04-22-2026 04:38 PM
Hello all,
I would like to get some idea/thoughts about the current setup on my two PA1410 Active/Passive FW failover concerns.
Few weeks ago, our Active FW has some issues and hung on the data plane. I found there was some missing configurations on our network side so the Failover didn't work at all. So eventually I resumed it, and raised the support case and found out that the FWs hit the bugs and will need to upgrade the PANOS to newer version.
Last week, I fixed the networking issue, and tested the failover. It works fine. But with few concerns that may need to figure out before the upgrade on the OS.
1. The failover from Active to Passive takes around 10 seconds and roughly 7 pings before the network connection resumed.
2. To trigger the first failover from Active to Passive, I used the Operation Commands in the Active FW GUI to Suspend local to the HA. After the checking and testing completed, I tried to Resume the Active FW, so I click the Resume link in Operation Commands. I expected that it will be automatically Failback to Active from the Passive FW. But I wait for another 3 minutes, it still running in the Passive. So I click the Suspend local to the HA in the Passive FW. Then the failback resumed back to normal.
For the Issue 1, I am not quite sure the parameters and values are not configured properly.
For Issue 2, I checked that the Preemptive option was not ticked in the Passive FW. It looks like this is the cause as the HA doc saying that this option must be ticked for both FWs.
Here I tried to attached the details on the HA section.
| PAN01 | PAN02 | ||
| Mode | Active-Passive | Active-Passive | |
| Local status | Active | Passive | |
| Peer status | Passive | Active | |
| HA1 | UP | UP | |
| HA1 Backup | UP | UP | |
| HA2 | UP | UP | |
| Enable HA | Tick | Tick | |
| Group ID | 10 | 10 | |
| Active/Passive Settings | |||
| Passive Link State | shutdown | shutdown | |
| Monitor Fail Hold Down Time | 1 min | 1 min | |
| Ele_tion Settings | |||
| Device Priority | 100 | 110 | |
| Preemptive | Tick | Tick | |
| Heartbeat Backup | Not Tick | Not Tick | |
| HA Timer Settings | Recommended | Recommended | |
| HA1 | |||
| Port | ha1-a | ha1-a | |
| Monitor Hold Time | 3000 ms | 3000 ms | |
| HA2 | |||
| Enable Session Syn | Tick | Tick | |
| Port | hsci | hsci | |
| Transport | ethernet | ethernet | |
| HA2 keep-alive | Not Tick | Not Tick | |
| HA1 Backup | |||
| Port | ha1-b | ha1-b | |
| Link and Path Monitoring | |||
| Link Monitoring | Enabled | Enabled | |
| Link Monitoring - Failure Condition | any | any | |
| Link Group | Not defined | Not defined | |
| Path Monitoring | Enabled | Enabled | |
| Path Monitoring - Failure Condition | any | any | |
| Path Group | Not defined | Not defined |
Thank you in advance.
Have a great day.
Timothy
04-23-2026 12:43 AM
Hi !
sounds like your failover is taking quite a lot of time, are you using LACP links or dynamic routing?
To speed up your failover time, you can make a few small adjustments:
- set passive link state to 'auto' so the interface is already 'on'
- if you have LACP/LAG interfaces, see if you can enable 'enable in HA passive state'
this will ensure your interfaces are already up and connected before a failover happens
check if your switch has some sort of ARP hold timers that could prevent the MAC address of the firewalls to hop to a different port when there is a failover
- in the event of a failover, the virtual MAC addresses used by the primary firewall's interfaces are taken over by the secondary unit and it starts sending out gratuitous ARP messages to remap ARP tables, but your switch may not agree
preempt will help fall back to the primary unit after a short outage, but for longer outages you will still need to fail back manually
hope this helps
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
