This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Who rated this post

mplewis
L0 Member

‎08-04-2023 10:29 AM - edited ‎08-04-2023 10:54 AM

Scenario 1:

With passive link state set to shutdown, I would expect the firewalls to hit their flap limit. That scenario would result in failover to firewall 2, back to firewall 1 (due to preempt with higher priority value), then back to firewall 2. Assuming a flap limit of 3, firewall 1 would remain in a suspended state due to 'non-functional loop detected' until admin intervention, while firewall 2 continued to support traffic.

 

Scenario 2:

As you suggested, setting passive link state to auto would result in a cleaner failover. Firewall 1 would fail to firewall 2 and stay there. Firewall 1 would stay suspended due to monitored link down. Once the link is back up, firewall 1 would renegotiate HA, and should become the active unit since it's configured to preempt with a higher priority value.

 

Scenario 3:

If a monitored link on each firewall failed (e.g. e1/1 on both firewalls), one of them would become suspended due to non-func loop, regardless of passive link state being shutdown or auto. Recovery would require admin intervention, same as the first scenario.

 

If there's something I overlooked or didn't take into account, feel free to correct me.

(1)
Who rated this post
LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2025 - Palo Alto Networks