User-ID Agent Status Shows as Red on Secondary Firewall in Active/Active Configuration
Created On 09/25/18 19:36 PM - Last Modified 06/16/20 15:44 PM
Symptom
On the Active-Secondary unit of an Active/Active High Availability (HA) deployment, the User-ID Agents show as "red", indicating they are not connected.
Environment
Any Active/Active High-Availability setup that connects to a User-ID Agent.
Cause
This is expected behaviour.
The Active-Secondary will always show as red unless it becomes the Active-Primary. This is by design, both to reduce load on the User-ID Agent and to ensure user IDs are never out of sync.
As stated in the Administrator’s Guide, the User-IP mappings are synchronised from the Active-Primary firewall so that both firewalls are up to date.
Resolution
The Active-Secondary still requires basic connectivity to the agent in case the Active-Primary unit fails.
The following command can be used to check connectivity on the Active-Secondary unit:
> show user user-id-agent state <your-id-agent-name>
Once the Secondary becomes Primary it should connect to the agent as shown in the screenshots below:
- Active-Primary before failover:
- Active-Secondary before failover:
- Active-Primary after failover (the new Secondary):
- Active-Secondary after failover (the new Primary):