topic Re: HA path monitoring in virtual wire in General Topics

HA path monitoring in virtual wire

gmparis — Sun, 07 Apr 2013 23:05:32 GMT

I've seen a couple answers here about using Path Monitoring in Virtual Wire. They say that one must use an IP address within the Virtual Wire subnet as the source address. OK, I get that. What I don't get is how to configure such an address. I don't see a way to add an address to a vwire interface. I've tried creating a loopback with no good result. Also gave vlan a shot, but that didn't look promising either. Thanks for any help.

Re: HA path monitoring in virtual wire

Sly_Cooper — Mon, 08 Apr 2013 08:37:42 GMT

Device -> High Availability -> Path Monitoring -> Path Group -> Add Virtual Wire has the option to add Source and Destination address. I am also working on similar monitoring where I would like to monitor device beyond connected device. I am still not sure how the routing would though. I have a case open with support with not much progress.

Re: HA path monitoring in virtual wire

UhMayYeah — Mon, 08 Apr 2013 11:27:44 GMT

How about configuring a L3 interface on PA and connecting it to the network providing a reachability to the Monitored Dest.

vwaghmar :

Excerpt from Admin guide : 5.0

Source IP—For virtual wire and VLAN interfaces, enter the source IP address used in the probe packets sent to the next-hop router (Destination IP address). The local router must be able to route the address to the firewall. The source IP address for path groups associated with virtual routers will be automatically configured as the interface IP address that is indicated in the route table as the egress interface for the specified destination IP address.

Re: HA path monitoring in virtual wire

Sly_Cooper — Mon, 08 Apr 2013 11:49:14 GMT

: L3 interface configuration is what suggested by our SE. The support talked about having src and dst ip in the subnet. That doesn't make any sense when you want to monitor devices beyond connected one. Have you tried this by yourself? Unfortunately I don't have an environment to play with and before touching the production devices, I wanted to make sure that I can plan ready for configuration and testing. I am running 4.x code. Do I need to have a combination of virtual wire and virtual router in the path monitoring config? Can you provide me more details?

Here is what my scenario is (apologies @gmparis for hijacking thread). Internet -> Internet router -> public switch -> Untrust firewall -> Untrust PAN -> Trust PAN -> DMZ switch. I can monitor dmz switch and trust interface of firewall using link monitoring and is working fine. I want to monitor the untrust firewall to pub switch connectivity. Here is what I understood.

- Connect new interface on PAN to dmz switch

- Configure L3 interface with trust side subnet of firewall

- Configure path monitoring with newly added interface? How do I add destination ip? I dont see any option to use single interface under path monitoring.

Re: HA path monitoring in virtual wire

gmparis — Mon, 08 Apr 2013 12:46:46 GMT

No problem about the hijacking, @vwaghmar. Thanks for answering my question. I was trying to test the path monitoring using ping before configuring it into HA. That apparently can't be made to work, but isn't necessary. Just putting the source address into the vwire path monitoring config is all that's needed. I was making it harder than it had to be.

Good luck with your layer-3 issue.

Re: HA path monitoring in virtual wire

Sly_Cooper — Tue, 09 Apr 2013 13:04:44 GMT

- Glad to know that it helped. I hope I will get answer for my questio as well. I am waiting for suggestions from for my testing. Till then I would continue to use your thread

Re: HA path monitoring in virtual wire

pkonitz — Tue, 16 Apr 2013 09:03:42 GMT

Hi all

I'll join this thread cause this is exactly what I'm looking for.

I need to monitor HSRP address of routers because If outside interface goes down on cisco ASA, ASAs will switchover and PANs not.

Do I realy need to create seperate L3 interface just for this purpose? If yes I think that it will be easier to create L3 interfaces on PAN.

regards

Przemek

Re: HA path monitoring in virtual wire

Sly_Cooper — Tue, 16 Apr 2013 10:46:10 GMT

- Looks like we are in the same boat. The ASA failover does not trigger PA failover. Creating a separate L3 interface for monitoring is what suggested by our SE. Here is what I had tried over the last weekend but did not get satisfactory results due to ASA issues in our environment.

- Connect an interface from PAN to LAN switch

- Configure interface in L3 mode. I am assuming that PAN trust/inside is connected to a L3 switch having default gateway as ASA

- Configure new zone

- Configure new virtual router. I preferred to create new as the purpose was to use it purely for HA path monitoring. My PAN anyways configured in vWire mode

- Ping destination using src ping on PAN. Please note that somehow I was not able to ping ASA untrust from inside/trust. I am not sure if that is the feature in ASA but I did not have time to work on it. If you know how then please let me know. ASA egress IP is reachable from public

- Configure path monitoring with type as "virtual router". Configure destination address and select the virtual router with proper routing

- Check path monitoring status from cli # show high-availability path-monitoring

pan(active)> show high-availability path-monitoring

--------------------------------------------------------------------------------

total paths monitored : 1

interval to send ICMP probe packets : 200 ms

last N probes to determine path availability : 10

hold time to send probe packets : 60000 ms

(after device becomes active)

--------------------------------------------------------------------------------

name/type destination succ/total rtt min/max/avg (ms)

--------------------------------------------------------------------------------

ha-monitor-vrouter/virtual-router <destination ip> 10/10 0.80/1.04/0.88

--------------------------------------------------------------------------------

My failover scenario worked fine after shutting down the ASA untrust link. I however had issues later when Active PAN become Primary again. I will be trying the same thing with Juniper firewalls again over coming weekend. If you manage to test in the meanwhile then please share the results.

