaces of the ASAs are connected to.
10-21-2014 02:06 PM
Hi X,
If the devices are configured properly then there should not be an issue. Many customers use this kind of setup.
Please provide us the network topology; that way we can suggest more.
Regards,
Hardik Shah
10-23-2014 08:25 AM
Hi Guys,
Thanks for the replies. I have more info now. The setup is an active/active using vwire interfaces. Apparently, putting the PAN in an active/active vwire disables the failover ability of the ASA HA cluster. I'm gonna guess the topology is similar to the one below.
Cisco ASA1------Cisco ASA2
    |               |
------------Switch------------
    |               |
  PAN1            PAN2
I have the config if anyone is interested.
It's a vwire with HA3 enabled. I'm not sure if that's what's causing the issue.
10-23-2014 08:25 AM
Would you be able to share your configuration?
Thanks
10-23-2014 08:32 AM
Hello X,
The HA peer will synchronize information with its peer through the HA1 and HA2 interfaces. It can also continue to process traffic for existing sessions that is being sent to it from a neighboring device by forwarding it to the active peer over the HA3 interface. Hence, I don't think the HA3 link will create any problem here.
I would request you to go through the doc in detail; this might give you a better understanding: High Availability Failover Optimization
Thanks