: Replace PA-7000 Series Firewall NPC in a High Availability (HA) Configuration
Focus
Focus

Replace PA-7000 Series Firewall NPC in a High Availability (HA) Configuration

Table of Contents

Replace PA-7000 Series Firewall NPC in a High Availability (HA) Configuration

When HA is configured on the firewall, the firewall is designed to allow the insertion of new Network Processing Cards (NPCs) without causing a failover. This is accomplished by the system not allowing a new card to come up in one chassis until an NPC is installed in the same slot on the second chassis. The cards stay in a disabled state until you enable both cards simultaneously.
If an NPC fails on one of the chassis, that chassis changes to a non-functional state when in active/passive mode or to a tentative state when in active/active mode. The chassis stays in the failover state until a new NPC is installed and configured or until you remove or disable the matching NPC in the functioning firewall. After the failed card is replaced and enabled, the chassis comes up as passive (in active/passive configuration) or as active-secondary (in an active/active configuration).
To identify the failed NPC, check the LEDs on the NPC or check the system logs. For example, if slot 3 has a failed NPC in one of the chassis, the following error is displayed in the log: Slot3 failure; moving to failure state.
In the following procedure, the first seven steps are the same steps you follow for replacing an NPC in a single chassis. The HA specific steps start at 7. For images on replacing an NPC, see Replace PA-7000 Series Firewall NPC in a Single Chassis.
  1. Verify the status of the NPC that is having a problem. You can do this from the web interface or from the CLI. In the web interface, navigate to NetworkInterfaces to view status for each NPC slot. The system log also shows slot <slot-number>failure; moving to failure state.
    If the NPC failed due to a hardware problem, the status shows Failure. The NPC may also have a configuration problem, in which case you should run the commit force command to force a commit.
    If the firewall with the failed NPC is the active firewall, ensure that you trigger a failover before removing the NPC. For more information, see Failover.
  2. Make note of the cable connections and then loosen the screws on each side of the card that secure the NPC to the chassis.
    Releasing the eject levers on the NPC triggers a micro switch that powers down the card to prepare it for removal. Only release the levers if you intend to remove the card.
  3. Put the provided ESD wrist strap on your wrist ensuring that the metal contact is touching your skin. Then attach (snap) one end of the ground cable to the wrist strap and remove the alligator clip from the banana clip on the other end of the ESD grounding cable. Plug the banana clip end into one of the ESD ports located on the front of the chassis before handling ESD sensitive hardware. For details on the ESD port location, see PA-7050 Front Panel (AC) or PA-7080 Front Panel (AC).
  4. Remove the failed NPC from the chassis.
  5. Remove the replacement NPC from the antistatic bag and slide it into the empty slot, ensuring that the handles are in the open position. When the card is about 1/4-inch from being fully inserted, adjust the levers to align with the chassis and then close the levers to seat the card.
    The small notches located near the hinge of the card levers are used to fully seat the card into the back connector of the slot. To prevent damage, ensure that the notches line up with the chassis so that when you close the levers, the levers fully seat the card into the backplane connectors.
  6. Tighten the screws on each side of the NPC with a Phillips-head screwdriver to secure it to the chassis.
  7. Enable the slots that contain the functioning NPC (in the second chassis) and the NPC that you just replaced.
    admin@PA-7050> request chassis enable slot <slot-number>
    For example, run the following command to enable slot 3 on the firewall:
    admin@PA-7050> request chassis enable slot s3
  8. Power on the slots that contain the functioning NPC (in the second chassis) and the NPC that you just replaced.
    admin@PA-7050> request chassis power-on slot <slot-number>
    For example, run the following command to enable slot 3 on the firewall:
    admin@PA-7050> request chassis power-on slot s3
  9. Insert the network cables that you removed earlier.
    For slot status information and troubleshooting, see the following sections: PA-7000 Series Front Slot States and PA-7000 Series Firewall Network Processing Card (NPC) Troubleshooting Commands.