topic Re: PAN in Layer 2 mode and Microsoft NLB in General Topics

PAN in Layer 2 mode and Microsoft NLB

mkopcic — Thu, 02 Feb 2012 13:40:45 GMT

Hi!

Customer configured Palo firewall to work in Layer 2 mode to protect VLAN. In that VLAN there are two servers in MS NLB configuration. In VLAN configuration in Palo, static MAC entry is configured for virtual MAC address, but that entry isn't displayed with show mac command. See attached picture and listing:

mkopcic@PA-4020> show mac Bridge_4-440 | match 02:bf:0a:0b:08:f8

mkopcic@PA-4020>

Application (HTTP portal) works if real IP adresses are used, but if virtual IP adress is used, application is unreachable. Ping to virutal IP address is working. On Palo I captured dropped packets and saw that Palo is dropping traffic to NLB virtual address. See attached file.

Does anyone have idea why Palo is dropping traffic?

Best regards,

Maja

Re: PAN in Layer 2 mode and Microsoft NLB

mkopcic — Thu, 02 Feb 2012 14:26:49 GMT

Traffic blocked on Palo looks like that:

Source IPx, MACx -> Dest: IP virtual, MAC virtual SYN

Source: IP virtual, MAC real -> Dest: IPx, MACx SYN ACK

Does Palo drop session because is getting response from different MAC address?

And why NLB works ok on virtual-wire configurations???

Thank you and regards,

Maja

Re: PAN in Layer 2 mode and Microsoft NLB

bvandivier — Sat, 18 Feb 2012 20:55:24 GMT

Maja, I recommend opening a case with Support for further analysis of your issue.

Re: PAN in Layer 2 mode and Microsoft NLB

Retired Member — Thu, 16 Oct 2014 07:16:21 GMT

anyone has a solution for that

Re: PAN in Layer 2 mode and Microsoft NLB

ajbool — Thu, 16 Oct 2014 07:29:28 GMT

We don't use our Palo Altos in L2 mode; but in L3 mode we need to place a static ARP entry mapping the NLB IP address through to the NLB MAC address on the firewalls.

This obviously isn't going to apply to an L2 firewall - but do you have a static ARP entry defined on whichever L3 router/devices that are on the same subnet as the NLB address and communicating with it?