Why is Static Route with Path Monitoring Enabled not removed from the FIB table after failover?
Created On 08/15/21 16:34 PM - Last Modified 08/27/21 16:14 PM
Question
Why is Static Route with Path Monitoring Enabled not removed from the FIB table after failover?
Environment
- PAN-OS versions: 8.1.x, 9.0.x, 9.1.x, 10.0.x, 10.1.x
- Active/Passive High Availability
- OSPF Graceful Restart Enabled
- Static Route with Path Monitoring Enabled
Answer
After a High Availability failover, the firewall that took over as Active re-establishes peering with its OSPF neighbors and, based on the "Grace Period", blocks FIB updates. FIB updates are enabled only when all the peers are established and the Link State Database (LSDB) has been exchanged. During that period the static route stays in the FIB even though path monitoring reports it as down. This behavior is by design and is an unsupported scenario when OSPF Graceful Restart is enabled on an Active/Passive HA setup.
Additional Information
- Path Monitoring Status:
    pan-admin@firewall(active)> show routing path-monitor virtual-router VR

    flags: A:active, S:static, E:ecmp

    VIRTUAL ROUTER: VR (id 2)
      ==========
    destination   nexthop       metric weight flags interface pathmonitor  status
    0.0.0.0/0     2xx.x.xx.xx   10            S     ae3.602   Enabled(All) Down
       |--> monitored-IP  interval/count  state
            8.8.8.8       18/10           Failed
- FIB table:
    pan-admin@firewall(active)> show routing fib virtual-router VR

    total virtual-router shown : 1

    --------------------------------------------------------------------------------
    virtual-router name: VR
    interfaces:
      ae3.602
    id    destination   nexthop        flags interface mtu
    --------------------------------------------------------------------------------
    435   0.0.0.0/0     2xx.xx.xx.xx   ug    ae3.602   1500
- System Log:
    2021/06/29 16:22:35 info routing VR routed- 0 OSPF started graceful restart.Protocol: OSPFv2. Restart type: unplanned
    2021/06/29 16:22:35 info routing routed- 0 FIB HA sync started when local device becomes master.
    2021/06/29 16:22:35 high ha state-c 0 HA Group 2: Moved from state Passive to state Active
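
One way to spot this condition after a failover is to compare the two command outputs above and flag any route that path monitoring reports as Down but that is still installed in the FIB. The script below is an added example, not Palo Alto Networks code; it assumes the column layout shown in the outputs on this page, and the sample text and addresses in it are constructed.

```python
import re
CIDR = r"\d{1,3}(?:\.\d{1,3}){3}/\d{1,2}"

# Constructed sample output, modelled on the CLI output shown on this page.
PATH_MONITOR = """\
VIRTUAL ROUTER: VR (id 2)
destination   nexthop       metric weight flags interface pathmonitor  status
0.0.0.0/0     203.0.113.1   10            S     ae3.602   Enabled(All) Down
   |--> monitored-IP  interval/count  state
        8.8.8.8       18/10           Failed
10.20.0.0/16  198.51.100.1  10            S     ae3.603   Enabled(All) Up
   |--> monitored-IP  interval/count  state
        192.0.2.10    3/5             Success
"""

FIB = """\
id   destination   nexthop       flags interface mtu
435  0.0.0.0/0     203.0.113.1   ug    ae3.602   1500
436  10.20.0.0/16  198.51.100.1  ug    ae3.603   1500
437  10.30.0.0/16  198.51.100.9  ug    ae3.604   1500
"""

def monitored_routes(text):
    """Map (destination, interface) -> path-monitor status ("Up" or "Down")."""
    routes = {}
    for line in text.splitlines():
        # Route rows start at column 0 with a CIDR; monitored-IP rows are indented.
        m = re.match(rf"({CIDR})\s+\S+\s+.*?(\S+)\s+Enabled\(\w+\)\s+(Up|Down)\s*$", line)
        if m:
            routes[(m.group(1), m.group(2))] = m.group(3)
    return routes

def fib_routes(text):
    """Set of (destination, interface) pairs currently installed in the FIB."""
    fib = set()
    for line in text.splitlines():
        f = line.split()
        if len(f) == 6 and f[0].isdigit() and re.fullmatch(CIDR, f[1]):
            fib.add((f[1], f[4]))
    return fib

def stale_routes(pm_text, fib_text):
    """Routes whose path monitor is Down but which are still in the FIB."""
    down = {k for k, st in monitored_routes(pm_text).items() if st == "Down"}
    return sorted(down & fib_routes(fib_text))

if __name__ == "__main__":
    for dest, ifname in stale_routes(PATH_MONITOR, FIB):
        print(f"stale: {dest} via {ifname} is path-monitor Down but still in FIB")
```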