Saturday, December 15, 2018

Palo Alto firewall - PA-3220 HA1 is Up but HA1 Backup is Down

  • PA-3220 vs. PA-5220 in HA

I have installed both PA-3220s and PA-5220s in HA mode. I can tell that the PA-3220 has more issues in HA, whether it is a hardware or software issue. When I upgraded PA-3020s to PA-3220s, I had to submit RMAs twice.

<No LED on HSCI port>

My new PA-3220 didn't display the HSCI port's LED (no green or red light). However, the HA ports were all up. When I got the second PA-3220, HA2 was not up in HA, even though the HSCI interface was up with no LED.

There was also a software problem.

It happened when I upgraded to PAN-OS 8.1.5. HA1 Backup went down after upgrading the passive firewall. If you look at the Palo Alto LIVEcommunity bulletin board, you can see that many customers are having this problem.


Fixed an issue on a PA-3200 Series firewall running PAN-OS 8.1.4 in an HA configuration where the HA1-B (backup) port did not come up as expected.

Even though this issue has been fixed in PAN-OS 8.1.4, it happens from time to time in higher versions.

I found a workaround to bring up the HA1 Backup. I hope this helps someone who wants to bring it up without rebooting the firewall.

Step 1. Change the Port type from ha1-b to management on the active firewall and commit.

Device -> High Availability -> General -> Control link (HA1 Backup)

Step 2. Revert to the previous configuration with the Port type: ha1-b and commit.

Make sure you enter the same IP address that was configured before Step 1.

This workaround should bring up the HA1 Backup.
