High-Availability - HA links status

Created On 04/26/22 16:46 PM - Last Modified 08/23/23 22:28 PM


Symptom


  • A link failure is detected on one of the HA links between the firewalls in an HA setup.
  • The status of the HA links is shown on the firewall Dashboard, or on the Strata Cloud Manager HA links status graph for firewalls with a Strata Cloud Manager subscription.


Environment


  • PAN-OS


Cause


If one of the HA links (HA1 link, HA2 link, an HA backup link, or the HA3 link in an active-active setup) is down, the firewall generates a system log message and the Strata Cloud Manager "HA links status" alert is triggered.

Resolution


  1. Use the High Availability widget on the firewall Dashboard, or the HA links status graph in the Strata Cloud Manager alert, to identify which HA link (if any) is down.
  2. If the HA1 link is down and either no HA1 backup link is configured or the configured HA1 backup link is also down, first stabilize the HA setup to avoid a "split brain" condition: suspend the "passive" firewall in an A/P setup, or the "active-secondary" firewall in an A/A setup. This is done under Device > High Availability > Operational Commands by clicking "Suspend local device for high availability". Then proceed with troubleshooting the HA1 link.
  3. Review the document HA Ports on Palo Alto Networks Firewalls for the recommended ports to use for HA on each device model and verify that the recommendation has been followed. For an A/P setup, also check the KB article HA ACTIVE/PASSIVE BEST PRACTICES.
  4. If an HA link is down, trace the physical cable and troubleshoot Layer 1 using the KB article HOW TO TROUBLESHOOT PHYSICAL PORT FLAP OR LINK DOWN ISSUE.
  5. If a dataplane port is used for an HA link and a transceiver is inserted, make sure the transceiver is one currently supported by Palo Alto Networks, as explained in the KB article HOW TO CONFIRM IF YOUR SFP TRANSCEIVER IS SUPPORTED BY PALO ALTO NETWORKS FIREWALL.
  6. Once the physical layer is verified, troubleshoot Layer 2 and the switch configuration if a switch connects the HA links.
  7. Once the data link layer (Layer 2) is verified, troubleshoot Layer 3 and the router configuration if a router connects the HA links.
  8. Once Layers 1, 2 and 3 are verified, make sure the correct UDP and TCP ports are allowed between the HA links, based on the document HA Links and Backup Links, and check the KB article WHICH PORTS NEED TO BE OPENED FOR PAN-OS IN HA TO SYNC AND COMMUNICATE?
  9. If all of the above is verified and encryption is enabled on the HA link, check whether disabling encryption on both firewalls in the HA pair for that link fixes the issue. If there is a problem with the encryption keys, or you simply want to renew them, follow the KB article HOW TO ENABLE ENCRYPTION ON HA1 IN HIGH AVAILABILITY CONFIGURATIONS.

Note: Whenever possible, connect the HA ports directly between the two firewalls in an HA pair (not through a switch or router) to avoid HA link and communication problems that a network issue could otherwise cause.
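As an added illustration (not code from this article or from Palo Alto Networks), the Python script below applies the decision logic of steps 1 and 2 to constructed, simplified log lines: it works out which HA link is currently down and whether HA1 control traffic has been lost (HA1 down with no working HA1 backup), which is the condition under which step 2 says to suspend a peer. The log line layout, link names and function names are assumptions made for the example, not the real PAN-OS system-log format.

```python
import re

# Constructed sample log in a simplified "<timestamp> ha <link> link-<state>" layout.
# This is NOT the real PAN-OS system-log format; it only illustrates the decision
# logic of the Resolution steps (which link is down, whether HA1 control is lost).
SAMPLE_LOG = """\
2024-01-01T10:00:00 ha ha1 link-down
2024-01-01T10:00:01 ha ha1-backup link-down
2024-01-01T10:00:03 ha ha2 link-down
2024-01-01T10:00:05 ha ha2 link-up
2024-01-01T10:00:09 ha ha3 link-up
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ha (?P<link>ha[123](?:-backup)?) link-(?P<state>up|down)$"
)

def latest_link_states(log_text):
    """Return the most recent state seen per HA link (later lines override earlier)."""
    states = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            states[m["link"]] = m["state"]
    return states

def down_links(states):
    """Links currently reported down, sorted for stable output."""
    return sorted(link for link, state in states.items() if state == "down")

def ha1_control_lost(states):
    """Step 2 condition: HA1 is down and no working HA1 backup exists
    (either no backup link was ever reported, or it is down as well)."""
    if states.get("ha1") != "down":
        return False
    backup = states.get("ha1-backup")  # None: no HA1 backup link configured/seen
    return backup is None or backup == "down"

def recommended_action(states, mode):
    """mode is 'A/P' or 'A/A'. Returns which peer to suspend (step 2), or None."""
    if not ha1_control_lost(states):
        return None
    if mode == "A/P":
        return "suspend the passive firewall"
    return "suspend the active-secondary firewall"
```

Running `recommended_action(latest_link_states(SAMPLE_LOG), "A/P")` on the constructed log returns the suspend recommendation, because HA1 and its backup are both down while HA2 has recovered.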


Additional Information


For more information about HA timers, see the HA Timers document.