Re: HA path monitoring in virtual wire

pkonitz — Tue, 16 Apr 2013 11:19:27 GMT

thx vwaghmar for your answer.

as I remember you can't ping outside interface of ASA from inside so don't bother. Maybe if you change "management-interface" for outside (which is not recomended) but it is not easily done casue managemnt-interface can't be the one with the lowest "security-level".

Unfortunately I dont have 2 ASAs in my lab to test all interesting parts.

My first question is whether PAN tranfers traffic in vwire when it is in passive mode? It is fundamental question cause
If the answer is yes then it is no use of creating L3 interface for path monitoring cause its default gateway (L3 switch or inside interface of ASA) is always available regardless which ASA is acitve or standby.

When ASAs do switchover the secondary one starts using the IP address of the previous primary one (which is default gateway for internal networks and L3 interface of PAN).

OK I've found the info that traffic handling links on the passive device are in "down" state. Of course it wouldn't make sanse the other way but I had to ask

As I said I can't test it in a full environment but I have to do it in production GREAT is it not?

What about your case you've mentioned earlier? is it closed with the solution presented? or still have hope for some trick? idea?

regards

Przemek

Re: HA path monitoring in virtual wire

Sly_Cooper — Tue, 16 Apr 2013 11:35:21 GMT

- Anyways we are getting rid of ASA with PAN so I am not bothered any more . I wanted to simulate it for other environment.

Passive PAN in vwire mode will have all its interfaces shut/down. Are you seeing the interfaces UP? Also the traffic will eventually flow from the vwire to reach ASA or gateway so the path monitor will have no data on the passive PAN. Check the output below from passive PAN. There is a possibility that the active PAN will be able to reach the destination ip from the standby ASA (when Active). I did not get time to check about it. I will check with our SE.

pan(passive)> show high-availability path-monitoring

--------------------------------------------------------------------------------

path monitoring statistics unavailable due to inactive device state

total paths monitored : 1

interval to send ICMP probe packets : 200 ms

last N probes to determine path availability : 10

hold time to send probe packets : 60000 ms

(after device becomes active)

--------------------------------------------------------------------------------

name/type destination succ/total rtt min/max/avg (ms)

--------------------------------------------------------------------------------

ha-monitor-vrouter/virtual-router <dst monitored ip> N/A N/A

-------------------------------------------------------------------------------

I tested it in production as well as I have running setup with this limitation :smileygrin:. I am going to try next with Juniper firewall which has the option to assign separate management ip address apart from the floating one to an interface.

As per support, it is not possible to monitor destination which is one hop away/routed. The L3 interface on PAN will have to be in the same subnet as dst address.

Re: HA path monitoring in virtual wire

pkonitz — Tue, 16 Apr 2013 12:11:10 GMT

This is my first experience with PAN so sorry for silly questions

I see the interfaces Down on passive generaly becasue they are not connected to standby ASA (I don't have 2nd one in my lab )

However I've just seen there is an option for default bahaviour.

I didn't get the thing about support.

"L3 interface must be on the same subnet as dst address?"

According to docs (at least for 5.0) it can be done.

You also wrote:

I however had issues later when Active PAN become Primary again

What kind of issues? Did you enable Preemptive option? I think It should be disabled in this scenario as PAN need to follow ASAs.

For now I think I will need to redesign everything and make PAN in L3 mode cause I even have problems with creating vwire subinterfaces and putting them in deferent zones.

https://live.paloaltonetworks.com/thread/7403

Sorry for changing the subject. Do you have similar environment?

regards

Re: HA path monitoring in virtual wire

Sly_Cooper — Tue, 16 Apr 2013 12:49:24 GMT

As far as I know or seen, PAN in vWire HA deployment will have ports shut on Passive device. I think I had checked/tried that initially and had same results. May be it is something different for L3 mode. My environment is vWire mode only.

I didn't get the thing about support.

"L3 interface must be on the same subnet as dst address?"

Honestly it does not make any sense to me as well as path monitoring is supposed to check path IMO. As per the support the src ip (L3 on PAN) should be part of destination subnet. May be it is limitation for vWire based deployment The option suggested was to connect a cable from PAN to the remote subnet and then configure monitoring of destination IP.

What kind of issues? Did you enable Preemptive option? I think It should be disabled in this scenario as PAN need to follow ASAs.

We had issues with managing secondary ASA after failover. Hence could not check the status on secondary ASA. After a while, the Active PAN was primary. I suspect that is due to the reason that the destination ip was reachable via Standby ASA (when Active). Yes I have preemptive option enabled. That is a good option to check for. Anyways I plan on checking the untrust IP availability and my affected environment has Juniper. I will configure the destination ip separate on PAN which will be the manage-ip of untrust interface (not floating). The aim is to failover PAN if the untrust link to connected switch dies.

