Path Monitoring is incorrectly displaying a status of 'up' in an Active/Active HA deployment, even when the firewall cannot reach the monitored IP address.
Created On 07/22/24 17:11 PM - Last Modified 11/05/25 22:22 PM
Symptom
- Path monitor shows as "up" even when routes to the destination IP (8.8.8.8) are removed.
- No HA status change to Active-Secondary despite the inability to reach the monitored IP address.
- Example scenario: Disabling the BGP peer or removing static routes on the firewall removes the default route to the destination IP but the path monitor still shows "up."
(active-primary)> show high-availability all
Path Monitoring Information:
Enabled: yes
Failure condition: any
Virtual-Router name: LR-FW
Enabled: yes
Failure condition: any
Ping Interval: 200 ms
Ping Count: 10
Destination Group: PING
Enabled: yes
Failure condition: any
Destination IP Address: 8.8.8.8: up <===============
Configuration Synchronization:
Enabled: yes
Running Configuration: synchronized
> test advanced-routing fib-lookup ip 8.8.8.8 logical-router LR-FW
--------------------------------------------------------------------------------
runtime route lookup
--------------------------------------------------------------------------------
logical-router: LR-FW
destination: 8.8.8.8
result:
route not found <=====================
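A consistency check for this symptom, as an added example (not Palo Alto Networks code): it parses saved text from the two commands shown above and reports monitored destinations that path monitoring lists as "up" while the FIB lookup returns "route not found". The function names and the 192.0.2.1 lines are constructed for illustration, and the parser assumes the output format shown on this page.

```python
import re

# "Destination IP Address: 8.8.8.8: up" -> ("8.8.8.8", "up")
DEST_RE = re.compile(r"Destination IP Address:\s*(\S+?):\s*(up|down)", re.I)

def path_monitor_states(ha_output):
    """Map each monitored IP to its state in 'show high-availability all' text."""
    return {ip: state.lower() for ip, state in DEST_RE.findall(ha_output)}

def fib_has_route(fib_output):
    """Return (destination, has_route) parsed from one fib-lookup transcript."""
    dest = re.search(r"destination:\s*(\S+)", fib_output)
    if dest is None:
        raise ValueError("no 'destination:' line in fib-lookup output")
    result = fib_output.split("result:", 1)[-1].lower()
    return dest.group(1), "route not found" not in result

def stale_up_destinations(ha_output, fib_outputs):
    """IPs that path monitoring reports 'up' although the FIB has no route."""
    routes = dict(fib_has_route(text) for text in fib_outputs)
    states = path_monitor_states(ha_output)
    return sorted(ip for ip, state in states.items()
                  if state == "up" and routes.get(ip) is False)

# Lines for 8.8.8.8 are from the output on this page; 192.0.2.1 is constructed.
HA_SAMPLE = """\
Destination Group: PING
Enabled: yes
Failure condition: any
Destination IP Address: 8.8.8.8: up
Destination IP Address: 192.0.2.1: down
"""
FIB_SAMPLE = """\
logical-router: LR-FW
destination: 8.8.8.8
result:
route not found
"""
FIB_CONSTRUCTED = FIB_SAMPLE.replace("8.8.8.8", "192.0.2.1")

if __name__ == "__main__":
    for ip in stale_up_destinations(HA_SAMPLE, [FIB_SAMPLE, FIB_CONSTRUCTED]):
        print(f"{ip}: path monitor 'up' but no route in FIB")
```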
Environment
- Palo Alto Firewall.
- PAN-OS 8.1 and above.
- High Availability in Active-Active mode.
- Advanced Routing
Cause
The wrong slot is set when there is no ARP or route.
Resolution
The issue will be fixed in PAN-OS versions 11.2.5 and 11.1.5. Upgrading to these versions will resolve the path monitoring malfunction in Active/Active HA deployments.