09-02-2024 02:28 AM
Hi All, I have searched the community before posting however I cannot find a solution for the issue I am experiencing.
We have a very straightforward physical topology. A cisco 9500 sw switch stack operating as a stackwise-virtual chassis. On Switch 1 we have a single layer 2 copper connection to Palo-1 for inside traffic (inside to outside), on switch 2 we have a single layer 2 copper connection to Palo-2 for inside traffic (inside to outside). Palo-1 is the active FW, Palo-2 is the Passive FW. HA is configured and directly connected, passive link state is 'shutdown'. The 9500 interfaces are configured as 'access' mode interfaces with spanning-tree portfast edge applied.
The issue we are seeing is during a manual failover from Palo-1 to Palo-2, the interfaces on Palo-2 do not become active, they remain down. I am not sure if changing the passive link state to 'auto' will help at all, other than speed up convergence time.
Can anyone please suggest what could be the issue?
Thanks!
09-02-2024 04:09 AM
how are you failing the cluster over?
- manually setting the active member to suspended state ( device > high availability > operational commands > suspend local device)
- unplugging/shutting an interface
the last option also requires you to monitor your interfaces via device > high availability > link and path monitoring
else, your cluster will not fail over
09-03-2024 01:55 AM
Hi - thanks for the response!
The links are monitored and the failover is being initiated as you have suggested above. We have changed the passive link state to auto from shutdown however the ports on passive Palo-Alto 2 connected to the core switch virtual chassis (switch 2) are in a 'notconnect' state. When these connections are moved from core switch virtual chassis (switch 2) to (switch 1), the ports transition into a connected state. Does this suggest a loop in either the core switch or the Palo cluster? No logs are available on the core switch.
09-09-2024 03:36 AM
hm... that's tricky.... i'd be inclined to 'blame' the switch2
the firewall should not care about loops when bringing up it's interfaces. As soon as the firewall becomes 'active/primary' the interfaces should come online regardless. If there's a loop you'll see a lot of errors on the interface etc, but the interfaces will remain up
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
