https://live.paloaltonetworks.com/t5/general-topics/active-active-vip-ping-inconsistent/m-p/518551#M107576 <P>Hello All,</P> <P>i have 2 Firewalls configured in HA Active Active.</P> <P>I have a L3 sub interface created on each firewall and a vitual address configured as IP-Modulo arp-load-sharing.</P> <P>&nbsp;</P> <P>ex:</P> <P>FW1 (primary): 192.168.0.2/24</P> <P>FW2 (secondary): 192.168.0.3/24</P> <P>Virtual IP (ip modulo): 192.168.0.1/24</P> <P>zone: trust</P> <P>&nbsp;</P> <P>a management profile is configured on both FW1 and FW2 to allow ping on the interfaces.</P> <P>&nbsp;</P> <P>clients on the LAN (192.168.0.10/24) can ping all 3 IP addresses.</P> <P>clients on another zone of the firewall can ping FW2 192.168.0.3 (secondary) and are unable to ping FW1 (primary) 192.168.0.2 or the VIP 192.168.0.1.</P> <P>clients on another zone can also ping devices on the LAN without issues. ex: ping 192.168.0.10/24</P> <P>&nbsp;</P> <P>my question, why can't i ping the VIP 192.168.0.1 from the DMZ zone. shouldn't the VIP be accessible on both Active and Secondary firewalls.</P> Thu, 20 Oct 2022 18:55:09 GMT Ricky_Levesque 2022-10-20T18:55:09Z https://live.paloaltonetworks.com/t5/general-topics/active-active-vip-ping-inconsistent/m-p/518551#M107576 <P>Hello All,</P> <P>i have 2 Firewalls configured in HA Active Active.</P> <P>I have a L3 sub interface created on each firewall and a vitual address configured as IP-Modulo arp-load-sharing.</P> <P>&nbsp;</P> <P>ex:</P> <P>FW1 (primary): 192.168.0.2/24</P> <P>FW2 (secondary): 192.168.0.3/24</P> <P>Virtual IP (ip modulo): 192.168.0.1/24</P> <P>zone: trust</P> <P>&nbsp;</P> <P>a management profile is configured on both FW1 and FW2 to allow ping on the interfaces.</P> <P>&nbsp;</P> <P>clients on the LAN (192.168.0.10/24) can ping all 3 IP addresses.</P> <P>clients on another zone of the firewall can ping FW2 192.168.0.3 (secondary) and are unable to ping FW1 (primary) 192.168.0.2 or the VIP 192.168.0.1.</P> <P>clients on another zone can also ping devices on the LAN without issues. ex: ping 192.168.0.10/24</P> <P>&nbsp;</P> <P>my question, why can't i ping the VIP 192.168.0.1 from the DMZ zone. shouldn't the VIP be accessible on both Active and Secondary firewalls.</P> Thu, 20 Oct 2022 18:55:09 GMT https://live.paloaltonetworks.com/t5/general-topics/active-active-vip-ping-inconsistent/m-p/518551#M107576 Ricky_Levesque 2022-10-20T18:55:09Z https://live.paloaltonetworks.com/t5/general-topics/active-active-vip-ping-inconsistent/m-p/520798#M107956 <P>ARP can be a tricky creature if your network devices don't want to play along</P> <P>your switch (or router) may be 'locking' the virtual IP/MAC of the firewall on one port, or the IP to one MAC, causing this behavior</P> <P>are you able to verify this? (you should be able to packetcapture ARP at the router to see if you're getting onl;y one reply, and looking at the MAC table for the switch to see if it's associating the IP to just one port or something)</P> Wed, 09 Nov 2022 14:29:23 GMT https://live.paloaltonetworks.com/t5/general-topics/active-active-vip-ping-inconsistent/m-p/520798#M107956 reaper 2022-11-09T14:29:23Z