Palo Alto HA

-

 HA cluster : 2 identical

P/A: support L2, L3 and VW. 

A/A: support L3 and VW.

PA200 only support HA lite which is not stateful 


HA1: Control Plane Link (L3): heartbeat, HA state info, routing sync, user-ID info.

HA2: Data Plane Link (L2, stateful link): sync sessions, FIB, IPsec sa, ARP.

HA3: For A/A, forward packet

heartbeat backup can run on mgmt interface


Preemptive: lower number has high priority


Management interface has dedicated IP, data interface IP  on the active FW, standby FW has no IP. By default, data interface on standby FW is in shutdown status.

When FWs are directly connected in same LAN, HA2 using ethernet Transport protocol, doesn't need an IP address 

admin@PA-916-B(passive)> show interface hardware
total configured hardware interfaces: 3
name                    id    speed/duplex/state        mac address
--------------------------------------------------------------------------------
ethernet1/1             16    ukn/ukn/down(power-down)  00:0c:29:7a:5c:0c
ethernet1/3             18    10000/full/up             00:0c:29:7a:5c:20
ethernet1/4             19    10000/full/up             00:0c:29:7a:5c:2a
aggregation groups: 0

admin@PA-916-A(active)> show high-availability state

Group 5:
  Mode: Active-Passive
  Local Information:
    Version: 1
    Mode: Active-Passive
    State: active (last 51 minutes)
    Device Information:
      Management IPv4 Address: 172.16.1.60/24
      Management IPv6 Address: 
      Jumbo-Frames disabled; MTU 1500
    HA1 Control Links Joint Configuration:
      Encryption Enabled: no
    Election Option Information:
      Priority: 10
      Preemptive: yes
    Version Compatibility:
      Software Version: Match
      Application Content Compatibility: Match
      Anti-Virus Compatibility: Match
      Threat Content Compatibility: Match
      VPN Client Software Compatibility: Match
      Global Protect Client Software Compatibility: Match
      VM License Type: Match
      Plugin Information:
        VMS: Match
    State Synchronization: Complete; type: ethernet
  Peer Information:
    Connection status: up
    Version: 1
    Mode: Active-Passive
    State: passive (last 44 minutes)
    Device Information:
      Management IPv4 Address: 172.16.1.61/24
      Management IPv6 Address:
      Jumbo-Frames disabled; MTU 1500
      Connection up; Primary HA1 link
      Connection up
      Keep-alive config log-only; status up; Primary HA2 Link
        Monitor Hold inactive; Allow settling after failure
    Election Option Information:
      Priority: 100
      Preemptive: yes
  Configuration Synchronization:
    Enabled: yes
    Running Configuration: synchronized
admin@PA-916-A(active)>


====================

heartbeat poll
interface monitor
path monitor

Config:

https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/high-availability/set-up-activepassive-ha/configure-activepassive-ha.html



show high-availability state 


HA2 Keepalive

When enabled it monitors the connection stability between the HA pair devices on HA2 connection
   With the HA2 keep-alive option enabled, the failover will also occur if the HA keep-alive messages fail based on the defined threshold


=====To failover traffic from active device to passive =====

 Failover on the current active member with the CLI command:
CLI:
 request high-availability state suspend

GUI:
Device > High Availability > Operational Commands – click Suspend local device for high availability


Restore the suspended firewall to a functional state

CLI:
request high-availability state functional

GUI:
Device > High Availability > Operational Commands – click make local device functional for high availability

================================

Preempt

Need be enabled on both units, priority has lower value wins
Default hold time is 1 mins


Link Monitoring

Tested when link monitoring and preempt are both enabled .

When node 1 has a link failure, failover happens, lost 6 ping packets, node1 LED ALAM turned to red, data ports go to disabled by default in passive node,  then link monitoring no longer works in the passive node, alarm is cleared, since preempt it on, failover happens again, active is back on unit 1, but soon get error and be suspended, failover happens again.












Comments

Post a Comment

Popular posts from this blog

Firepower FMC and FTD troubleshooting

-
 1. Display real time log on FMC or FTD: pigtail for example: pigtail | grep 192.168.2.20                      pigtail | grep sftunnel 2. Restart communication channel manage_procs.pl run it from  the sensor only, run it from FMC will reset all sensors' channel. This scripts are nice to be used when the FMC and FTD have communication problems like heartbeats are not received, policy deployment is failing or events are not received > expert ************************************************************** NOTICE - Shell access will be deprecated in future releases          and will be replaced with a separate expert mode CLI. ************************************************************** admin@FTD:~$ sudo su Password: root@FTD:/home/admin# manage_procs.pl ****************  Configuration Utility  **************  1   Reconfigure Correlator  2   Reconfigure and flush Correlator  3    Restart Comm. channel  4   Update routes  5   Reset all routes  6   Validate Network  0   Exit *****
Read more

ASA IKEv1 VPN troubleshooting Steps and Tips

-
  1. Phase I proposal mismatch  Run show crypto isakmp sa  Initiator: MM_WAIT_MSG2 Responder: No info  Most likely this is phase1 proposal mismatch, verify IKEv1 policy, other symptoms:   Initiator log: Information Exchange processing failed All configured IKE versions failed to establish the tunnel Initiator debug: Received an un-encrypted NO_PROPOSAL_CHOSEN notify message, dropping Responder log: Error processing payload: Payload ID Responder debug:  All SA proposals found unacceptable 2. IKE version mismatch:  Run  show crypto isakmp sa  no info at both initiator and responder Initiator log: Removing peer from correlator table failed, no match! Reason: User Requested  All configured IKE versions failed to establish the tunnel Initiator debug: Oakley begin quick mode PHASE 1 COMPLETED IKE Initiator sending 1st QM pkt Removing peer from correlator table failed, no match! Session is being torn down. Reason: User Requested Responder log: Tunnel Rejected: Conflicting protocols specified
Read more

Firepower 2100/1100 FTD/ASA initial setup, reimage, upgrade.

-
  Chassis FXOS and FTD share same management IP (default 192.168.45.45) Chassis FXOS (192.168.45.45) and ASA ()use different management IP although on same physical interface. SSH to FXOS/FTD are on FTD CLI prompt, go to FXOS using the  connect fxos  command Console to Chassis is on FXOS CLI prompt, go to FTD using the  connect ftd  command The Firepower 1100 does not support the FXOS Firepower Chassis Manager; only a limited CLI is supported for troubleshooting purposes. The Firepower 2100 runs an underlying operating system called the Firepower eXtensible Operating System (FXOS).  If you run ASA on Firepower 2100, ASA can be in the following modes: Appliance mode (the default after ASA 9.13)—Appliance mode lets you configure all settings in the ASA. Only advanced troubleshooting commands are available from the FXOS CLI. See the  FXOS troubleshooting guide  for more information. Firepower Chassis Manager is not supported . ciscoasa# connect fxos [admin] Connecting to fxos. Connected
Read more