One of the firewalls in a High Availability pair (HA) moves into the "suspended" state due to Preemption loop
Created On 09/25/18 19:54 PM - Last Modified 10/05/23 23:47 PM
Symptom
- One of the firewalls in a High Availability pair (HA) moves into the "suspended" state due to Preemption loop.
suspended (Preemption loop detected)
- The device with the higher priority (the lower priority value) moves into the suspended (Preemption loop detected) state.
- This is slightly different from a device going into the suspended state due to a non-functional loop. Refer to "When does an HA node go into Suspended state due to Non-Functional loop".
Environment
- Palo Alto firewalls in a High Availability (HA) configuration.
- Supported PAN-OS
- Each node is configured with a priority value, and preemption is enabled so that a particular node is preferred as the active device.
- Link monitoring OR path monitoring is configured on individual nodes.
Cause
The following sequence of events can cause the failure:
- When a link or path monitoring (or both) failure condition is detected, the active device moves to the non-functional state. Refer: HA-firewall-states
- When link/path monitoring comes back up, the non-functional node moves into the passive state.
- Since preemption is enabled in the setup, the passive device, which has the higher priority (the lower priority value), moves into the active state.
- If further link or path monitoring failures occur, the active node keeps cycling through Active > Non-functional > Passive > Active.
- The node moves into the "suspended" state due to a preemption loop once the "Maximum number of flaps" is observed.
- A flap is counted when the firewall leaves the active state within 15 minutes after it last left the active state.
- The "Maximum number of flaps" value is the number of flaps that are permitted before the firewall is suspended and the passive firewall takes over (range 0-16, default 3).
- Maximum number of flaps can be configured as follows:
Resolution
Additional Information
Flap-Max Timer Setting
- The flap-max is the number of times a device is allowed to go into a Non-Functional or Tentative state before moving into a Suspended state to keep the devices from flapping.
- The flap-max defaults to 3 and is cleared on the system after 10 to 20 minutes, depending on the kind of loop that is being detected.
- A Non-Functional failure counts as a "flap" or loop whenever a device goes into a Non-Functional state.
- A preemption loop is counted every time a device preempts the other device, and on every failure this count is checked against the flap-max.
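
The flap rule from the Cause section (a flap is a departure from the active state within 15 minutes of the previous one, default limit 3), modelled here as an added Python example for reviewing exported HA state changes; it is not Palo Alto Networks code and not part of the original article. The tuple format, function names and sample timestamps are constructed, and two behaviours are assumptions marked in the comments: the count resets after a gap longer than the window, and suspension happens when the count reaches the limit.

```python
from datetime import datetime, timedelta

FLAP_WINDOW = timedelta(minutes=15)  # window stated in the article
DEFAULT_MAX_FLAPS = 3                # default stated in the article

def find_preemption_suspend(transitions, max_flaps=DEFAULT_MAX_FLAPS):
    """Model the flap rule for one node.

    transitions: time-ordered (timestamp, old_state, new_state) tuples.
    Returns (flap_count, suspend_time); suspend_time is None if the
    limit was never reached.
    """
    if not 1 <= max_flaps <= 16:
        # The article gives a range of 0-16 but does not say what 0 does.
        raise ValueError("this model covers max_flaps 1-16 only")
    flaps, last_left = 0, None
    for ts, old, new in transitions:
        if old != "active" or new == "active":
            continue  # only departures from the active state count
        if last_left is not None and ts - last_left <= FLAP_WINDOW:
            flaps += 1
        else:
            flaps = 0  # assumption: a gap longer than the window resets the count
        last_left = ts
        if flaps >= max_flaps:  # assumption: suspend once the limit is reached
            return flaps, ts
    return flaps, None

def at(hhmm):
    """Timestamp helper for the constructed samples (the date is arbitrary)."""
    return datetime.strptime("2023-10-05 " + hhmm, "%Y-%m-%d %H:%M")

def cycle(start_hhmm):
    """One constructed Active > Non-functional > Passive > Active loop."""
    t0 = at(start_hhmm)
    return [(t0, "active", "non-functional"),
            (t0 + timedelta(minutes=2), "non-functional", "passive"),
            (t0 + timedelta(minutes=3), "passive", "active")]

# Constructed sample: monitoring fails every 5 minutes and preemption
# returns the node to active each time.
LOOPING = cycle("10:00") + cycle("10:05") + cycle("10:10") + cycle("10:15")
# Constructed sample: the same failures 20 minutes apart (outside the window).
SPACED = cycle("10:00") + cycle("10:20") + cycle("10:40") + cycle("11:00")

if __name__ == "__main__":
    print(find_preemption_suspend(LOOPING))
    print(find_preemption_suspend(SPACED))
```

With the default limit, the looping sample reaches the limit on its fourth departure from active, while the spaced sample never accumulates a flap.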