User-ID Agent Status Shows as Red on Secondary Firewall in Active/Active Configuration

Created On 09/25/18 19:36 PM - Last Modified 06/16/20 15:44 PM


Symptom


On the Active-Secondary unit of an Active/Active High Availability (HA) deployment, the User-ID Agents show as "red", indicating they are not connected.

Environment


Any Active/Active High-Availability setup that connects to a User-ID Agent.

Cause


This is expected behaviour.

The Active-Secondary will always show as red unless it becomes the Active-Primary. This is by design: it both relieves load on the User-ID Agent and ensures the two firewalls never hold user mappings that are out of sync.
As stated in the Administrator’s Guide, the User-IP mappings are synchronised from the Active-Primary firewall so that both firewalls stay up to date.


Resolution


Basic connectivity from the Active-Secondary towards the agent is still required should the Active-Primary unit fail:

The following command can be used to check connectivity on the Active-Secondary unit.
> show user user-id-agent state <your-id-agent-name>
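The check above is easy to get wrong in monitoring: a red agent on the Active-Secondary is normal, while the same state on the Active-Primary is an outage. The following is an added example, not from the original article or from Palo Alto Networks, that parses the output of that command as collected from a management host and applies the triage rule. The output layout and the meaning of the connection counters are assumptions; the sample output is constructed.

```python
import re
from dataclasses import dataclass

# Constructed sample of "show user user-id-agent state all" output as collected
# from an Active-Secondary unit. The line layout and counters are assumptions.
SAMPLE_SECONDARY = """\
Agent: uid-agent-dc1(vsys: vsys1) Host: 10.0.0.5(10.0.0.5):5007
\tStatus                                         : conn:disconnected
\tnum of connection tried                        : 12
\tnum of connection succeeded                    : 0
Agent: uid-agent-dc2(vsys: vsys1) Host: 10.0.0.6(10.0.0.6):5007
\tStatus                                         : conn:disconnected
\tnum of connection tried                        : 12
\tnum of connection succeeded                    : 12
"""

AGENT_RE = re.compile(r"^Agent:\s*(?P<name>\S+?)\(vsys:.*?\)\s+Host:\s*(?P<host>\S+)")
STATUS_RE = re.compile(r"^\s*Status\s*:\s*conn:(?P<state>\S+)")
TRIED_RE = re.compile(r"^\s*num of connection tried\s*:\s*(?P<n>\d+)")
OK_RE = re.compile(r"^\s*num of connection succeeded\s*:\s*(?P<n>\d+)")

@dataclass
class AgentState:
    name: str
    host: str
    state: str = "unknown"   # "idle" is treated as connected (assumption)
    tried: int = 0
    succeeded: int = 0

def parse_agent_state(text):
    """Split the CLI output into one AgentState per 'Agent:' header."""
    agents = []
    for line in text.splitlines():
        m = AGENT_RE.match(line)
        if m:
            agents.append(AgentState(m["name"], m["host"]))
        elif agents and (m := STATUS_RE.match(line)):
            agents[-1].state = m["state"]
        elif agents and (m := TRIED_RE.match(line)):
            agents[-1].tried = int(m["n"])
        elif agents and (m := OK_RE.match(line)):
            agents[-1].succeeded = int(m["n"])
    return agents

def triage(ha_role, agents):
    """Map agent name -> verdict. Red on the Active-Primary is a real outage;
    red on the Active-Secondary is expected unless the unit has never managed
    to reach the agent at all, which would leave a failover without User-ID."""
    verdicts = {}
    for a in agents:
        if ha_role == "active-primary":
            verdicts[a.name] = "ok" if a.state == "idle" else "alert: primary lost agent"
        elif a.tried > 0 and a.succeeded == 0:
            verdicts[a.name] = "alert: secondary cannot reach agent, failover at risk"
        else:
            verdicts[a.name] = "expected: secondary stays red until it becomes primary"
    return verdicts
```

Feed `triage` the HA role from `show high-availability state` on the same unit so the same agent output is judged differently on each member of the pair.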

Once the Secondary becomes Primary, it should connect to the agent, as shown in the screenshots below (images not reproduced here; captions retained):

- Active-Primary before failover
- Active-Secondary before failover
- Active-Primary after failover (the new Secondary)
- Active-Secondary after failover (the new Primary)


