Passive side interface stays down in HA PA-VM on AWS although passive link state setting "auto"

Created On 04/20/22 09:12 AM - Last Modified 07/30/25 20:51 PM


Symptom


On the passive firewall of a PA-VM HA pair on AWS, interfaces stay down even though the passive link state is set to "auto".

admin@FW1(passive)>
admin@FW1(passive)> show interface all

total configured hardware interfaces: 3

name                    id    speed/duplex/state        mac address
--------------------------------------------------------------------------------
ethernet1/1             16    auto/auto/up              06:9e:f3:bc:e5:71
ethernet1/2             17    ukn/ukn/down(autoneg)     06:59:e9:a6:9b:05
ethernet1/3             18    ukn/ukn/down(autoneg)     06:15:49:57:6e:e7

aggregation groups: 0
.......


Environment




Cause


The behavior is normal when using "Dataplane Interface Move" HA.



Resolution


  1. This is normal behavior when Interface Move is configured.
  2. In "Interface Move" HA, the ENIs attached to the active PA-VM instance move between the active firewall and the passive firewall.
  3. On the passive firewall, the interfaces are down because their ENIs are in use on the active PA-VM.


Additional Information


  • Sometimes the MAC address shows "00:00:00:00:00:00".
  • This happens because, after the PA-VM instance is rebooted, the ENIs are not attached and the MAC address becomes "00:00:00:00:00:00".
  • In this situation, once an HA failover occurs, the ENIs move from the failed PA-VM instance to this PA-VM instance; the interfaces then come up and the MAC addresses change.

admin@FW2(passive)> show interface all
total configured hardware interfaces: 3

name                    id    speed/duplex/state        mac address
--------------------------------------------------------------------------------
ethernet1/1             16    auto/auto/up              06:05:5f:fc:4f:8b
ethernet1/2             17    ukn/ukn/down(autoneg)     00:00:00:00:00:00
ethernet1/3             18    ukn/ukn/down(autoneg)     00:00:00:00:00:00
......... 

After failover, the HA interfaces show the MAC address.

admin@FW2(active)> show interface all

total configured hardware interfaces: 3

name                    id    speed/duplex/state        mac address
--------------------------------------------------------------------------------
ethernet1/1             16    auto/auto/up              06:05:5f:fc:4f:8b
ethernet1/2             17    auto/auto/up              06:59:e9:a6:9b:05
ethernet1/3             18    auto/auto/up              06:15:49:57:6e:e7 
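
The triage rule this article describes, written as an added Python example (not Palo Alto Networks code): it parses a captured `show interface all` session and separates down interfaces that are expected on the passive peer from ones that need attention. It assumes the pair uses Interface Move HA, which the output alone does not show; the function name, verdict strings and the second sample are constructed for illustration.

```python
import re

# HA role as printed in the CLI prompt, e.g. "admin@FW1(passive)>".
PROMPT = re.compile(r"^\S+@\S+\((active|passive)\)")
# One table row: name, id, speed/duplex/state, MAC address.
ROW = re.compile(r"^(\S+)\s+\d+\s+[^/\s]+/[^/\s]+/(\S+)\s+((?:[0-9a-f]{2}:){5}[0-9a-f]{2})$", re.I)
ZERO_MAC = "00:00:00:00:00:00"

def classify(cli_text):
    """Map each interface in a captured session to a verdict.
    Assumption: the HA pair is configured for Interface Move."""
    role, verdicts = None, {}
    for raw in cli_text.splitlines():
        line = raw.strip()
        prompt = PROMPT.match(line)
        if prompt:
            role = prompt.group(1)
            continue
        row = ROW.match(line)
        if not row:
            continue
        name, state, mac = row.group(1), row.group(2), row.group(3).lower()
        if state == "up":
            verdicts[name] = "ok"
        elif role == "passive" and mac == ZERO_MAC:
            verdicts[name] = "expected: ENI not attached since reboot"
        elif role == "passive":
            verdicts[name] = "expected: ENI in use on active peer"
        else:
            verdicts[name] = "investigate: down outside passive role"
    return verdicts

# Output of the rebooted passive peer, as shown in this article.
PASSIVE_REBOOTED = """admin@FW2(passive)> show interface all
total configured hardware interfaces: 3
name                    id    speed/duplex/state        mac address
--------------------------------------------------------------------------------
ethernet1/1             16    auto/auto/up              06:05:5f:fc:4f:8b
ethernet1/2             17    ukn/ukn/down(autoneg)     00:00:00:00:00:00
ethernet1/3             18    ukn/ukn/down(autoneg)     00:00:00:00:00:00
"""
# Constructed sample (not from the article): an interface down on the active peer.
ACTIVE_DOWN = """admin@FW9(active)> show interface all
ethernet1/1             16    auto/auto/up              02:00:00:00:00:01
ethernet1/2             17    ukn/ukn/down(autoneg)     02:00:00:00:00:02
"""

if __name__ == "__main__":
    print(classify(PASSIVE_REBOOTED), classify(ACTIVE_DOWN))
```

A down interface reported under an active prompt, or in a capture with no prompt line, is never treated as expected.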

