Best practice for Active/Passive HA and OSPF

L1 Bithead

I configured Active/Passive HA in an environment where two firewalls connect to a core switch. There is an OSPF adjacency between the active Palo and the core switch. I'm curious what the best practice is for OSPF and HA. When adjusting the OSPF settings on the Palo, disabling OSPF graceful restart/strict LSA checking led to a much quicker failover. I cannot find any documentation on what the best practice is. Moreover, if anyone knows this, I would appreciate the theory on what exactly is supposed to happen during the HA failover with an OSPF adjacency. My understanding and hope is that the firewall that becomes active simply "continues" the OSPF adjacency, and that no new one needs to be formed. Or am I wrong here... Should the firewall actually form a new adjacency during a failover?

1 accepted solution

Accepted Solutions

Cyber Elite

Hi @inssider,

That is a great question.  The FIB is synchronized between A/P HA pairs, but the OSPF LSDB is not -> https://docs.paloaltonetworks.com/pan-os/10-1/pan-os-admin/high-availability/reference-ha-synchroniz....  You can confirm this by running the commands "show routing route" and "show routing protocol ospf lsdb" on the passive NGFW.

The purpose of OSPF GR is for the NGFW to tell its neighbor that there was a failover and to resynchronize the LSDB without taking the neighbor down.  OSPF GR is recommended for HA, but it should be enabled on the inside router (OSPF neighbor) also -> https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000Cm5ZCAS, at least in helper mode.

If the OSPF LSDB is empty, the NGFW probably will form a new adjacency to build it again.  I would check the system logs to see if OSPF flaps.  If failover takes longer with GR than without, I would check to see if it is enabled on both sides and check the timers.  The dead interval should not be smaller than the time required for the passive control plane to take over.  Failover should be faster with OSPF GR than without, but use whatever works for you.

Thanks,

Tom

Help the community: Like helpful comments and mark solutions.

View solution in original post
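As an added illustration, not from the original thread or from Palo Alto Networks, the following Python model walks through the neighbor-side decisions Tom describes: the dead interval against control-plane takeover time, GR helper mode on the neighbor, strict LSA checking, and the grace period. The timer values, takeover and resync times are constructed assumptions, not measured PAN-OS behaviour.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed model of how the core switch (OSPF neighbor) sees the firewall
# adjacency during an A/P failover. Times are seconds after the last hello the
# switch heard from the old active unit; all values below are assumptions.
@dataclass
class Timers:
    dead: float = 40.0     # neighbor's router-dead interval
    grace: float = 120.0   # grace period carried in the firewall's grace-LSA

@dataclass
class Failover:
    takeover: float        # new active control plane sends its first hello and grace-LSA
    resync: float          # time the new active needs to rebuild its LSDB with the neighbor
    gr_on_firewall: bool = True
    helper_on_neighbor: bool = True        # neighbor honours grace-LSAs (GR helper mode)
    strict_lsa_checking: bool = True
    lsa_change_at: Optional[float] = None  # a topology change flooded at this time, if any

def adjacency_outcome(t: Timers, f: Failover) -> tuple:
    """Return (state, deciding event, time the neighbor's adjacency leaves Full).

    state is "preserved" when the neighbor keeps the adjacency Full through the
    restart, "reformed" when it must build a new adjacency (the LSDB is not HA-
    synchronized, so the new active relearns it in both cases). The time is
    None when the adjacency never leaves Full.
    """
    # 1. Inactivity timer: fires at t.dead unless a hello arrives first. Once it
    #    has fired the adjacency is Down and a later grace-LSA cannot be helped.
    if f.takeover >= t.dead:
        return ("reformed", "dead interval expired before takeover", t.dead)
    # 2. Hellos resume in time, but without a grace-LSA (or without a helper) the
    #    neighbor sees a brand-new OSPF process and restarts the adjacency.
    if not f.gr_on_firewall:
        return ("reformed", "no grace-LSA sent", f.takeover)
    if not f.helper_on_neighbor:
        return ("reformed", "neighbor not in helper mode", f.takeover)
    # 3. Helper mode: the neighbor keeps the adjacency (and its routes) while the
    #    LSDB is rebuilt, unless the grace period ends first or, with strict LSA
    #    checking, the topology changes while it is helping.
    grace_ends = f.takeover + t.grace
    resync_done = f.takeover + f.resync
    if (f.strict_lsa_checking and f.lsa_change_at is not None
            and f.takeover < f.lsa_change_at < min(grace_ends, resync_done)):
        return ("reformed", "strict LSA checking ended helper mode", f.lsa_change_at)
    if resync_done > grace_ends:
        return ("reformed", "grace period expired before resync", grace_ends)
    return ("preserved", "helper kept adjacency Full during resync", None)
```

Running the same failover with `dead=10` against a 15-second takeover shows why the dead interval must not be shorter than the control-plane takeover time: the neighbor drops the adjacency before the grace-LSA ever arrives.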

2 REPLIES

Cyber Elite

Hello,

I have seen this in the past and just let the failover happen. OSPF has no issues with the failover even with default configuration. Remember that when the passive device becomes active, it takes the IPs of the former active, so routing shouldn't be interrupted since the IPs are the same on the active/passive. If there might be small hiccups, I would just tune down the OSPF timers, but I'm running default and seldom have seen issues.

Regards,
