Impact on traffic for high-availability active-passive port failure

Created On 03/03/20 10:29 AM - Last Modified 02/05/25 21:12 PM


Question


What is the impact on traffic when a High-Availability (HA) port fails?

Environment


  • PAN-OS
  • High-Availability
  • Active-Passive mode


Answer


The table below shows the impact when one or more HA ports go down.
 
Table showing the impact of the different HA port failures

| HA1 | HA1-B | HA2 | HA2-B | FW1 (active) | FW2 (passive) | System log messages | Impact on network traffic |
|---|---|---|---|---|---|---|---|
| DOWN | UP | UP | UP | active | passive | HA1 connection down; Control Link running on HA1-Backup connection | No impact |
| UP | DOWN | UP | UP | active | passive | HA1-Backup peer link down; HA1-Backup link down; HA1-Backup connection down | No impact |
| UP | UP | DOWN | UP | active | passive | HA2 link down; HA2 peer link down; Local HA2 keep-alive down; HA2-Backup link up | No impact |
| UP | UP | UP | DOWN | active | passive | HA2-Backup keep-alive down; HA2-Backup peer link down; HA2-Backup link down | No impact |
| DOWN | DOWN | UP | UP | active | active | All HA1 links down; All HA1 connections down; HA1 link down; HA1-Backup peer link down; HA1-Backup link down; (on FW2) Moved from state Passive to state Active; (post incident) Staying in Active state after split-brain recovery | New TCP sessions experience the split brain: connection success is random; ICMP ping flows normally; Current TCP sessions not interrupted; When the ports are recovered, the HA pair still needs to stabilize (not immediate) |
| DOWN | UP | DOWN | UP | active | passive | HA1 connection down; HA1 peer link down; HA2 link down; HA2 peer link down; Control Link running on HA1-Backup connection; Local HA2 keep-alive down | No impact |
| DOWN | UP | UP | DOWN | active | passive | HA1 link down; HA1 connection down; HA1 peer link down; Control link running on HA-1 Backup; Local HA2-Backup keep-alive down; HA2-Backup link down; HA2-Backup peer link down | No impact |
| UP | DOWN | DOWN | UP | active | passive | HA1-Backup link down; HA1-Backup peer link down; HA1-Backup connection down; HA2 link down; HA2 peer link down; Local HA2 keep-alive down | No impact |
| UP | DOWN | UP | DOWN | active | passive | HA1-Backup link down; HA1-Backup peer link down; HA1-Backup connection down; HA2-Backup link down; HA2-Backup peer link down; Local HA2-Backup keep-alive down | No impact |
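
The log messages in the table can be used for monitoring: the only tested combination with traffic impact is HA1 and HA1-Backup both down, confirmed by the passive peer moving to Active. The following is an added example, not code from the article or from PAN-OS; the "<date> <time> <host> <message>" line layout, the host names and the sample lines are constructed, and only the message wording comes from the table.

```python
import re

# Message wording as listed in the article's table, e.g. "HA1 connection down",
# "HA2-Backup peer link down", "Local HA2 keep-alive down", "HA2-Backup link up".
LINK_EVENT = re.compile(
    r"(?:Local )?(HA[12](?:-Backup)?) (?:peer )?(?:link|connection|keep-alive) (down|up)$")
ALL_HA1_DOWN = re.compile(r"All HA1 (?:links|connections) down$")
WENT_ACTIVE = "Moved from state Passive to state Active"
HA1_PATHS = frozenset({"HA1", "HA1-Backup"})  # both control-link paths


def assess(lines):
    """Replay merged log lines from both peers in time order.

    Returns (links_currently_down, findings). A finding is raised when both
    HA1 paths are down, and again if a peer then moves Passive -> Active,
    which is the split-brain row of the table.
    """
    down, findings, lost = set(), [], False
    for line in lines:
        # Constructed layout (assumption): "<date> <time> <host> <message>"
        date, time, host, msg = line.split(" ", 3)
        m = LINK_EVENT.search(msg)
        if m:
            (down.add if m[2] == "down" else down.discard)(m[1])
        elif ALL_HA1_DOWN.search(msg):
            down |= HA1_PATHS
        now_lost = HA1_PATHS <= down
        if now_lost and not lost:
            findings.append(("no-control-link", f"{date} {time}", host))
        if now_lost and WENT_ACTIVE in msg:
            findings.append(("split-brain", f"{date} {time}", host))
        lost = now_lost
    return down, findings


# Constructed sample: HA1 fails first, then HA1-Backup, then FW2 goes active.
SAMPLE = [
    "2020-03-03 10:05:10 fw1 HA1 connection down",
    "2020-03-03 10:05:10 fw1 Control Link running on HA1-Backup connection",
    "2020-03-03 10:07:42 fw1 HA1-Backup link down",
    "2020-03-03 10:07:45 fw2 Moved from state Passive to state Active",
]

if __name__ == "__main__":
    for kind, when, host in assess(SAMPLE)[1]:
        print(when, host, kind)
```
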


Additional Information


Test performed on 2 PA-3050:
  • PAN-OS 9.0.6
  • Passive state: shutdown
  • HA encryption disabled
  • Heartbeat Backup disabled
  • HA2 Keep-alive enabled - action set to Log Only

"Heartbeat Backup" can prevent a split brain when both HA1 links are down.

Related KB articles
DotW: What is Peer-Split-Brain?
How To Avoid HA Split-Brain due to Missed Heartbeats

Reference
PAN-OS Administrator guide
HA links and backup links

