
FAQs on Failures

Why Are Services Interrupted After the Original Active Firewall Preempts?

Services are normal after the active/standby switchover but are interrupted after the original active firewall preempts. The cause might be that the network has not converged or that sessions have not been completely backed up. In addition, if a switch fails, its interfaces may go up and down repeatedly while the switch restarts. If the firewall preempts during this process, services may be interrupted.

In this case, adjust the preemption delay of the original active firewall.

Why Does Active/Standby Switchover Occur Repeatedly?

Check service interface status. If the interfaces go up and down repeatedly, active/standby switchover occurs repeatedly. If service interfaces are normal, the constant status change may be caused by different heartbeat intervals on the two firewalls. In this case, change the intervals to the same value.

Why Does the Original Active Firewall Not Preempt After Recovery?

Possible causes are as follows:
  • The preemption function is disabled.
  • The preemption conditions are not met. The original active firewall does not immediately preempt after recovery. Instead, it waits for a delay before the preemption. The preemption delay is set to avoid unstable active/standby switchover.

Why Are the Same Configuration Items Arranged in Different Orders in the Configuration Files on the Active and Standby Firewalls?

The fault usually results from inconsistent initial configurations of the two FWs. You need to delete the configuration items that appear in different orders and reconfigure them.

You are advised to configure hot standby based on the default settings.

Why Are the Session Tables on the Active and Standby Firewalls Different?

Check the status of the heartbeat link. If the heartbeat link fails, the sessions on the active firewall cannot be synchronized to the standby FW.

If the automatic session backup function is disabled, the sessions on the two firewalls are different. Even when automatic session backup is enabled, aging sessions are not synchronized in real time. A session is synchronized to the standby FW only when the session aging thread detects it and the session needs to be synchronized.

The firewalls do not back up sessions of the following types when the automatic session backup function is enabled:
  • Sessions to the firewall
  • Half-open TCP connections
  • Sessions in which the first packets are UDP packets and subsequent packets are not (such as BitTorrent packets)

What Are the Differences Between Automatic Session Backup and Quick Session Backup? Why Is Quick Session Backup Required in Case of Inconsistent Forward and Return Paths?

The differences between quick session backup and automatic session backup are as follows:
  • In quick session backup, sessions are synchronized to the standby firewall immediately after being set up. In automatic session backup, only sessions that require backup and are detected by the session aging thread are synchronized to the standby firewall.
  • The quick session backup function can back up half-open TCP sessions.

If the forward and return paths are different, enable quick session backup to ensure that the sessions on the two firewalls are the same.

Why Are TCP Services Interrupted When Quick Session Backup Is Enabled in Case of Inconsistent Forward and Return Paths?

In case of inconsistent forward and return paths, session synchronization may fail or be delayed due to traffic bursts, resulting in service delay or interruption. For example, one firewall forwards TCP SYN packets, and the other forwards TCP ACK packets. If the session table is not synchronized, ACK packets may be discarded.

If this condition severely affects services, disable stateful inspection on the firewall so that packets other than the first packet of a connection are not discarded merely because no matching session exists.
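
The following toy model is an added example, not Huawei code. It illustrates the two FAQs above on quick session backup and inconsistent forward and return paths. Assumptions: the class and function names are hypothetical, the flow is a constructed sample, the return packet seen by the second firewall is modeled as a SYN-ACK, and automatic backup is simplified to "only established sessions are synchronized".

```python
# Toy model (constructed, not vendor code) of two stateful firewalls on
# asymmetric paths: FW_A sees client->server packets, FW_B sees the replies.
from dataclasses import dataclass, field

@dataclass
class Firewall:
    stateful: bool = True                         # stateful inspection on/off
    sessions: dict = field(default_factory=dict)  # flow -> "half-open"/"established"

    def forward(self, flow, flags):
        """Return True if the packet is forwarded, False if it is discarded."""
        if flags == "SYN":
            self.sessions.setdefault(flow, "half-open")
            return True
        if flow not in self.sessions:
            if self.stateful:
                return False                   # non-first packet, no session
            self.sessions[flow] = "half-open"  # inspection off: packet opens a session
        if flags == "ACK":
            self.sessions[flow] = "established"
        return True

def sync(src, dst, mode):
    """Copy sessions over the heartbeat link according to the backup mode."""
    for flow, state in src.sessions.items():
        # Simplification: quick backup copies every session at once,
        # automatic backup never copies half-open TCP sessions.
        if mode == "quick" or (mode == "automatic" and state == "established"):
            dst.sessions[flow] = state

def handshake(mode, sync_delayed=False, stateful=True):
    """Send SYN (via A), SYN-ACK (via B), ACK (via A); return the verdicts."""
    fw_a, fw_b = Firewall(stateful), Firewall(stateful)
    flow = ("10.0.0.5", 40000, "192.0.2.10", 443)  # constructed sample flow
    verdicts = []
    for fw, peer, flags in ((fw_a, fw_b, "SYN"), (fw_b, fw_a, "SYN-ACK"),
                            (fw_a, fw_b, "ACK")):
        verdicts.append((flags, fw.forward(flow, flags)))
        if not verdicts[-1][1]:
            break                                  # handshake cannot complete
        if not sync_delayed:                       # delayed = burst outruns the sync
            sync(fw, peer, mode)
    return verdicts
```

Calling handshake("quick", sync_delayed=True) reproduces the interruption described above, and adding stateful=False shows why disabling stateful inspection restores the flow.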

Why Are the Sessions of the Current Active Firewall Marked with Remote After Active/Standby Switchover?

The sessions marked with remote are synchronized from the original active firewall. After active/standby switchover, the synchronized sessions are still marked with remote until the sessions age out.

Why Can't I Run Commands on the Standby Firewall?

After the active/standby status is set up on the two firewalls, commands that can be automatically synchronized can be run only on the active firewall, not on the standby firewall.

To manually run these commands on the standby firewall, run the undo hrp auto-sync config command to disable the automatic synchronization function.

Why Are Commands Executed on the Active Firewall Not Synchronized to the Standby Firewall?

If you disable the automatic configuration synchronization function, the configurations are not synchronized. Besides, not all commands can be synchronized. For example, interface and routing configurations cannot be synchronized.

For commands that can be synchronized, see List of Configurations Supporting Backup and Not Supporting Backup.

Why Does the Ping to the Virtual IP Address of the VRRP Group Fail?

Possible causes are as follows:
  • VRIDs conflict.
  • Pinging virtual IP addresses is disabled. Huawei firewalls enable you to ping virtual IP addresses by default. If pinging virtual IP addresses is disabled, run the vrrp virtual-ip ping enable command.
Copyright © Huawei Technologies Co., Ltd.