Active/Active Floating IP/Traffic Forwarding Problem

dshue — Wed, 26 Mar 2014 15:38:03 GMT

Hello All,

I have a support case open with PAN but I thought I would query others smarter than I.

2 x PAN-2020
Recently enabled HA Active/Active
BGP on External/Currently ONLY Static Inside to Active-Primary device (0.0.0.0/0 -> Active Primary)
Session Owner = First Packet (only going to be Active-Primary right now do you static route)
Session Setup = IP-modulo
Floating IP - x.x.x.128 -> active-secondary preferred
Floating IP - x.x.x.129 -> active-primary preferred
2 x GlobalProtect Portals - each using respective Floating IPs

I first noticed an issue when configuring an SSL-portal using a Floating IP. It seems as though only the session owner can communicate with it's preferred floating IP.

Example 1:

Client A -> 0.0.0.0/0 -> active-primary -> https://x.x.x.129 = WORKS!

Client A -> 0.0.0.0/0 -> active-primary -> https://x.x.x.128 = FAIL

Example 2:

Client A -> 0.0.0.0/0 -> active-secondary -> https://x.x.x.129 = FAIL

Client A -> 0.0.0.0/0 -> active-secondary -> https://x.x.x.128 = WORKS!

From these examples, only the session owner can communicate with its respective floating IP. I have also seen where IPSec tunnels that terminated to ONLY the Active-Primary are having intermittent issues with communicating with internal hosts. All outbound and inbound NAT'd traffic seems to be doing wonderfully, just sessions that terminate to the firewalls themselves seem to be having issues.

I have a drawing that I can share if anyone shows interest in helping me troubleshoot. I'm at a loss and been at if for 4 days.

TIA!

Re: Active/Active Floating IP/Traffic Forwarding Problem

dshue — Mon, 07 Apr 2014 20:30:41 GMT

Gonna answer this one myself. After talking with PA support, traffic destined to a Floating IP through it's peer was never designed to go through HA3 packet forwarding. It is assumed that the owner of the Floating IP would always get the traffic first via ARP and the virtual mac. In my situation, I have two /29 that communicate with the upstream ISP routers and I was attempting to use one of my /24 (BGP routed) IPs as a floater. I was wanting to use the Floating IP as a signal point of entry for S2S VPNs. Because of asymmetric routing and BGP, there was no way to guarantee that the Floating IP owner would 100% always receive the packet.

I'm working around this issue for now and just using a /30 that is ALWAYS statically routed to one device. But I'm still having IPSec VPN problems, but that's another post. Hope this helps someone.

topic Re: Active/Active Floating IP/Traffic Forwarding Problem in General Topics

Active/Active Floating IP/Traffic Forwarding Problem

Re: Active/Active Floating IP/Traffic Forwarding Problem