✅ What is Active-Active HA in Palo Alto?
In Active-Active HA:
🔹 Both firewalls are ACTIVE at the same time
🔹 Traffic is load-shared between both firewalls
🔹 If one firewall fails → the other continues handling traffic
👉 Goal: High performance + High availability
🧠 How Active-Active HA Works (Easy Example)
🖥️ Firewall A = Active
🖥️ Firewall B = Active
Users → Firewall A & Firewall B (both process traffic)
If Firewall A fails:
➡️ Firewall B continues traffic processing
No downtime (if configured correctly).
⚠️ Where Active-Active HA is Used
✅ Data centers
✅ Cloud environments
✅ Large enterprises
❌ NOT recommended for small networks
🚨 Common Issues in Active-Active HA (Real Production Problems)
❌ 1. Session Asymmetry (Most Common Problem)
Cause:
Traffic goes through Firewall A
Return traffic comes through Firewall B
Impact:
Sessions drop
Applications fail
Users complain
❌ 2. Split Brain (Both Firewalls Think They Are Primary)
Cause:
HA1 link failure
Heartbeat lost
Impact:
🔥 Network outage or packet drops
🔥 Duplicate routing
🔥 Traffic loops
❌ 3. Session Sync Failure
Cause:
HA2 link misconfigured
Session synchronization disabled
Impact:
VPN disconnects, web apps reset
❌ 4. Routing Issues
Cause:
Dynamic routing not synchronized
ECMP misconfiguration
Impact:
Traffic blackholes and asymmetric routing
❌ 5. NAT & IP Conflict Issues
Cause:
Same NAT IP on both firewalls
Incorrect NAT sync
Impact:
Websites unreachable, external IP conflicts
🛠️ Troubleshooting Active-Active HA (Step-by-Step)
✅ 1. Check HA Status
show high-availability state
👉 Both should show ACTIVE
✅ 2. Check HA Links
show high-availability all
Verify:
HA1 = Control Link
HA2 = Data Link
✅ 3. Verify Session Synchronization
GUI:
Device → High Availability → General → Session Synchronization
👉 Must be ENABLED
✅ 4. Check ARP and Routing Asymmetry
show session all filter source <ip>
👉 Ensure the same firewall handles both directions of a session
✅ 5. Verify Routing Sync
show routing protocol bgp summary
show routing protocol ospf neighbor
👉 Both firewalls must have the same routing tables
✅ 6. Check NAT Sync
show high-availability active-active
👉 NAT tables must match
✅ 7. Test Failover Safely
request high-availability state suspend
👉 Test during maintenance window
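An added example (not from the original post) that turns steps 1 to 3 above into a check you can run against both peers at once: it parses the XML that the PAN-OS XML API returns for `show high-availability state` and flags split brain, a dead HA1/HA2 link or incomplete session sync. The element names and the embedded sample responses are constructed for illustration and must be confirmed against your PAN-OS version.

```python
import xml.etree.ElementTree as ET

# Constructed sample responses in the general shape the PAN-OS XML API returns
# for `show high-availability state` (type=op). The element names used here are
# assumptions; confirm them against your PAN-OS version before relying on this.
FW_A_HEALTHY = """<response status="success"><result><enabled>yes</enabled><group>
<mode>Active-Active</mode>
<local-info><state>active-primary</state><state-sync>Complete</state-sync></local-info>
<peer-info><state>active-secondary</state>
<conn-ha1><conn-status>up</conn-status></conn-ha1>
<conn-ha2><conn-status>up</conn-status></conn-ha2></peer-info>
</group></result></response>"""
# Firewall B's healthy view is the mirror image: local secondary, peer primary.
FW_B_HEALTHY = (FW_A_HEALTHY.replace("active-primary", "@").replace(
    "active-secondary", "active-primary").replace("@", "active-secondary"))
# Constructed split-brain view (issue 2 above): HA1 is down, so each unit claims
# active-primary and reports its peer as unknown.
FW_SPLIT = (FW_A_HEALTHY.replace("<state>active-secondary</state>", "<state>unknown</state>")
            .replace("<conn-ha1><conn-status>up", "<conn-ha1><conn-status>down"))


def parse_ha_state(xml_text):
    """Pull out the fields that steps 1 to 3 of the troubleshooting list inspect."""
    group = ET.fromstring(xml_text).find("./result/group")
    field = lambda path: (group.findtext(path) or "unknown").strip().lower()
    return {"mode": field("mode"), "local": field("local-info/state"),
            "peer": field("peer-info/state"), "sync": field("local-info/state-sync"),
            "ha1": field("peer-info/conn-ha1/conn-status"),
            "ha2": field("peer-info/conn-ha2/conn-status")}


def assess_pair(name_a, view_a, name_b, view_b):
    """Compare both peers' views and return a list of findings (empty = healthy)."""
    findings = []
    if view_a["local"] == view_b["local"] == "active-primary":
        findings.append("split brain: both peers claim active-primary")
    for name, v in ((name_a, view_a), (name_b, view_b)):
        if v["mode"] != "active-active":
            findings.append(f"{name}: not in Active-Active mode ({v['mode']})")
        if v["ha1"] != "up" or v["peer"] == "unknown":
            findings.append(f"{name}: HA1 control link down or peer unknown")
        if v["ha2"] != "up":
            findings.append(f"{name}: HA2 data link down, sessions will not sync")
        if v["sync"] != "complete":
            findings.append(f"{name}: session state sync incomplete ({v['sync']})")
    return findings


if __name__ == "__main__":
    ok = assess_pair("fw-a", parse_ha_state(FW_A_HEALTHY), "fw-b", parse_ha_state(FW_B_HEALTHY))
    print("healthy pair:", ok or "no findings")
    for f in assess_pair("fw-a", parse_ha_state(FW_SPLIT), "fw-b", parse_ha_state(FW_SPLIT)):
        print("split-brain pair:", f)
```

In production the two XML strings would come from each peer's management interface via the XML API; the assessment logic stays the same.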
💡 Best Practices for Active-Active HA
✔ Use symmetric routing (very important)
✔ Use L3 ECMP carefully
✔ Enable session synchronization
✔ Use dedicated HA links (not via switch)
✔ Test failover every 3–6 months
✔ Avoid Active-Active unless required
✔ Monitor HA health alerts
🎯 Final Thought
Active-Active HA is complex and risky.
If designed wrong → it can cause bigger outages than no HA.
👉 Many enterprises prefer Active-Passive for stability.