HA Condition - Link Monitor Recovery - Time to retake Active Link Monitor role

Hello Community, how is everything going, I hope it's going well.

I have the following questions regarding HA.

Details of the environment.

Active - Passive A/P

Main - PA-52XX-01-HA - Priority 50

Secondary - PA-52XX-02-HA - Priority 100

Preemtive active

Link State Passive - Auto

Link monitor interfaces eth1/1 - eth1/2 - eth1/3 - eth1/4 - in VWIRE mode ( If "any" fails apply failover ).

We understand that when there is a restart of the PA-01 firewall, priority 50, the role is assumed by the PA-02, after the main firewall restarts, because of the preemtive value, it waits for 1 minute and takes control again.

Now I have the following doubt, I will describe the specific situation:

PA-01 active, two interfaces fail - PA-02 assumes active role ---- Operates a few minutes on Secondary PA-02 with active role all good. It recovers from the failure condition of the two interfaces. How long does it take to assume the role again, once it has recovered from the failure condition? I understand it is immediately under the Promotion Hold Time (ms) timer 2000/500 ms.

Now if it is 1 minute, is it possible to recover the role immediately, when it comes back and the Link Monitor failure condition is restored ??

Detail Doc PA Timers:

Promotion Hold Time (ms)

Time that the passive firewall (in active/passive mode) or the active-secondary firewall (in active/active mode) will wait before taking over as the active or active-primary firewall after communications with the HA peer have been lost. This hold time will begin only after the peer failure declaration has been made.

2000/500.

Preemption Hold Time (min)

Time that a passive or active-secondary firewall will wait before taking over as the active or active-primary firewall.

1/1

Thank you very much for your kindness, cooperation and your time.

I remain attentive

Best regards

Comments (3)

Reaper

May 10

The promotion hold time will have the passive device wait for an amput of time before becoming active after the active encountered a links state failure. This timer can be increased in case it is expected that the primary may have micro interruptions and you don't want it to trigger a failover immediately

The preempt hold timer let's the primary wait before becoming active again due to preempt being enabled (so it doesn't fail back immediately when it comes back as operational, but holds a bit in case the primary has another failure)

MetgatzGR

May 20

Replying to

Hi, thanks master @Reaper , but that means that in case the main firewall recovers its failure condition, if or if it will wait 1 minutes, that value is not adjustable to less but can only be increased but not added.

That is if the secondary block does not trigger a failure, the main firewall will wait about 1 minutes to resume the correct active role ? that is, it recovers its failure condition, for example an interface, will wait 1 minutes and regain control ?

Thank you master for your time, tips, comments and collaboration.

Correct, it will hold for at least 1 minute