About arun_sh

which PAN OS caused this issue?  Yes I know its shown as resolved in 8.1.9 but where is the issue? ... View more

the reason why some of the Palo Alto firewalls in HA are facing this split brain scenario is due to this BUG -106914. this is mentioned in 8.1.9 PAN OS as addressed issue.   please find the detail: Fixed an issue on a firewall in a high availability (HA) active/passive configuration where HA1 and HA2 links stopped passing packets, which caused a split-brain condition after an automatic configuration sync. hence , either you are using AUX or mgmt port or any other port, if this bug is hit then HA will stop working and FWs will become active active. I am sure my config though having AUX for HA1 but mgmt for HA1 backup(not physical, but through election settings), was hit with this BUG as well.   please do upgrade HA FWs with downtime only as there is no mention of any particular hardware model.     ... View more

Okay. so even We were hit by this bug. we have two 5220 PA FW in HA and HA1 connected via AUX. We were in plan to upgrade from 8.0.10 to 8.1.7 but then while secondary was upgraded and rebooted to 8.1.7 , split brain scenario was occured and we had both our firewall in active active and whole network was down.     Then we get to know from PA that its a bug. then we proceeded for 8.1.9 upgrade and it was resolved.   but now I have a question and looking for solid answer here- this bug only caused HA1 link to remain down but then what about the HA1 backup hearbeat, as we had heartbeat backup enabled in election settings and by default it takes mgmt port. Hence if HA1 was down due to bug, why backup heartbeat did not function through mgmt and made sure that HA can be acheived. could you pleaee help? ... View more