Let’s break it down in simple terms 👇
✅ What is Active-Passive HA in Palo Alto?
In Active-Passive HA:
One firewall is Active (handles traffic)
One firewall is Passive (standby backup)
If Active fails → Passive becomes Active automatically
👉 Goal: Zero downtime and business continuity
🧠 How Active-Passive HA Works (Easy Example)
🖥️ Firewall A = Active
🖥️ Firewall B = Passive
Users → Firewall A → Internet
If Firewall A crashes:
➡️ Firewall B takes over in milliseconds
No user should notice anything.
⚠️ Common Issues in Active-Passive HA (Real Production Problems)
❌ 1. HA Failover Not Happening
Cause:
HA cables disconnected
Control link down
Heartbeat missing
Impact:
If Active fails → Passive does NOT take over 😱
❌ 2. Split Brain (Both Firewalls Become Active)
Cause:
HA1 link failure
No heartbeat between firewalls
Impact:
Both firewalls think they are Active → random packet drops or application disconnects
❌ 3. Session Loss During Failover
Cause:
Session sync disabled
HA2 link not configured
Impact:
VPN drops, users disconnect, apps restart
❌ 4. Config Mismatch Between Firewalls
Cause:
Manual misconfiguration on the Passive firewall
HA sync disabled
Impact:
Policies differ → traffic breaks after failover
❌ 5. ARP / MAC Issues After Failover
Cause:
Gratuitous ARP not sent
Switch cache not updated
Impact:
Traffic is still forwarded to the old (failed) firewall
🛠️ Troubleshooting Active-Passive HA (Step-by-Step)
✅ 1. Check HA Status
show high-availability state
👉 Verify which firewall is Active and Passive
✅ 2. Check HA Links
show high-availability all
Verify:
HA1 (Control Link)
HA2 (Data Link)
✅ 3. Verify Config Sync
show high-availability config-synchronization
👉 Config must be synchronized
✅ 4. Check Session Sync
GUI:
Device → High Availability → General → Session Synchronization
👉 Must be ENABLED
✅ 5. Force Failover Test (Safe Method)
request high-availability state suspend
👉 Active becomes Passive
👉 Passive becomes Active
(Always test during maintenance window)
✅ 6. Check Logs for HA Errors
Monitor → Logs → System
Filter: HA
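The checks in steps 1 to 4 can be automated. The script below is an added example, not from the original post or from Palo Alto Networks: it parses a constructed XML document shaped like what the PAN-OS XML API returns for "show high-availability state" (the element names enabled, group, local-info/state, peer-info/state, peer-info/conn-status, running-sync and local-info/state-sync are assumptions) and maps the result onto the five failure modes listed above.

```python
import xml.etree.ElementTree as ET

# Constructed sample response (field names are assumptions, not captured output).
# It deliberately shows a split-brain: both peers report "active" while the
# control link is down, and session sync has not completed.
SAMPLE_HA_XML = """<response status="success"><result>
  <enabled>yes</enabled>
  <group>
    <local-info>
      <state>active</state>
      <state-sync>Incomplete</state-sync>
    </local-info>
    <peer-info>
      <state>active</state>
      <conn-status>down</conn-status>
    </peer-info>
    <running-sync>synchronized</running-sync>
  </group>
</result></response>"""


def assess_ha(xml_text):
    """Return a list of findings, one per HA problem detected in the XML."""
    root = ET.fromstring(xml_text)
    findings = []
    if root.findtext("./result/enabled") != "yes":
        findings.append("HA is disabled on this firewall")
        return findings  # nothing else to check without HA
    group = root.find("./result/group")
    local_state = group.findtext("local-info/state")
    peer_state = group.findtext("peer-info/state")
    # Issue 2: split brain, both peers believe they are Active
    if local_state == "active" and peer_state == "active":
        findings.append("split-brain: both firewalls report active (check HA1 / heartbeat)")
    # Issue 1: control link down, so failover cannot be negotiated
    if group.findtext("peer-info/conn-status") != "up":
        findings.append("peer connection down: failover will not happen")
    # Issue 4: running config differs between peers
    if group.findtext("running-sync") != "synchronized":
        findings.append("config not synchronized: policies may differ after failover")
    # Issue 3: session table not replicated over HA2
    if group.findtext("local-info/state-sync") != "Complete":
        findings.append("session sync incomplete: sessions will drop on failover")
    return findings


if __name__ == "__main__":
    for finding in assess_ha(SAMPLE_HA_XML):
        print("HA WARNING:", finding)
```

Feed it the live API response instead of SAMPLE_HA_XML and alert on any non-empty result; a healthy pair returns an empty list.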
💡 Best Practices for Palo Alto HA
✔ Dedicated HA cables (not through a switch)
✔ Enable Session Sync
✔ Enable Config Sync
✔ Test failover quarterly
✔ Enable Preemption carefully
✔ Monitor HA health alerts
🎯 Final Thought
HA is NOT just a checkbox feature.
If configured wrong, HA itself can cause a network outage.
Every network engineer should test HA failover in a lab before production.