Troubleshooting - High availability
Troubleshoot HA issues.
Dedicated port failure
If the dedicated port or cable fails, both devices become standalone primary devices and send gratuitous ARP requests (GARPs) to the network switch to take ownership of the virtual MAC address (VMAC). This will likely result in routing issues.
In this scenario, shut down one of the devices and repair the link (assuming the fault isn't in the interface itself). When you start the device again, it detects the primary and takes on the role of the auxiliary.
The example log file entries below show the status change you see when the dedicated link goes down.
Log example on the primary device:
Log example on the auxiliary device:
Validation Failed For Ha interface IP
If the administration ports of both devices aren't in the same subnet, validation fails, and the following error message appears in /log/syslog.log on the primary device:
Validation Failed For Ha interface IP
Defective interface or cable
To verify if a defective interface or cable is causing a failover, review the port status.
On the Advanced shell, enter the following command: dmesg | grep PortE
If the port goes up and down, check and correct the speed and duplex settings on both sides of the connection.
You can also do the following:
- Check for packet drops, errors, and collisions on the interface using the ifconfig or show network interfaces commands. See Command line help.
- Try replacing the cable.
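The port status review above can also be done over saved dmesg output by counting link transitions for one port. The following is an added example, not part of the original documentation. The message wording (modelled on common Linux NIC driver lines), the sample data, and the threshold of two or more link-down events for "flapping" are constructed assumptions, and the firewall's actual messages may differ.

```shell
#!/bin/sh
# Added example: summarize link up/down events for one port from dmesg text.
# Assumption: link messages contain "<port> NIC Link is Up <n> Mbps <Full|Half> Duplex"
# or "<port> NIC Link is Down". Adjust the two match strings if yours differ.

# Usage: dmesg | link_flap_summary PortE
# Output: "<port> up=N down=N speeds=<list> half_duplex=N verdict=<stable|flapping>"
link_flap_summary() {
    awk -v port="$1" '
        # Link-up line for this port: count it, record the negotiated speed
        # and note whether the link came up at half duplex.
        index($0, port " NIC Link is Up") {
            up++
            if (match($0, /[0-9]+ Mbps/)) {
                s = substr($0, RSTART, RLENGTH - 5)   # strip " Mbps"
                if (!(s in seen)) { seen[s] = 1; speeds = speeds (speeds ? "," : "") s }
            }
            if ($0 ~ /Half Duplex/) half++
        }
        # Link-down line for this port.
        index($0, port " NIC Link is Down") { down++ }
        END {
            # Assumed threshold: two or more link-down events means flapping.
            verdict = (down >= 2 ? "flapping" : "stable")
            printf "%s up=%d down=%d speeds=%s half_duplex=%d verdict=%s\n",
                   port, up, down, (speeds ? speeds : "none"), half, verdict
        }
    '
}

# Constructed sample input (not real firewall output).
sample_dmesg() {
    cat <<'EOF'
[  812.101] igb 0000:03:00.0 PortE: igb: PortE NIC Link is Up 1000 Mbps Full Duplex, Flow Control: RX/TX
[ 1490.553] igb 0000:03:00.0 PortE: igb: PortE NIC Link is Down
[ 1493.870] igb 0000:03:00.0 PortE: igb: PortE NIC Link is Up 100 Mbps Half Duplex, Flow Control: None
[ 2201.004] igb 0000:03:00.0 PortE: igb: PortE NIC Link is Down
[ 2204.310] igb 0000:03:00.0 PortE: igb: PortE NIC Link is Up 1000 Mbps Full Duplex, Flow Control: RX/TX
[ 2300.000] igb 0000:02:00.0 PortA: igb: PortA NIC Link is Up 1000 Mbps Full Duplex, Flow Control: RX/TX
EOF
}

sample_dmesg | link_flap_summary PortE
```

More than one value under speeds, or a non-zero half_duplex count, suggests that the two ends of the link are negotiating inconsistently, which is the case where the speed and duplex settings on both sides need checking.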
1U XGS series firewalls unable to establish HA when using FleXi Port as dedicated HA link
This issue affects only 1U devices using a FleXi Port as the dedicated HA link. When the first device updates and restarts, the interface speed for the FleXi Port isn't set to auto negotiation. The second device continues to have its interface speed set to auto negotiation and HA is not established.
To resolve this issue, do as follows:
- On both devices, go to Network > Interfaces.
- Click the FleXi Port interface and go to Advanced settings.
- Set the Interface speed for the FleXi Port to Auto negotiation.
Alternatively, you can set a fixed port as the dedicated HA port.
The 1U devices are as follows:
- XGS 2100, 2300, 3100, 3300, 4300, and 4500
- XG 210, 230, 310, 330, 430, and 450
HA could not be enabled
When you configure HA (active-passive) on the primary device, the error message "HA could not be enabled" is shown when the dedicated HA link isn't connected or the auxiliary firewall isn't reachable.
To resolve this issue, do as follows:
- Make sure an Ethernet cable or switch connects the dedicated HA link interface of both devices.
- On both devices, go to Network > Interfaces and check if the port shows Connected status.
- On the primary device, go to Diagnostics > Tools and use the ping tool to check if you can ping the auxiliary's dedicated HA link port.