Why is heartbeat backup showing as down after HA1 and HA1 Backup cables are removed and one of the HA members is rebooted?

Why is heartbeat backup showing as down after HA1 and HA1 Backup cables are removed and one of the HA members is rebooted?

• Palo Alto Firewalls
• Supported PAN-OS
• High Availability (HA) Active/Passive

1. This is expected behavior. For the heartbeat backup link to be up, the devices need HA1 or HA1 Backup connection up and running in order to exchange the management IP information. Also, as per documentation, both HA members should be able to reach each other through management interfaces on tcp port 28771.
2. Under normal conditions, information should look as below:

3. Once this information has been exchanged and if both HA links fail, heartbeat backup will be used for heartbeat and hello messages, preventing split brain scenario. In this scenario, status should look as below:

4. However, if one of the members is rebooted this information will be lost, and if HA1 and HA1 Backup connectivity is not restored, firewall devices will not be able to connect to each other, triggering split brain event. After the reboot in this scenario, status should look as below:

5. This will also happen if cables are removed and ha_agent process is restarted on one of the devices.

In a different scenario, the heartbeat backup link can also show as down if the peer ip address is not included in the permit list of the management interface, as explained in this link:

HA communications.

Heartbeat backup recommendations and guidelines for Active/Passive HA.