How to troubleshoot when High-Availability Heartbeat Backup is down

Created On 10/11/22 01:59 AM - Last Modified 07/07/23 03:14 AM


Objective


To troubleshoot why heartbeat backup is down in high-availability.

Environment


  • Palo Alto Networks Firewalls in High-Availability
  • PAN-OS 9.1 and 10.1
  • Active/Active or Active/Passive High-Availability
  • Heartbeat Backup is enabled at "Device > High Availability > General > Election Settings"
  • Management interfaces of both the Firewalls can route to each other.


Procedure


  1. When the heartbeat backup link is enabled, split brain is prevented because redundant heartbeats and hello messages are transmitted over the management port.
  2. Heartbeat backup uses port 28771 on the management interface.
  3. If it has been confirmed that the management interfaces of both firewalls can route to each other, run tcpdump on both firewalls simultaneously to check for packets on port 28771:

       tcpdump snaplen 0 filter "port 28771"

  4. Once tcpdump has been run on both firewalls, compare the packet captures to isolate any packet loss.
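
One way to do the capture comparison described above, as an added example that is not part of the original article or any Palo Alto Networks tooling. It assumes both captures have been rendered as standard tcpdump text lines; the addresses, source port, function names and sample lines are constructed for illustration.

```python
import re
from collections import Counter

HB_PORT = 28771  # heartbeat backup port named in the article
# Header of a tcpdump text line: "<time> IP <src>.<sport> > <dst>.<dport>:"
LINE = re.compile(r"^\S+ IP (\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+):")

def count_directions(capture_text):
    """Count port-28771 packets per (src_ip, dst_ip) pair in one capture."""
    counts = Counter()
    for line in capture_text.splitlines():
        m = LINE.match(line.strip())
        if m and HB_PORT in (int(m.group(2)), int(m.group(4))):
            counts[(m.group(1), m.group(3))] += 1
    return counts

def compare(cap_a, cap_b, ip_a, ip_b):
    """For each direction, compare what the sender's capture shows leaving
    with what the receiver's capture shows arriving; a shortfall is loss."""
    a, b = count_directions(cap_a), count_directions(cap_b)
    report = {}
    for src, dst, tx, rx in ((ip_a, ip_b, a, b), (ip_b, ip_a, b, a)):
        sent, received = tx[(src, dst)], rx[(src, dst)]
        report[f"{src}->{dst}"] = {"sent": sent, "received": received,
                                   "lost": max(sent - received, 0)}
    return report

# Constructed sample captures (documentation addresses, simplified packet details).
FW_A, FW_B = "192.0.2.11", "192.0.2.12"
CAP_A = """\
10:00:01.000100 IP 192.0.2.11.40112 > 192.0.2.12.28771: Flags [P.], length 48
10:00:01.000900 IP 192.0.2.12.28771 > 192.0.2.11.40112: Flags [P.], length 48
10:00:02.000100 IP 192.0.2.11.40112 > 192.0.2.12.28771: Flags [P.], length 48
10:00:03.000100 IP 192.0.2.11.40112 > 192.0.2.12.28771: Flags [P.], length 48
"""
CAP_B = """\
10:00:01.000400 IP 192.0.2.11.40112 > 192.0.2.12.28771: Flags [P.], length 48
10:00:01.000600 IP 192.0.2.12.28771 > 192.0.2.11.40112: Flags [P.], length 48
10:00:02.000400 IP 192.0.2.11.40112 > 192.0.2.12.28771: Flags [P.], length 48
10:00:02.000600 IP 192.0.2.12.28771 > 192.0.2.11.40112: Flags [P.], length 48
10:00:03.000400 IP 192.0.2.11.40112 > 192.0.2.12.28771: Flags [P.], length 48
10:00:03.000600 IP 192.0.2.12.28771 > 192.0.2.11.40112: Flags [P.], length 48
"""

if __name__ == "__main__":
    for direction, stats in compare(CAP_A, CAP_B, FW_A, FW_B).items():
        print(direction, stats)
```

The counts are only comparable when both captures cover the same time window, which is why the captures are taken simultaneously.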


Additional Information


Recommendation for enabling Heartbeat Backup
