10-22-2020 02:13 AM
Hello,
We have a pair of VM300 PAs in Azure set up in Active-Passive. They are running 9.0.7 code with VM-Series plug-in 1.0.8.
There was an issue in Azure on 19/10/20 which caused a failover and recovery (we use pre-emption). After this issue the PAs were up and running but not passing traffic. We found that the secondary IP addresses (i.e. floating IPs) had been moved to the Azure VM for the Passive firewall (PA2). Hence no traffic was flowing, as this firewall was passive. We failed over from the Active (PA1) to this firewall (PA2) and some traffic started to flow, but everything was incredibly slow. We tried restarting VMs, failing back over, etc., but nothing would change the state of the secondary IP addresses; they were locked to PA2.
Eventually we completely powered down the VM which was running PA1 and things started to run OK again. We then configured PA2 to always be Active and powered PA1 back up. PA1 came back up, re-established HA and things were running fine, PA2 Active, PA1 Passive. We then suspended PA2 to trigger failover and again we had issues with secondary addresses. The secondary addresses on the untrust VM interface floated over to PA1 correctly, but the secondary address on the Trust VM interface disappeared completely from both PA1 and PA2. No failovers, restarts, etc. recovered this address.
We powered down PA2 and had to manually re-create the secondary address on Trust on PA1 to restore service. This is the state we are now in.
Can someone please assist / recommend next steps? Failover, it seems, is broken.
Thanks
Ryan
10-28-2020 06:12 AM
Do any of the interfaces have public IPs associated with them?
I also had a similar issue, but in my case I had public IPs associated with the interface and I used the Standard SKU for it. Once I changed it to Basic SKU the failover is working fine for me. However, the failover time was 6 to 8 mins each time.
In your Active/Passive scenario, do you have L2L VPN tunnels configured?
11-09-2020 02:16 AM
Hello, thanks for the response. Yes, we have public IPs on one interface; I will ask our CSP for guidance on this setup.
Yes, we have L2L tunnels configured as well. Are there issues here which could be the cause?
Thanks again for the reply
Ryan
11-09-2020 05:36 AM
I ran the failover test like 20 times in the Active Standby Scenario. Two things I observed there.
1. A couple of times that tunnel took 20 mins to failover.
2. Three times the tunnel didn't come up after the failover; I had to do a force re-negotiate.
08-20-2021 11:51 AM
Was there ever a solution found for this issue? If so, could you please share?
08-31-2021 01:24 AM
Hi there, no solution, no. I am pending some assistance from PA TAC once I can arrange an outage. We have tried multiple code versions and plug-ins but the problem remains. I will update once I have an update, hopefully in the coming month.
10-06-2021 08:51 AM
Still no "solution" to this, but we carried out a controlled failover last week and it worked, the first time it has worked as it should have done since the PAs were stood up about 2 years ago. FYI the code we are on is 9.0.13, Azure plugin 1.0.13.
We have some upgrades coming up over the next few months to get to 9.1, so it will be interesting to see if any issues occur then. Otherwise I can only assume something was fixed in the background at the Azure end, or maybe I just got lucky...
12-16-2021 11:10 PM
I have always found this failover mechanism within Azure to be impractically slow. I look forward to the day when it improves.