Salesforce

When does an HA node go into Suspended state due to Non-Functional loop?

« Go Back

Information

 
TitleWhen does an HA node go into Suspended state due to Non-Functional loop?
URL NameHA-Link-Monitoring-Interface-T-60615
Summary
Validation StatusValidated - External
Symptom
One of the firewalls in a High Availability pair (HA) moves into the "suspended" state due to Non-functional loop.
non-functional loop

The device which has a higher priority and a lower value, moves into this state of suspended (Non-functional loop detected)
HA link monitoring interface triggers an active-passive loop even when cables are not connected

This is slightly different from device moving to suspended due to Preemption loop. Refer: When does an HA node go into Suspended state due to Preemption loop ?


 
Environment
Cause
  • When a link or path monitoring (or both) failure condition is detected, the Active device moves to non-functional state. Refer: https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/high-availability/ha-firewall-states.html
  • The monitoring will take effect even if the cables are not connected and he active firewall will move from active to non-functional.
  • When the active firewall moves to passive the peer firewall, which was previously passive will move to active, and again the link monitoring will take effect. As the cables are not connected/link down the firewall will transition again from active to non-functional and then finally to passive.
  • The node moves into "Suspend" state due to preemption loop if "Maximum number of flaps" are observed.
  • A flap is counted when the firewall leaves the active state within 15 minutes after it last left the active state. 
  • This value indicates the maximum number of flaps that are permitted before the firewall is suspended and the passive firewall takes over (range 0-16, default 3).
  • Maximum number of flaps can be configured as follows:
max-flaps
 
Resolution

 

If the cables are removed the associated link monitoring will never be disabled automatically, as it will defeat the purpose of link monitoring.
Disable link monitoring until the cables are plugged in or never configure link monitoring for the interfaces in which the cables are not plugged in.

If the cables need to be unplugged for any reason, then disable the link monitoring until the cables are plugged in back and HA is stable.

Go to Device > High Availability > Link and Path Monitoring and uncheck Enabled:

disable-link-mon

To make a device move back from suspended state refer:How to Recover HA Pair Member from the Suspended State

Additional Information
Legacy ID60615
Legacy Urlhttp://live.paloaltonetworks.com:80/t5/Management-Articles/HA-Link-Monitoring-Interface-Triggers-an-Active-Passive-Loop/ta-p/60615
Attachment 1 
Attachment 2 
Attachment 3 
Attachment 4 
Attachment 5 
Auto Assistant Signature

Powered by