I am running 4.x so cant comment about 5.x stuff.

I would love to have L3 environment but redesign is not an option for me considering config on the existing firewalls and criticality of the environment. I am however moving to L3 on PAN in some environment. ASA and PAN back to back becomes redundant. In my environment we are doing lot of stuff on PAN than ASA so we will be replacing ASA.

Re: HA path monitoring in virtual wire

Sly_Cooper — Tue, 16 Apr 2013 13:02:32 GMT

I just checked release notes of 5.0.4 and can see the enhancement in HA options.

• Passive Device Link State Control

–

This enhancement improves failover times in Active/Passive deployments that make use of L2 or virtual wire interfaces by keeping the physical interface link state on the passive device in the link

up state. This feature already exists for L3 interfaces.

Re: HA path monitoring in virtual wire

pkonitz — Tue, 16 Apr 2013 13:23:15 GMT

I think this was your issue - I mean PREEMPTIVE option. As I remember ASA in active/standby mode doesn't behave in a preemptive manner (it can but as I remember only in multicontext mode). So after a while passive PAN regain its connectivity with path monitoring through currently active ASA so it switches again. What is your case?

I've just tried this "Passive Device Link State Control" and I changed it to "auto" as picture presented earlier. However this does not mean that ASA hearbeats can keep going !!! Its true that link is green but thats all. So no connectivity to the secondary ASA will be allowed when the PAN box is passive. This make sense in order to avoid the situation when we could evade the active box and its inspection, but it is pain in the a... when sth behind it needs to send its heartbeats

regards

Re: HA path monitoring in virtual wire

Sly_Cooper — Tue, 16 Apr 2013 14:55:43 GMT

pkonitz

BTW - Check the release notes of 5.0.4. You can create sub-interfaces in vWire mode. I think this is what you are looking for???

Virtual Wire Subinterface

–

You can now create virtual wire subinterfaces in order to

classify traffic into different zones and virtual systems. You can classify traffic according to the VLAN tag, or VLAN tag plus IP address (IP address, IP range, or subnet).

Re: HA path monitoring in virtual wire

pkonitz — Wed, 17 Apr 2013 06:38:00 GMT

As I described in this post

https://live.paloaltonetworks.com/thread/7403

I've got this release installed, got subinterfaces configured and assigned them to different zones but traffic doesn't flow if the main intarface isn't assigned to zone as well. When it is, subinterfaces inherits this assignment form main interface and even though they're in different one I see in logs that traffic comes from the main zone. So I cant make a different policies per subinterfaces.

Thanks for sharing your experience

I think we should end this topic cause gmparis will be angry for all the notification he receives

regards
Przemek

Re: HA path monitoring in virtual wire

Sly_Cooper — Wed, 17 Apr 2013 08:24:54 GMT

I had asked permission from to use his thread so I hope he wont mind . Anyways I have submitted the change request to get the new config tested. If get approvals then I will get the config tested over the weekend. I will let you know the outcome.

Re: HA path monitoring in virtual wire

Sly_Cooper — Mon, 22 Apr 2013 09:42:51 GMT

- FYI

I successfully tested the new configuration and managed to configure path monitoring using additional link (L3) on PAN.

- Connected additional interface from PAN to the internal switch

- Configured L3 interface as part of the internal switch

- Configured new zone and virtual router

- Configured new L3 interface as part of new zone and virtual router. This is mainly to keep the ha monitor link separate. I called it ha-monitor

- Configured Juniper firewalls with separate manage-ip for the untrust interface

- Configure Path Monitoring -> Virtual Router and monitored destination as the untrust manage-ip of the firewall

- Each PAN was configured to poll different manage-ip of the connected Juniper firewalls

- Removed "Preempt" from HA (Thank you very much for the suggestion)

Failover and failback worked fine as expected and was tested by shutting down the firewall untrust port connected to the external switch. The separate manage-ip on Juniper firewalls and removing preempt made it work. Now I have link monitoring and path monitoring configured for our environment.

Re: HA path monitoring in virtual wire

NGS_SOC — Mon, 22 Apr 2013 09:51:24 GMT

Hi, I've an installation similar to your scheme and I uses PA-3020 under ASAs in A/A with 4 vwire. Active Active configuration and full state sync allow you to forget witch ASA is active passing traffic.

Re: HA path monitoring in virtual wire

pkonitz — Mon, 22 Apr 2013 10:08:39 GMT

hi,

thx for update

nice to hear it worked.

I decided to go to L2 deployment cause in Wwire mode passive unit doesn't pass traffic at all so in my case (cisco ASA) hello packets did not flow so failover on ASA was a bit problematic. However L2 with vlan retagging works as charm, what is more, when ASAs switchover it does't trigger PAN to failover so I see additional benefit in it

As NGS said active/active probably would solve all our issues but this is thing I want to avaid cause guys from PaloAlto suggested not going into A/A

regards