HA Firewall States
An HA firewall can be in one of the following states:
Each state is listed with the configuration it applies to (A/P = active/passive, A/A = active/active).

Initial (A/P or A/A)
Transient state of a firewall when it joins the HA pair. The firewall remains in this state after boot-up until it discovers a peer and negotiation begins. After a timeout, the firewall becomes active if HA negotiation has not started.

Active (A/P)
State of the active firewall in an active/passive configuration.

Passive (A/P)
State of the passive firewall in an active/passive configuration. The passive firewall is ready to become the active firewall with no disruption to the network. Although the passive firewall is not processing other traffic:

Active-Primary (A/A)
In an active/active configuration, state of the firewall that connects to User-ID agents, runs DHCP server and DHCP relay, and matches NAT and PBF rules with the Device ID of the active-primary firewall. A firewall in this state can own sessions and set up sessions.

Active-Secondary (A/A)
In an active/active configuration, state of the firewall that connects to User-ID agents, runs DHCP server, and matches NAT and PBF rules with the Device ID of the active-secondary firewall. A firewall in active-secondary state does not support DHCP relay. A firewall in this state can own sessions and set up sessions.

Tentative (A/A)
State of a firewall (in an active/active configuration) caused by one of the following:
A firewall in tentative state synchronizes sessions and configurations from the peer.
After the failed path or link clears, or as a failed firewall transitions from tentative state to active-secondary state, the Tentative Hold Time is triggered and routing convergence occurs. The firewall attempts to build routing adjacencies and populate its route table before processing any packets. Without this timer, the recovering firewall would enter active-secondary state immediately and would blackhole packets because it would not yet have the necessary routes.
When a firewall leaves suspended state, it goes into tentative state for the Tentative Hold Time after its links are up and able to process incoming packets.
Tentative Hold Time range (sec) can be disabled (0 seconds) or set in the range 10-600; the default is 60.

Non-functional (A/P or A/A)
Error state due to a dataplane failure or a configuration mismatch, such as only one firewall being configured for packet forwarding, VR sync, or QoS sync.
In active/passive mode, all of the causes listed for tentative state instead cause non-functional state.

Suspended (A/P or A/A)
The device is disabled, so it won't pass data traffic, and although HA communications still occur, the device doesn't participate in the HA election process. It can't move to an HA functional state without user intervention.
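The following is an added illustrative model of the tentative-state recovery described above; it is not PAN-OS code. It assumes an active/active peer leaving suspended state, and shows why a disabled Tentative Hold Time (0 seconds) promotes the firewall to active-secondary before its route table is populated.

```python
from dataclasses import dataclass
from enum import Enum


class HAState(Enum):
    ACTIVE_PRIMARY = "active-primary"
    ACTIVE_SECONDARY = "active-secondary"
    TENTATIVE = "tentative"
    SUSPENDED = "suspended"


def validate_hold_time(seconds: int) -> int:
    """Tentative Hold Time: 0 disables it, otherwise 10-600 seconds (default 60)."""
    if seconds == 0 or 10 <= seconds <= 600:
        return seconds
    raise ValueError(f"tentative hold time must be 0 or 10-600, got {seconds}")


@dataclass
class ActiveActivePeer:
    """Constructed model of one A/A firewall recovering from suspended state."""
    hold_time: int = 60
    state: HAState = HAState.SUSPENDED
    hold_elapsed: int = 0
    routes_populated: bool = False   # set once routing adjacencies converge

    def __post_init__(self) -> None:
        self.hold_time = validate_hold_time(self.hold_time)

    def links_up(self) -> HAState:
        """Leaving suspended: enter tentative and start the hold timer."""
        self.state, self.hold_elapsed, self.routes_populated = HAState.TENTATIVE, 0, False
        if self.hold_time == 0:              # timer disabled: promoted at once
            self.state = HAState.ACTIVE_SECONDARY
        return self.state

    def routing_converged(self) -> None:
        """Routing adjacencies built and route table populated."""
        self.routes_populated = True

    def tick(self, seconds: int) -> HAState:
        """Advance the timer; expiry moves tentative to active-secondary."""
        if self.state is HAState.TENTATIVE:
            self.hold_elapsed += seconds
            if self.hold_elapsed >= self.hold_time:
                self.state = HAState.ACTIVE_SECONDARY
        return self.state

    def would_blackhole(self) -> bool:
        """True when the peer forwards traffic without a populated route table."""
        forwarding = self.state in (HAState.ACTIVE_PRIMARY, HAState.ACTIVE_SECONDARY)
        return forwarding and not self.routes_populated
```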