During HA failover on PA-400 series firewalls, interface link-up takes a long time on the new Active device
Created On 07/12/22 06:09 AM - Last Modified 03/28/25 23:29 PM
Symptom
- Palo Alto 400 Series firewall configured in High Availability mode.
- During HA failover from Passive to Active, interface link-up takes a long time.
- This may result in a traffic outage.
2022/07/08 10:32:56 high ha state-c 0 HA Group 1: Moved from state Passive to state Active
2022/07/08 10:32:59 info port ethern link-ch 0 Port ethernet1/1: Up auto duplex
2022/07/08 10:33:00 info port ethern link-ch 0 Port ethernet1/1: Up 1Gb/s-full duplex
2022/07/08 10:33:00 info port ethern link-ch 0 Port ethernet1/1: MAC Up
2022/07/08 10:33:02 info port ethern link-ch 0 Port ethernet1/2: Up auto duplex
2022/07/08 10:33:04 info port ethern link-ch 0 Port ethernet1/2: Up 1Gb/s-full duplex
2022/07/08 10:33:05 info port ethern link-ch 0 Port ethernet1/2: MAC Up
2022/07/08 10:33:08 info port ethern link-ch 0 Port ethernet1/3: Up auto duplex
2022/07/08 10:33:09 info port ethern link-ch 0 Port ethernet1/3: Up 1Gb/s-full duplex
2022/07/08 10:33:09 info port ethern link-ch 0 Port ethernet1/3: MAC Up
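To quantify the symptom from a saved system log, the following added example (not part of the original article or any Palo Alto Networks tooling) measures the seconds from each Passive-to-Active transition to each port's "MAC Up" entry. It assumes the log is ordered oldest first, as in the excerpt above, and treating "MAC Up" as the end of link-up is an assumption of this example; the function names are hypothetical.

```python
import re
from datetime import datetime

# System-log excerpt copied from the Symptom section (oldest entry first).
SAMPLE_LOG = """\
2022/07/08 10:32:56 high ha state-c 0 HA Group 1: Moved from state Passive to state Active
2022/07/08 10:32:59 info port ethern link-ch 0 Port ethernet1/1: Up auto duplex
2022/07/08 10:33:00 info port ethern link-ch 0 Port ethernet1/1: Up 1Gb/s-full duplex
2022/07/08 10:33:00 info port ethern link-ch 0 Port ethernet1/1: MAC Up
2022/07/08 10:33:02 info port ethern link-ch 0 Port ethernet1/2: Up auto duplex
2022/07/08 10:33:04 info port ethern link-ch 0 Port ethernet1/2: Up 1Gb/s-full duplex
2022/07/08 10:33:05 info port ethern link-ch 0 Port ethernet1/2: MAC Up
2022/07/08 10:33:08 info port ethern link-ch 0 Port ethernet1/3: Up auto duplex
2022/07/08 10:33:09 info port ethern link-ch 0 Port ethernet1/3: Up 1Gb/s-full duplex
2022/07/08 10:33:09 info port ethern link-ch 0 Port ethernet1/3: MAC Up
"""

LINE_RE = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\s+(.*)$")
FAILOVER_RE = re.compile(r"Moved from state Passive to state Active")
MAC_UP_RE = re.compile(r"Port (\S+): MAC Up")

def link_up_delays(log_text):
    """Return [(failover_time, {port: seconds until MAC Up})], one per failover."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip headers, blank lines and anything without a timestamp
        ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
        if FAILOVER_RE.search(m.group(2)):
            events.append((ts, {}))
        elif events:  # link events before the first failover are ignored
            port = MAC_UP_RE.search(m.group(2))
            # Record only the first MAC Up per port after the latest failover.
            if port and port.group(1) not in events[-1][1]:
                events[-1][1][port.group(1)] = int((ts - events[-1][0]).total_seconds())
    return events

def slowest_port(delays):
    """Return (port, seconds) for the port that came up last, or None."""
    return max(delays.items(), key=lambda kv: kv[1]) if delays else None

if __name__ == "__main__":
    for when, delays in link_up_delays(SAMPLE_LOG):
        print(when, delays)
        print("slowest:", slowest_port(delays))
```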
Environment
- PA-400 series firewalls only
- Active/Passive High Availability environment
- Issue seen during HA failover
- PAN-OS 10.1.x and 10.2.x
Cause
Interface link-up unexpectedly takes a long time on the internal network chip of PA-400 series firewalls.
Resolution
- PAN-181968 - (PA-400 Series firewalls in active/passive HA configurations only) Fixed an issue where, when HA failover occurred, link up on all ports took longer than expected, which caused traffic outages.