topic Re: Same Mac address shared by two paloalto firewalls in General Topics

Same Mac address shared by two paloalto firewalls

DCN — Fri, 13 Sep 2013 16:32:31 GMT

Hi,

I have seen strange behaviour between two palo alto firewalls.

I have pair of PA-3020 and Pair of PA-500 in Active/standby scenario. They serve two different networks but to provide interconnect between two networks they (Eth 1/3) are connected to Cisco Nexus switch via FEX (VLAN 129). Has anyone seen a case where two different models of the firewall connected via same vlan share same mac address?

admin@CFWL02(active)> show arp all

interface ip address hw address port status ttl

--------------------------------------------------------------------------------

ethernet1/3.129 10.224.63.33 00:1b:17:00:01:12 ethernet1/3 c 1487

admin@MFWL02(active)> show arp all

interface ip address hw address port status ttl

--------------------------------------------------------------------------------

ethernet1/3.129 10.224.63.36 00:1b:17:00:01:12 ethernet1/3 c 1627

L2S01# sh mac address-table vl 129

Legend:

* - primary entry, G - Gateway MAC, (R) - Routed MAC, O - Overlay MAC

age - seconds since last seen,+ - primary entry using vPC Peer-Link

VLAN MAC Address Type age Secure NTFY Ports/SWID.SSID.LID

---------+-----------------+--------+---------+------+----+------------------

+ 129 001b.1700.0112 dynamic 0 F F Po1000

L2S01# sh mac address-table vl 129

Legend:

* - primary entry, G - Gateway MAC, (R) - Routed MAC, O - Overlay MAC

age - seconds since last seen,+ - primary entry using vPC Peer-Link

VLAN MAC Address Type age Secure NTFY Ports/SWID.SSID.LID

---------+-----------------+--------+---------+------+----+------------------

* 129 001b.1700.0112 dynamic 10 F F Eth122/1/47

I will appreciate your help if you advise me.

Thanks

Re: Same Mac address shared by two paloalto firewalls

HULK — Fri, 13 Sep 2013 16:46:48 GMT

Hello good morning,

As you mentioned before, both pairs are part of high-availability. Could you please confirm if HA "group ID" also same in both HA environments. If "group-ID" is same for both pairs, there there is s possibility to have an identical virtual MAC.

How to Calculate a Virtual MAC Address

It is recommended to have different "group-ID" inside a same network for different HA pair, in order to avoid packet loss.

Hope this helps.

Thanks

Re: Same Mac address shared by two paloalto firewalls

HULK — Fri, 13 Sep 2013 17:09:12 GMT

In this case, you have set Group-ID =1 for both HA pairs.

00:1b:17:00:01:12 ethernet1/3

Re: Same Mac address shared by two paloalto firewalls

DCN — Tue, 17 Sep 2013 13:29:55 GMT

Spot on !!!! Thanks for your help.

Re: Same Mac address shared by two paloalto firewalls

ksalustro — Fri, 31 May 2024 13:07:25 GMT

Fyi the link has moved, here is the one that works now in 2024:

How to Calculate a Virtual MAC Address - Knowledge Base - Palo Alto Networks