Secure fabric Active/Inactive switched over when disable controller port on ION at DC site

Created On 11/09/22 02:27 AM - Last Modified 02/29/24 01:03 AM


Symptom


  • DC site with two ION devices (ION1 and ION2).
  • Both ION devices are connected to the same branch site.
  • On the DC side, the controller port is in the same segment/VLAN as the network port used to peer with the core.
  • "Disable controller port" is executed on DC site ION1.
  • The secure fabric link switches over to the second device, ION2.
  • The active tunnel on ION1 becomes inactive and the inactive tunnel on ION2 becomes active.
Before disabling the controller port:

dump vpn summary all
VepID  Circuit-local  Circuit-Remote  Remote-Site   VpnType  Interface  SrcIP  DstIP  Status  Active
1      --             --(DC-ION1)     (Name of DC)  --       --         --     --     UP      True
2      --             --(DC-ION2)     (Name of DC)  --       --         --     --     UP      False

After disabling the controller port (the Active flag has switched between the two tunnels):

dump vpn summary all
VepID  Circuit-local  Circuit-Remote  Remote-Site   VpnType  Interface  SrcIP  DstIP  Status  Active
1      --             --(DC-ION1)     (Name of DC)  --       --         --     --     UP      False
2      --             --(DC-ION2)     (Name of DC)  --       --         --     --     UP      True
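The switchover above is easiest to spot by comparing two snapshots of the dump output rather than reading the tables by eye. The following is an added example, not Palo Alto Networks code: it parses two captures of `dump vpn summary all` into a per-VepID map and reports which tunnels went active, inactive or down. The two snapshots embedded in the block are constructed to mirror the column layout shown in the article; the circuit names, IP addresses and VPN type in them are placeholders, and the function names (`parse_vpn_summary`, `find_switchover`, `describe`) are this example's own.

```python
"""Detect a secure fabric active/inactive switchover by comparing two snapshots
of 'dump vpn summary all' output from a Prisma SD-WAN ION.

Added example, not vendor code. Both snapshots below are constructed to match
the column layout of the article's output; every value in them is a placeholder.
"""

# Constructed snapshot: ION1's tunnel (VepID 1) is active, ION2's (VepID 2) is standby.
BEFORE = """\
VepID  Circuit-local  Circuit-Remote  Remote-Site  VpnType  Interface  SrcIP     DstIP         Status  Active
1      br-wan1        dc-ion1-wan1    DC-SITE      public   1          10.0.0.1  198.51.100.1  UP      True
2      br-wan1        dc-ion2-wan1    DC-SITE      public   1          10.0.0.1  198.51.100.2  UP      False
"""

# Constructed snapshot after the controller port was disabled on DC ION1:
# the Active flag has flipped between the two VEPs while both tunnels stay UP.
AFTER = """\
VepID  Circuit-local  Circuit-Remote  Remote-Site  VpnType  Interface  SrcIP     DstIP         Status  Active
1      br-wan1        dc-ion1-wan1    DC-SITE      public   1          10.0.0.1  198.51.100.1  UP      False
2      br-wan1        dc-ion2-wan1    DC-SITE      public   1          10.0.0.1  198.51.100.2  UP      True
"""


def parse_vpn_summary(text):
    """Return {VepID: {"remote": Circuit-Remote, "status": Status, "active": bool}}.

    Columns are read from both ends of the row (VepID first, Status and Active
    last) so a middle column with embedded spaces, such as a site name, does not
    shift the fields we care about.
    """
    tunnels = {}
    for line in text.splitlines():
        tokens = line.split()
        # Skip blank lines, the header row and any separator row.
        if len(tokens) < 4 or tokens[0] == "VepID":
            continue
        vep_id, circuit_remote = tokens[0], tokens[2]
        status, active = tokens[-2], tokens[-1]
        tunnels[vep_id] = {
            "remote": circuit_remote,
            "status": status.upper(),
            "active": active.lower() == "true",
        }
    return tunnels


def find_switchover(before_text, after_text):
    """Compare two snapshots and list VepIDs that went active, went inactive,
    or went down (left UP, or disappeared from the output)."""
    before = parse_vpn_summary(before_text)
    after = parse_vpn_summary(after_text)
    result = {"went_active": [], "went_inactive": [], "went_down": []}
    for vep_id in sorted(set(before) | set(after)):
        old, new = before.get(vep_id), after.get(vep_id)
        if old is None or new is None:
            # Tunnel appeared or vanished between snapshots; treat as down.
            result["went_down"].append(vep_id)
            continue
        if old["status"] == "UP" and new["status"] != "UP":
            result["went_down"].append(vep_id)
        if not old["active"] and new["active"]:
            result["went_active"].append(vep_id)
        elif old["active"] and not new["active"]:
            result["went_inactive"].append(vep_id)
    return result


def describe(result):
    """One-line summary suitable for a log entry or monitoring alert."""
    if not any(result.values()):
        return "no secure fabric change"
    parts = []
    if result["went_inactive"]:
        parts.append("inactive: " + ",".join(result["went_inactive"]))
    if result["went_active"]:
        parts.append("active: " + ",".join(result["went_active"]))
    if result["went_down"]:
        parts.append("down: " + ",".join(result["went_down"]))
    return "secure fabric switchover; " + "; ".join(parts)


if __name__ == "__main__":
    print(describe(find_switchover(BEFORE, AFTER)))
```

Running the block prints `secure fabric switchover; inactive: 1; active: 2`, the same flip the article's tables show. In practice the two snapshots would be captured before and after a planned port change, or periodically, so that an unexpected Active flip on a DC pair is noticed and traced back to the VLAN layout described under Cause.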


Environment


  • Prisma SD-WAN
  • Supported versions
  • ION devices


Cause


  • The controller port is in the same VLAN as the port used to peer with the network.
  • When the controller port and the peering port share a VLAN, a flap of the controller port disrupts the BGP peering on that VLAN.
  • So when the controller port is disabled, the core peer connectivity also flaps.
  • Because the core peering goes down, the active tunnel switches to inactive.
  • The previously inactive tunnel is then switched to active.


Resolution


  1. Keep the controller port in a different VLAN from the port used to peer with the network.
  2. In general, keeping each port in its own VLAN is recommended.

