Firewall Stuck in Initial (Leaving Suspended State)

Created On 04/13/19 04:54 AM - Last Modified 04/15/19 21:29 PM


Symptom


  • Firewalls in active/passive HA setup
  • To perform a failover test, one of the firewalls was suspended
  • Failover was successful, but when making the suspended firewall functional again, it is stuck in Initial (Leaving suspended state)

Firewall FW1: Active
Firewall FW2: Initial (Leaving suspended state) 


Firewall FW2 ha_agent.log when FW2 is made functional:
2019-04-12 21:42:03.311 -0700 Group 9 State is going from Suspended to Initial
2019-04-12 21:42:03.311 -0700 Group 9: User request to move group to Initial state
2019-04-12 21:42:03.311 -0700 debug: ha_state_move(src/ha_state.c:1516): Group 9: moving from state Suspended to Initial
2019-04-12 21:42:03.311 -0700 HA Group 9: moved from state Suspended to state Initial (0)
2019-04-12 21:42:03.312 -0700 debug: ha_sysd_dev_state_update(src/ha_sysd.c:1431): Set dev state to Initial
2019-04-12 21:42:03.312 -0700 debug: ha_state_move_action(src/ha_state.c:1331): No state transition script available on current platform
2019-04-12 21:42:03.312 -0700 debug: ha_state_clear_monitor_log_history(src/ha_state.c:3893): Clearing all monitoring log history
2019-04-12 21:42:03.312 -0700 debug: ha_state_transition(src/ha_state.c:1420): Group 9: transition to state Passive
2019-04-12 21:42:03.312 -0700 debug: ha_state_start_rt_sync_hold(src/ha_state.c:2200): Group 9: starting runtime state sync hold (3600)
2019-04-12 21:42:03.316 -0700 debug: sysd_queue_wr_event_add(sysd_queue.c:915): QUEUE: queue write event already added
2019-04-12 21:42:03.354 -0700 debug: ha_rts_sysd_dp_state_notify_cb(src/ha_rts.c:1306): RTS slot 1 (dp0) Initial state
2019-04-12 21:42:03.354 -0700 debug: ha_rts_local_update(src/ha_rts.c:171): Group 9: called to set local status HA2-unavailable, new local status Unknown, force yes
2019-04-12 21:42:07.137 -0700 debug: ha_peer_recv_hello(src/ha_peer.c:5227): Group 9 (HA1-MAIN): Receiving hello message

 


Environment


  • Firewall running in active/passive HA
  • HA1 and HA2 configured
  • HA1-backup and HA2-backup are not configured


Cause


This happens when a backup data link (e.g., HA2-backup) is not configured and HA2 is down.
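
As an added example (not part of the original article or any Palo Alto Networks tooling), this Python parser scans ha_agent.log text for the signature shown in the Symptom section: a group that moved from Suspended to Initial, started a runtime state sync hold, reported HA2-unavailable, and has logged no later state move. The function name, the sample subset, and the format of the constructed recovery line are assumptions.

```python
import re

# Constructed input: a subset of the FW2 ha_agent.log lines shown in this article.
SAMPLE_LOG = """\
2019-04-12 21:42:03.311 -0700 HA Group 9: moved from state Suspended to state Initial (0)
2019-04-12 21:42:03.312 -0700 debug: ha_state_transition(src/ha_state.c:1420): Group 9: transition to state Passive
2019-04-12 21:42:03.312 -0700 debug: ha_state_start_rt_sync_hold(src/ha_state.c:2200): Group 9: starting runtime state sync hold (3600)
2019-04-12 21:42:03.354 -0700 debug: ha_rts_local_update(src/ha_rts.c:171): Group 9: called to set local status HA2-unavailable, new local status Unknown, force yes
2019-04-12 21:42:07.137 -0700 debug: ha_peer_recv_hello(src/ha_peer.c:5227): Group 9 (HA1-MAIN): Receiving hello message
"""
# Constructed line (not from the article): assumes a later move to Passive is
# logged in the same "moved from state" format as the Suspended -> Initial move.
RECOVERY_LINE = ("2019-04-12 22:42:03.400 -0700 HA Group 9: moved from state "
                 "Initial to state Passive (0)\n")

MOVED = re.compile(r"HA Group (\d+): moved from state (\S+) to state (\S+)")
HOLD = re.compile(r"Group (\d+): starting runtime state sync hold \((\d+)\)")
HA2_DOWN = re.compile(r"Group (\d+): called to set local status HA2-unavailable")


def find_stuck_groups(log_text):
    """Return {group: details} for HA groups that left Suspended and are still
    in Initial at the end of the log, with a sync hold and HA2 unavailable."""
    groups = {}
    for line in log_text.splitlines():
        if m := MOVED.search(line):
            group, src, dst = m.groups()
            # Only "moved from state" lines change the tracked state; the
            # "transition to state Passive" debug line is deliberately ignored.
            groups[group] = {"state": dst, "since": line[:23],
                             "from_suspended": src == "Suspended",
                             "hold": None, "ha2_unavailable": False}
        elif (m := HOLD.search(line)) and m.group(1) in groups:
            groups[m.group(1)]["hold"] = int(m.group(2))  # value as logged
        elif (m := HA2_DOWN.search(line)) and m.group(1) in groups:
            groups[m.group(1)]["ha2_unavailable"] = True
    return {g: s for g, s in groups.items()
            if s["state"] == "Initial" and s["from_suspended"]
            and s["hold"] is not None and s["ha2_unavailable"]}


if __name__ == "__main__":
    for group, s in find_stuck_groups(SAMPLE_LOG).items():
        print(f"Group {group}: in Initial since {s['since']}, "
              f"sync hold {s['hold']}, HA2 unavailable")
```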

Resolution


Depending on the situation, you can choose any one of the following:

Solution:
Fix the HA2 connectivity. As soon as HA2 is up, the firewall changes its state from Initial (Leaving suspended state) to passive.
Alternatively, wait for the runtime state sync hold to end; the firewall then changes its state to passive automatically, even when the data link is down.

Workaround:
Temporarily uncheck Enable Session Synchronization and commit the changes on FW2. Right after that, FW2 should come up as passive. Then re-enable session synchronization and work on fixing HA2 connectivity.

