What would happen if you suspended both of your firewalls in an active/passive HA configuration? Starting with suspending the passive firewall first and then the primary firewall.
I like your answer, it's very creative. So the flow stops passing through both PA's. I would have thought they would just no longer be in HA or maybe they would be in a split-brain state.
Well, I did have a little play on our test boxes after your post, and I suppose the most logical explanation is that you are suspending the device, not the HA status. Albeit not the management interface.... and yes, all interfaces were rouge..
Thanks for testing it for me, wish I had some test boxes. Are they hardware or virtual? I guess I won't be trying that on my real network since I don't like melting phones or slinging burgers.
They are hardware (3050's).
For the record....
We are currently running all of our boxes on 7.1.15, we tried an upgrade to 8 last year and had to roll back,
partly because of the early release of 8 that we were using, partly because I'm still struggling with some of the next generation stuff...
The company took the option to purchase 2 spares for testing the next upgrade to 8.07; also, it's nice to have a hot standby as not all of our firewalls are HA. Further down the line we have a new site to cope with, so they will eventually be used for that...
Off the record....
You know how it works when departments have asked for x amount of money and don't spend it by the end of the year...
Your company must have access to way more money than we do LOL. I have been contemplating upgrading to 8 during the summer break, but the issues with xauth & the VPN are making me think twice about it.
Touching/expanding on what @MickBall stated; when you suspend the firewall HA is no longer functional. 'Suspend' is referenced a lot like it's some kind of 'HA Failover' command, and it is in the sense that it will cause an HA failover. That being said, you bring the device to a non-functional device. Once a firewall is in the 'suspended' state, it can only be made functional manually.
This is done so that any issue that would normally force the firewall to enter a 'suspended' state automatically, such as interface/path monitoring flaps, preemption issues, do not continue to cause flapping across the HA pair. When you 'suspend' your other HA unit you'll effectively be left without a functional device.
Once you restart the device it will be in the default 'functional' state, not suspended. This is why the upgrade procedure says that you should disable preempt, as it would prevent the primary device from automatically re-taking the active state until you want it to do so.