An administrator is seeing one of the firewalls in a HA active/passive pair moved to "suspended" state due to Non-functional loop. Which three actions will help the administrator resolve this issue? (Choose three.)
A.
Check the HA Link Monitoring interface cables.
B.
Check High Availability > Active/Passive Settings > Passive Link State
C.
Check the High Availability > Link and Path Monitoring settings.
D.
Check the High Availability > HA Communications > Packet Forwarding settings.
E.
Use the CLI command show high-availability flap-statistics
Guys, I've checked all the answers. If we see quickly, we identify 4 coorect answers: ABCE. If we pay more attention, we'll fond that B is false. In fact, the link High Availability > Active/Passive Settings > Passive Link State doesn't exist on PAN. The correct link is High Availability > General > Active/Passive Settings > Passive Link State
"B" is the trap on this question.
High Availability > Active/Passive Settings > Passive Link State does exist. Technically its Device > High Availability > Active/Passive Settings > Passive Link State. Device is left off all these answers so I imagine it's supposed to be assumed.
It´s right that High Availability > Active/Passive Settings > Passive Link State does exist.
The correct path is Device > High Availability > GENERAL> Active/Passive Settings > Passive Link State.
So B is wrong.
If we consider "General" to be a mistake in the question then answer is A,C,E
High Availability > Active/Passive Settings > Passive Link State doesn't exist on PAN.
"A is explicitly mentioned in these links" Except is not. "Monitored links" refer to interface monitoring that is used as a condition for failover, not the actual HA interfaces you're using to form you HA A/P cluster. HA interfaces being disconnected will give you other errors. Besides, there's no such thing as "HA link monitoring cables".
Since the non-func loop happens when the monitored interface is disconnected on the passive fw, B and C will help you troubleshoot and solve. E will too since it will help you determine if flapping happened.
It is kind of ambiguous, but I think C would not help diagnose the issue, it may be something you could use to solve it after you know what the problem was, but to know that your first need to (E) to confirm that the non-functional loop was triggered due to max flaps, then (B) to confirm that the cause was that the passive link state was set to shutdown and then (A) to check if the cables were connected correctly, which most likely they were not.
Only then you may (C) to disable the link and path monitoring if you intentionally needed to disconnect the cables and only re-enable it once you are done with those L1 changes. Otherwise, when you perform (c) you just connect the cables correctly and you have solved the issue. Finally, you manually startup the HA again on the Firewall.
Maybe it could be argued that the answer is ABC and you don't even need to do E because you pretty much already know what the problem was when you see the "suspended (Non-functional loop)" next to your Active FW in the HA widget, but oh well, one more ambiguous question for the choose-at-random list.
Check the HA Link Monitoring interface cables. This is because the interface cables may be loose or disconnected, causing a non-functional loop1.
Check High Availability > Active/Passive Settings > Passive Link State. This is because the passive link state may be incorrect or inconsistent, causing a non-functional loop1.
Use the CLI command show high-availability flap-statistics. This is because this command can display information about the interface and path monitoring flaps, which may indicate a non-functional loop1.
It's BCE.
A - NO. There is no such thing as "HA Link monitoring cables". These are data interfaces we are talking about.
B - YES. If passive link state is "shutdown" then it brings link down when the firewall becomes passive, which makes the path monitoring fail because the link is down. That is one reason why it's better to set the passive link state to "auto" instead of "shutdown".
C - YES. Link and path monitoring settings are where you tell the fw to monitor the ink state of the port, and also specify a destination IP to ping.
D - NO. These settings would be for an active/active config, to use HA3.
E - YES. This command shows you how many times the fw has flapped.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClgVCAS
I'm going with ABC.
A and C are explicitly mentioned in the link below:
https://knowledgebase.paloaltonetworks.com/articles/en_US/Knowledge/HA-Link-Monitoring-Interface-T-60615
D doesnt apply to this.
As for B, If the passive link state is set to shutdown, I can imagine the link would be down and so the link and path monitoring would fail, thus causing this issue. This is mentioned as a cause of a preemption loop, which is slightly different (https://knowledgebase.paloaltonetworks.com/articles/en_US/Knowledge/When-does-an-HA-node-go-into-S-67706). This is not mentioned as a cause of our issue, though.
E would help identify that flapping has occurred, but it wont help with recovery. Also, it's already obvious that it's occurring because the HA pair is saying it's in a suspended state due to Non-functional loop.
Correction: it's ACE. This issue is caused by Link and Path Monitoring settings monitoring interfaces that are down, which only happens on the active unit. Active comes up, links are down, it moves to passive... new active comes up, links are also down for that unit, it moves to passive. Eventually this flapping triggers a suspended state. B wouldnt apply here because only the active unit does Link and Path Monitoring.
So ACE.
ACE, based on shared KBs from other members here
a-. Check the HA Link Monitoring interface cables
c-. Check the High Availability > Link and Path Monitoring setting
e-. As per KB, it mention flaps, Command found is correct (Not in KB) show high-availability flap-statistics
b- not correct, this is correct path: Device> High Availability> General> Active/Passive Settings> Passive Link State>
>> Flood Protection / SYN-Actions
d- N/A for active/active FWs setup - Device > High Availability > Active/Active Config
This section is not available anymore. Please use the main Exam Page.PCNSE Exam Questions
Log in to ExamTopics
Sign in:
Community vote distribution
A (35%)
C (25%)
B (20%)
Other
Most Voted
A voting comment increases the vote count for the chosen answer by one.
Upvoting a comment with a selected answer will also increase the vote count towards that answer by one.
So if you see a comment that you already agree with, you can upvote it instead of posting a new comment.
Knowledge33
Highly Voted 1 year, 5 months agosov4
1 year, 4 months agoArtbrut
1 year, 2 months agom70855712
Most Recent 3 months ago0d2fdfa
6 months, 1 week agoThunnu
8 months, 1 week agoPacheco
9 months, 3 weeks agoevilCorpBot7494
10 months, 1 week agoJRKhan
10 months, 2 weeks agoMetgatz
11 months, 2 weeks ago34f7d3a
11 months, 2 weeks agohomersimpson
11 months, 2 weeks agoPacheco
9 months, 3 weeks agoMerlin0o
1 year, 3 months agosov4
1 year, 4 months agosov4
1 year, 4 months agoBetty2022
1 year, 4 months agoPochex
1 year, 5 months agopkevinkou
1 year, 7 months agoPnosuke
1 year, 7 months agoFrightened_Acrobat
1 year, 8 months ago