topic SIP/RTP Traffic Issues in Palo Alto Active-Active vWire Setup Causing MAC Flapping In L3 devices in Next-Generation Firewall Discussions https://live.paloaltonetworks.com/t5/next-generation-firewall/sip-rtp-traffic-issues-in-palo-alto-active-active-vwire-setup/m-p/650846#M5067 <P><SPAN>In a Palo Alto Active-Active vWire setup, traffic entering a port on Device A is not supposed to egress from any port on Device B. The HA3 link is typically used to forward packets from the active-secondary device to the active-primary device for processing and evaluation against security policies. However, in your setup, you are observing that traffic—especially SIP and RTP traffic related to phone connectivity between clients and servers—sometimes enters the primary-active firewall, traverses the HA3 link, and then egresses from the secondary-active firewall. This behavior is causing MAC address flapping on the Layer 3 device connected to both firewalls.</SPAN></P><P>&nbsp;</P><P><SPAN>To temporarily resolve this issue, I have to manually clear the inbound and outbound phone sessions from the secondary firewall.</SPAN></P><P>&nbsp;</P><P><SPAN>Can some help me to understand where this issue might be.&nbsp;<BR /></SPAN></P><P>&nbsp;</P> Sat, 23 Nov 2024 16:02:14 GMT anthony.fernando83 2024-11-23T16:02:14Z SIP/RTP Traffic Issues in Palo Alto Active-Active vWire Setup Causing MAC Flapping In L3 devices https://live.paloaltonetworks.com/t5/next-generation-firewall/sip-rtp-traffic-issues-in-palo-alto-active-active-vwire-setup/m-p/650846#M5067 <P><SPAN>In a Palo Alto Active-Active vWire setup, traffic entering a port on Device A is not supposed to egress from any port on Device B. The HA3 link is typically used to forward packets from the active-secondary device to the active-primary device for processing and evaluation against security policies. However, in your setup, you are observing that traffic—especially SIP and RTP traffic related to phone connectivity between clients and servers—sometimes enters the primary-active firewall, traverses the HA3 link, and then egresses from the secondary-active firewall. This behavior is causing MAC address flapping on the Layer 3 device connected to both firewalls.</SPAN></P><P>&nbsp;</P><P><SPAN>To temporarily resolve this issue, I have to manually clear the inbound and outbound phone sessions from the secondary firewall.</SPAN></P><P>&nbsp;</P><P><SPAN>Can some help me to understand where this issue might be.&nbsp;<BR /></SPAN></P><P>&nbsp;</P> Sat, 23 Nov 2024 16:02:14 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/sip-rtp-traffic-issues-in-palo-alto-active-active-vwire-setup/m-p/650846#M5067 anthony.fernando83 2024-11-23T16:02:14Z