Replace a PA-5450 Front Slot Card in a High Availability (HA) Configuration
Table of Contents
Replace a PA-5450 Front Slot Card in a High Availability (HA) Configuration
Remove and install a Networking Card or Data Processing
Card from the PA-5450 firewall without putting your High Availability
setup at risk.
When High Availability (HA) is configured
on the firewall, you must take additional steps to remove and install
a Networking Card (NC) or Data Processing Card (DPC). Although it
is possible to hot-swap the front slot cards, following the procedure
outlined below will prevent slot or device failures in a live HA
deployment.
In an HA configuration, you must install the NCs and
DPCs in each chassis in corresponding slots. For example, after installing two
NCs (one in each firewall), the firewall keeps them in a disabled state until
you enable them. This allows the firewall to start HA monitoring on each NC at
the same time.
- To insert a new pair of NCs or DPCs into an HA pair:
- Insert a card into the same numbered slot in both devices.Verify that the cards are powered on by issuing the following command:
show chassis status
If the slot is in the Admin-power-down state, then issue the following command on both devices to power on the slots:request chassis admin-power-on slot <slot-number> target local-device
Change the distribution policy mode on each device:set session distribution-policy session-load
Confirm that both devices are in the correct state with the following commands:show chassis status
show session distribution policy
show high-availability all
Issue the following command to allow traffic to flow through the slot on both devices:request chassis enable slot <slot-number> target ha-pair
To remove a pair of NCs or DPCs from an HA pair:- Disable HA on the HA pair.On the device whose front slot card you want to remove, issue the following command where X is the slot and Y is the amount of time to allow the slot to power down gracefully:
request chassis admin-power-off slot X Y
Once both slots are powered off, remove the cards from both devices.Issue the following command after the slots are removed to make sure future slots will power up when they are added:request chassis admin-power-on slot X
If a slot fails in a running HA pair, it will take the device that sees the failure into a Non-Functional or Tentative state. To bring the two devices back up:- On the device whose front slot card you want to remove, issue the following command where X is the slot. The down device should move into a functional state.
request chassis admin-power-off slot X
Executing this command will power off the given slot. Do you want to continue? (y or n)
Remove the failed card from its slot.Prepare to return the failed card. The non-failed card on the other device can be left in an AdminPowerOff state until you receive a replacement card.To install a replacement of the failed card:- When you receive the replacement NC or DPC, insert it into the device that needs the replacement card. Ensure that the slot it is inserted into corresponds to the slot of the functioning card in the paired device.Verify that the card is powered on by issuing the following command:
show chassis status
If the slot is in the Admin-power-down state, then issue the following command on both devices to power on the slots:request chassis admin-power-on slot <slot-number> target local-device
Change the distribution policy mode:set session distribution-policy session-load
Confirm that both devices are in the correct state with the following commands:show chassis status
show session distribution policy
show high-availability all
Once the slot moves into a Disable state, issue the following command and the slot will allow traffic to start flowing to the slot:request chassis enable slot <slot-number>
