02-24-2025 01:35 PM
I have a standalone PA-440 that I am in the process of moving to HA. I have all the wiring done with ISP1 and ISP2 broken out and going to the same ports on each of the 440s. That part all seems fine. I have all the licenses in place and I have green dots and sync across everything in the HA widget on the dashboard.
I only have a single switch at this location and the current PA-440 is plugged into port 48 on my Ruckus switch. I plugged the passive into port 47 (same config, VLANs, etc.) and the port went down with err-disabled BPDUGUARD. Is that expected? I want to cycle the port to bring it out of the error state, but don't want to bork anything as it is a remote facility. Wondering if I need to set up LACP/LAG on the switch for ports 47 and 48 since they will have the same MAC address.
I have verified that with 'show interface all' on both PA-440s that the MAC addresses are the same on all interfaces. On the passive, will the ports I am using (apart from HA) be 'configured but down'? Is that expected as well? I have the passive link state set to shutdown, so I am guessing so. Any benefit or issue with changing that to auto? Want to keep the failover timing on this as low as possible.
02-25-2025 10:34 AM
Hi @inSync-MarkValpreda ,
No, it is not expected that the port goes error-disabled with BPDUGuard. The NGFW does not initiate BPDUs, but it can forward them for L2/VWire interfaces. My guess is that the passive may still have had the default VWire configuration on it when the ports were initially plugged in. The ports connected to the passive NGFW should be configured exactly the same as the corresponding ports connected to the active NGFW. As long as HA is up, the configuration is synced and the NGFW is in the passive state, it is safe to bring up the ports to the passive NGFW.
You do not want to set up LACP on ports connected to 2 different NGFWs. With the same config on the ports connected to active and passive, the MAC address should only show on the port connected to the active NGFW. If you want to configure LACP with multiple ports to each NGFW, configure 1 group to 1 NGFW, and a 2nd group to the 2nd NGFW. If you want LACP to be pre-negotiated on the passive NGFW, check the "Enable in HA Passive State" box under the AE interface. This will require that the passive link state be set to auto as well.
As you asked, changing the passive link state to auto will speed up the failover a little bit. The ports will be up on the passive. You should see no traffic or MAC addresses on the passive ports.
Thanks,
Tom
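The switch-side checks Tom describes (the shared firewall MAC should be learned only on the active unit's port, nothing on the passive's port, and no err-disabled port on the passive side) can be scripted against pasted CLI output. The block below is an added example, not code from the thread or from Palo Alto Networks or Ruckus. The MAC-table and port-status formats, the MAC address and the port names 1/1/47 and 1/1/48 are constructed placeholders that only approximate a switch's output; adapt the two parsers to the real column layout before use.

```python
"""Sanity-check a switch's view of an active/passive NGFW pair.

Added example; the sample text below is constructed, not real Ruckus or
PAN-OS output, and the port names / MAC address are assumptions.
"""
from __future__ import annotations

import re

# Constructed: MAC reported by 'show interface all' on both PA-440s (identical on each).
FW_MAC = "00:1b:17:00:01:10"

# Constructed MAC table, columns: MAC  port  VLAN. Healthy: MAC only on the active port.
MAC_TABLE = """\
00:1b:17:00:01:10  1/1/48  10
00:1b:17:00:01:10  1/1/48  20
aa:bb:cc:dd:ee:01  1/1/3   10
"""

# Constructed: same MAC learned on both ports, i.e. the passive is forwarding too.
MAC_TABLE_SPLIT = MAC_TABLE + "00:1b:17:00:01:10  1/1/47  10\n"

# Constructed port status, columns: port  link  errdisable-reason ('-' if none).
PORT_STATUS_ERRDISABLED = """\
1/1/47  Down  BPDUGUARD
1/1/48  Up    -
"""
PORT_STATUS_HEALTHY = """\
1/1/47  Down  -
1/1/48  Up    -
"""


def norm_mac(mac: str) -> str:
    """Normalize 'aa:bb:..', 'aa-bb-..' or 'aabb.ccdd.eeff' to lowercase colon form."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def parse_mac_table(text: str) -> dict[str, set[str]]:
    """Map each learned MAC to the set of ports it was seen on (any VLAN)."""
    seen: dict[str, set[str]] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        seen.setdefault(norm_mac(parts[0]), set()).add(parts[1])
    return seen


def parse_port_status(text: str) -> dict[str, tuple[str, str]]:
    """Map port -> (link state, err-disable reason or '-')."""
    status: dict[str, tuple[str, str]] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3:
            status[parts[0]] = (parts[1].lower(), parts[2])
    return status


def check_ha_pair(fw_mac: str, active_port: str, passive_port: str,
                  mac_table_text: str, port_status_text: str) -> list[str]:
    """Return findings; an empty list is what a synced pair with passive
    link state 'shutdown' should look like from the switch."""
    findings: list[str] = []
    mac = norm_mac(fw_mac)
    ports_with_mac = parse_mac_table(mac_table_text).get(mac, set())
    status = parse_port_status(port_status_text)

    _state, reason = status.get(passive_port, ("unknown", "-"))
    if reason != "-":
        findings.append(f"passive port {passive_port} is err-disabled ({reason}); "
                        "re-enable only after confirming HA is synced and the unit is passive")
    if active_port not in ports_with_mac:
        findings.append(f"firewall MAC {mac} not learned on active port {active_port}")
    if passive_port in ports_with_mac:
        findings.append(f"firewall MAC {mac} learned on passive port {passive_port}: "
                        "passive unit is forwarding (possible split-brain)")
    extra = sorted(ports_with_mac - {active_port, passive_port})
    if extra:
        findings.append(f"firewall MAC {mac} learned on unexpected ports {extra}")
    return findings


if __name__ == "__main__":
    for label, table, ports in (("as posted", MAC_TABLE, PORT_STATUS_ERRDISABLED),
                                ("after clearing", MAC_TABLE, PORT_STATUS_HEALTHY),
                                ("split-brain", MAC_TABLE_SPLIT, PORT_STATUS_HEALTHY)):
        print(label, "->", check_ha_pair(FW_MAC, "1/1/48", "1/1/47", table, ports) or ["OK"])
```

Run it with the real tables pasted in place of the constructed ones; the "split-brain" finding is the one to act on before touching the err-disabled port, since re-enabling port 47 while both units forward would put the duplicate MAC on two ports of the same VLAN.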
02-25-2025 01:59 PM
Good call on when the HA device was plugged in. I think it might have been in the initial state where the interfaces are in virtual wire. I will cycle that port.
No LACP on the ports connected to the different NGFWs... got it! I do have another one that I am going to do where there is an AE interface plugged into two different switches in a stack. I think I have those set for passive on the switch already.
Is there anything that I should do on the switch to keep the failover time as low as possible?
02-25-2025 06:59 PM - edited 02-26-2025 02:35 PM
This is a good doc on HA best practices. https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm5ZCAS
With regard to HA Timer Settings, most people use Recommended, but if you want faster failover, choose Aggressive.
I would definitely configure Link Monitoring. I would only configure Path Monitoring if you have redundant switches toward the ISP.
EDIT: No, there is nothing else you would do on the switch.
02-26-2025 02:38 PM
Thanks for the info on the switch.
I inherited this PA set up, so not sure where the 'link monitoring' is, or if it is set up. I just know PBF is set up for the ISP failover.
No redundant switches to the ISP in this location.