When does an HA node go into Suspended state due to Tentative loop?

Created On 10/02/23 17:07 PM - Last Modified 11/18/24 22:46 PM


Symptom


One of the firewalls in an active/active (A/A) High Availability (HA) pair moves into the "suspended" state due to a Tentative loop. This can be detected in the system logs:
critical ha non-fun 0 HA Group 1: Going to Suspended state due to detection of a Tentative loop after 3 loops allowed

and the final state reason in the output of the CLI command "show high-availability all" will show:

State Reason: Non-functional loop detected


Environment


  • Palo Alto Firewalls
  • Supported PAN-OS
  • High Availability (HA)
  • Active - Active configuration
  • Link monitoring OR path monitoring is configured on individual nodes


Cause


A firewall in HA A/A moves into a Tentative state for one of the following reasons:

  • Failure of a firewall. (Exception: a failure related to the Error state due to a dataplane failure or a configuration mismatch, such as only one firewall configured for packet forwarding, VR sync or QoS sync.)
  • Failure of a monitored object (a link or path).
  • The firewall leaves suspended or non-functional state.


Resolution


  1. Properly address the reason behind the firewall leaving its active state.
  2. If the firewall is in a healthy state and the reason is related to HA Link and Path Monitoring, then verify the configuration under Device > High Availability > Link and Path Monitoring.
  3. Follow the steps of How to Recover HA Pair Member from the Suspended State.


Additional Information


For more information about Tentative State refer to the HA firewall states document.
Check When does an HA node go into Suspended state due to Non-Functional loop? and note that in active/passive mode, all the causes listed for the Tentative state result in a non-functional state. It's important to clarify that the Tentative state is specific to active/active firewall setups only.

Flap-Max Timer Setting
The flap-max is the number of times a device is allowed to go into a Non-Functional or Tentative state before moving into a Suspended state to keep the devices from flapping. The flap-max defaults to 3 and is cleared on the system after 10 to 20 minutes, depending on the kind of loop that is being detected. A Non-Functional failure counts as a "flap" or loop whenever a device goes into a Non-Functional state. A preemption loop is counted every time a device preempts the other device, and on every failure this count is checked against the flap-max.

Note: If the HA firewall in a pair transitions between the HA tentative and HA active states, you will observe an increase of 1 in the "Non-functional states" flap counter.

admin@PA3250-2(tentative)> show high-availability flap-statistics

Group 11:
Mode: Active-Active
Flap Statistics:
Preemptions since flap counter reset : 0
Non-functional states since flap counter reset : 1
Maximum flaps allowed before suspending device : 3
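
The following Python example is added here and is not Palo Alto Networks code: it scans exported system-log lines for the suspension message shown under Symptom and reads the flap-statistics output above to report how far the highest flap counter is from the flap-max. The function names and the warn_at threshold are assumptions made for illustration; the sample inputs are copied from this article.

```python
import re

# Suspension message quoted in the Symptom section of this article.
SUSPEND_RE = re.compile(
    r"HA Group (?P<group>\d+): Going to Suspended state due to detection of "
    r"an? (?P<kind>.+?) loop after (?P<allowed>\d+) loops allowed")
# "label : number" counter lines from the flap-statistics output.
COUNTER_RE = re.compile(r"^\s*(?P<label>[^:]+?)\s*:\s*(?P<value>\d+)\s*$")
PREEMPT = "Preemptions since flap counter reset"
NONFUNC = "Non-functional states since flap counter reset"
FLAP_MAX = "Maximum flaps allowed before suspending device"

# Sample inputs copied from this article.
SAMPLE_LOG = ["critical ha non-fun 0 HA Group 1: Going to Suspended state due "
              "to detection of a Tentative loop after 3 loops allowed"]
SAMPLE_CLI = """Group 11:
Mode: Active-Active
Flap Statistics:
Preemptions since flap counter reset : 0
Non-functional states since flap counter reset : 1
Maximum flaps allowed before suspending device : 3
"""


def find_suspensions(log_lines):
    """Return one dict per log line that records a loop-triggered suspension."""
    events = []
    for line in log_lines:
        m = SUSPEND_RE.search(line)
        if m:
            events.append({"group": int(m["group"]), "kind": m["kind"],
                           "allowed": int(m["allowed"])})
    return events


def flap_headroom(cli_output, warn_at=1):
    """Headroom = flap-max minus the highest counter; warn_at is our own threshold."""
    stats = {m["label"]: int(m["value"])
             for m in map(COUNTER_RE.match, cli_output.splitlines()) if m}
    missing = [k for k in (PREEMPT, NONFUNC, FLAP_MAX) if k not in stats]
    if missing:
        raise ValueError(f"counters not found in output: {missing}")
    worst = max(stats[PREEMPT], stats[NONFUNC])
    headroom = stats[FLAP_MAX] - worst
    return {"flap_max": stats[FLAP_MAX], "worst": worst,
            "headroom": headroom, "warn": headroom <= warn_at}
```

Because the counters are cleared after the flap-max timer expires, a monitoring job built on this would need to poll more often than that interval to see a rising count.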

 

 

