This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

sync issues

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

sync issues

jdprovine
L4 Transporter

‎08-16-2017 07:14 AM

My HA pair went into split brain so I rebooted the secondary and now they will not sync

0 Likes Likes
7 REPLIES 7

TranceforLife
L6 Presenter

‎08-16-2017 09:09 AM

Are they still able to communicate over the control plane? 

0 Likes Likes

jdprovine
L4 Transporter
In response to TranceforLife

‎08-16-2017 09:33 AM

After hitting sync peer many times they finally worked and synced

0 Likes Likes

OtakarKlier
Cyber Elite
Cyber Elite
In response to jdprovine

‎08-16-2017 02:18 PM

Hello,

Do you have 'Device Priority' enabled? This does help with the split brian issues sometimes.

 

 

Election Settings
Specify or enable the following settings:
Device Priority—Enter a priority value to identify the active firewall. The firewall with the lower value (higher priority) becomes the active firewall (range is 0–255) when the preemptive capability is enabled on both firewalls in the pair.

 

Regards,

0 Likes Likes

TranceforLife
L6 Presenter
In response to OtakarKlier

‎08-16-2017 02:51 PM - edited ‎08-16-2017 02:56 PM

The problem is if firewalls are unable to communicate (exchange "Heartbeat" messages) then each device assumes active role.

 

EDIT:

 

Ohh misread your message. Yes, you are right. I thought we are talking about preemption

 

0 Likes Likes

OtakarKlier
Cyber Elite
Cyber Elite
In response to TranceforLife

‎08-16-2017 02:54 PM

Hello,

Yes that is true, however the split brain arises when communication is restored. So this should help solve that issue, correct?

 

Regards,

Remo
L7 Applicator
In response to OtakarKlier

‎08-16-2017 04:30 PM

The device priority does not help you in split-brain situations. Split-brain is, as described by @TranceforLife, when the firewalls cannot communicate, so both peers assume the other one is down -> both change to active state.

 

The device priority is primary needed if you have one firewall which should, in most cases, handle the traffic. So in combination with preemptive mode, this makes sure that after a problemsituation is solved, the firewall with the higher priority (lower value) will change back to active.

If you don't care which firewall is active, there is actually no need to set different values (even if I recommend to do it anyway), because if both firewalls have the same value, the one with the lowest mac address will become the active clustermember.

 

@jdprovine

If you need to reboot the firewall after a split-brain to restore full functionality of the cluster, this sounds to me like a bug ... do you have PAN-OS 8.0.1 running?

jdprovine
L4 Transporter
In response to Remo

‎08-17-2017 08:58 AM

@Remo

 

no i am currently on os 7.1.10, I think we are going to try to connect the heartbeat via fiber without running through switches or any other devices which seem to be the main cause in our situtation.

0 Likes Likes
  • 2864 Views
  • 7 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks