HA Passive interfaces not coming up.

Hi All, I have searched the community before posting; however, I cannot find a solution for the issue I am experiencing.

We have a very straightforward physical topology: a Cisco 9500 switch stack operating as a StackWise Virtual chassis. On switch 1 we have a single layer 2 copper connection to Palo-1 for inside traffic (inside to outside); on switch 2 we have a single layer 2 copper connection to Palo-2 for inside traffic (inside to outside). Palo-1 is the active FW, Palo-2 is the passive FW. HA is configured and directly connected, and the passive link state is 'shutdown'. The 9500 interfaces are configured as 'access' mode interfaces with spanning-tree portfast edge applied.

The issue we are seeing is that during a manual failover from Palo-1 to Palo-2, the interfaces on Palo-2 do not become active; they remain down. I am not sure if changing the passive link state to 'auto' will help at all, other than to speed up convergence time.

Can anyone please suggest what could be the issue?

Thanks!

How are you failing the cluster over?

- manually setting the active member to suspended state (Device > High Availability > Operational Commands > Suspend local device)

- unplugging/shutting an interface

The last option also requires you to monitor your interfaces via Device > High Availability > Link and Path Monitoring.

Otherwise, your cluster will not fail over.

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
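The two failover methods above, as an added CLI walkthrough that is not part of the reply or of Palo Alto's documentation: it checks the HA role, the link/path monitoring status and the passive-link-state setting on the active member, then forces a failover by suspending it and verifies the passive member's data-plane links come up. Hostnames Palo-1/Palo-2 follow the thread; the configure-mode paths are shown in their assumed PAN-OS form and the group settings are assumptions about this cluster.

```text
# On the active member (Palo-1): confirm the HA role and which monitors are enabled
admin@Palo-1> show high-availability state
admin@Palo-1> show high-availability link-monitoring
admin@Palo-1> show high-availability path-monitoring

# Read the passive-link-state and link-monitoring settings from the config
# (config tree paths shown in their assumed PAN-OS form)
admin@Palo-1> configure
admin@Palo-1# show deviceconfig high-availability group mode active-passive passive-link-state
admin@Palo-1# show deviceconfig high-availability group monitoring link-monitoring
admin@Palo-1# exit

# Method 1 from the reply above: suspend the active member to force a failover
admin@Palo-1> request high-availability state suspend

# On the former passive member (Palo-2): it should now report active, and its
# data-plane interfaces should show link up
admin@Palo-2> show high-availability state
admin@Palo-2> show interface all

# Return Palo-1 to the cluster; without preemption it stays passive
admin@Palo-1> request high-availability state functional
```

With passive-link-state set to shutdown, the switch port facing the passive member is expected to show notconnect until that member becomes active; with auto, the passive member keeps its links physically up (the switch shows connected) but does not forward traffic, which is what shortens convergence. Method 2 (pulling a cable) only triggers a failover if that interface is listed in a link-monitoring group, as the reply says.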

Hi, thanks for the response!

The links are monitored and the failover is being initiated as you have suggested above. We have changed the passive link state to auto from shutdown; however, the ports on the passive Palo-2 connected to the core switch virtual chassis (switch 2) are in a 'notconnect' state. When these connections are moved from core switch virtual chassis (switch 2) to (switch 1), the ports transition into a connected state. Does this suggest a loop in either the core switch or the Palo cluster? No logs are available on the core switch.

Hm, that's tricky. I'd be inclined to 'blame' switch 2.

The firewall should not care about loops when bringing up its interfaces. As soon as the firewall becomes 'active/primary', the interfaces should come online regardless. If there's a loop you'll see a lot of errors on the interface, etc., but the interfaces will remain up.

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
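The switch-side checks that follow from this reply, as an added example that is not part of the thread: the port configuration restates what the first post describes (access mode, portfast edge), and the show commands compare the switch 2 port facing Palo-2 with the switch 1 port facing Palo-1 and look for port-level causes of notconnect (errdisable, speed/duplex, a degraded stack member) rather than a spanning-tree loop, which would leave the port up but with errors. The interface names TenGigabitEthernet1/0/1 and TenGigabitEthernet2/0/1, the descriptions and VLAN 10 are assumptions about this chassis.

```text
! Assumed port config on the 9500 StackWise Virtual pair (interface name,
! description and VLAN are hypothetical; mode and portfast edge are from the post)
interface TenGigabitEthernet2/0/1
 description Palo-2 inside
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast edge

! Compare the port facing the active member with the port facing the passive
! member; with passive-link-state auto both should show "connected"
Switch# show interfaces status | include Palo
Switch# show interfaces TenGigabitEthernet2/0/1
Switch# show interfaces TenGigabitEthernet2/0/1 counters errors
Switch# show spanning-tree interface TenGigabitEthernet2/0/1 detail

! A loop shows up as a port that is up with climbing error/discard counters;
! notconnect that clears when the same cable is moved to switch 1 is a
! port- or link-layer question on switch 2, so check these next
Switch# show interfaces status err-disabled
Switch# show errdisable recovery
Switch# show running-config interface TenGigabitEthernet2/0/1
Switch# show running-config interface TenGigabitEthernet1/0/1
Switch# show stackwise-virtual
Switch# show logging | include TenGigabitEthernet2/0/1
```

Diffing the two `show running-config interface` outputs catches a hard-coded speed or duplex on one member's port that the other lacks, which matters on copper links; `show stackwise-virtual` confirms switch 2 is a healthy member of the virtual chassis before suspecting the port itself.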