One of the firewalls in a High Availability pair (HA) moves into the "suspended" state due to Preemption loop

Created On 09/25/18 19:54 PM - Last Modified 10/05/23 23:47 PM


Symptom


  • One of the firewalls in a High Availability pair (HA) moves into the "suspended" state due to Preemption loop.
suspended (Preemption loop detected)
preemption-loop


Environment


  • Palo Alto Firewalls in High Availability HA configuration.
  • Supported PAN-OS
  • Each node is configured with a priority value, and preemption is enabled so that one node is preferred over the other.
  • Link monitoring OR path monitoring is configured on individual nodes.

 


Cause


The following sequence of events can cause the failure:
  • When a link or path monitoring (or both) failure condition is detected, the Active device moves to non-functional state. Refer: HA-firewall-states
  • When the link/path monitoring is up again, the non-functional node moves into the passive state.
  • Since preemption is enabled in the setup, the passive device, which has the higher priority (that is, the lower priority value), moves into the active state.
  • If further instances of failure conditions are encountered, such as link OR path monitoring, the active node will keep changing its state from Active > Non-functional > Passive > Active.
  • The node moves into "Suspend" state due to preemption loop if "Maximum number of flaps" are observed.
  • A flap is counted when the firewall leaves the active state within 15 minutes after it last left the active state. 
  • This value indicates the maximum number of flaps that are permitted before the firewall is suspended and the passive firewall takes over (range 0-16, default 3).
  • Maximum number of flaps can be configured as follows:
max-flaps
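The flap-counting rule above can be checked against a node's HA state-change history. The following is an added example, not Palo Alto Networks code: the three-column event format, the function names, and the counter reset after a departure outside the 15-minute window are assumptions made for illustration, and the sample events are constructed.

```python
from datetime import datetime, timedelta

FLAP_WINDOW = timedelta(minutes=15)  # window stated in the article

# Constructed sample (not real PAN-OS log output): timestamp, old state, new state
SAMPLE_EVENTS = """\
2023-10-05T10:00:00 active non-functional
2023-10-05T10:02:00 non-functional passive
2023-10-05T10:03:00 passive active
2023-10-05T10:06:00 active non-functional
2023-10-05T10:08:00 non-functional passive
2023-10-05T10:09:00 passive active
2023-10-05T10:12:00 active non-functional
2023-10-05T10:14:00 non-functional passive
2023-10-05T10:15:00 passive active
2023-10-05T10:18:00 active non-functional
"""

def parse_events(text):
    """Parse 'timestamp old_state new_state' lines into sorted tuples."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, old, new = line.split()
        events.append((datetime.fromisoformat(ts), old, new))
    return sorted(events)

def first_suspension(events, max_flaps=3):
    """Return (time, flap_count) when flaps reach max_flaps, else None."""
    if not 1 <= max_flaps <= 16:  # 0 is in the documented range but not modelled here
        raise ValueError("max_flaps must be 1-16 for this model")
    last_left, flaps = None, 0
    for ts, old, new in events:
        if old != "active" or new == "active":
            continue  # only departures from the active state matter
        if last_left is not None and ts - last_left <= FLAP_WINDOW:
            flaps += 1  # left active again within 15 minutes: one flap
        else:
            flaps = 0  # assumption: a quiet window restarts the count
        last_left = ts
        if flaps >= max_flaps:
            return ts, flaps
    return None

if __name__ == "__main__":
    print(first_suspension(parse_events(SAMPLE_EVENTS)))
```

With the default of 3, the constructed history reaches the limit on the fourth departure from the active state, since the first departure has no earlier one to be measured against.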


 


Resolution


  1. A node in suspended state can only be made functional (Active or Passive) manually.
  2. Follow steps documented in "How to Recover HA Pair Member from the Suspended State"

Before making the node functional, consider the following recommendations:

  • Investigate and fix the cause of the interface and/or path monitoring flaps.
  • If the node is made functional in an unstable environment, it will likely move into a suspended state again. 
  • Remove the preempt option from the nodes until the monitoring status is stable.
  • This will help the healthy node retain the Active state, while the node encountering flaps will remain in the non-functional/passive state for investigation.
  • It is advised to set the "Passive link state" setting to "Auto". Refer to "What is the Difference between Auto and Shutdown mode for Passive Link?"
  3. After following the steps in the KB article "How to Recover HA Pair Member from the Suspended State", the affected node moves into the "Passive" state and eventually to the "Active" state due to preemption and its high priority.


Additional Information


Flap-Max Timer Setting
  • The flap-max is the number of times a device is allowed to go into a Non-Functional or Tentative state before moving into a Suspended state to keep the devices from flapping.  
  • The flap-max defaults to 3 and is cleared on the system after 10 to 20 minutes, depending on the kind of loop that is being detected.
  • A Non-Functional failure counts as a "flap" or loop whenever a device goes into a Non-Functional state.
  • A preemption loop is counted every time a device preempts the other device and on every failure this count is checked against the flap-max. 

