https://live.paloaltonetworks.com/t5/general-topics/duplicate-mac-address-in-layer-two-switch-when-paloalto/m-p/69839#M40411 <P>Hi All,</P> <P>&nbsp;</P> <P>We have the setup as shown below,</P> <P>In this scenario, &nbsp;<STRONG>Layer 2 switch (2960)</STRONG> showing the<STRONG> MAC address</STRONG> of the <STRONG>Exchange server</STRONG> learnt through the interface of the switch <STRONG>Gi 0/1</STRONG> which connects to the PAN firewall in V-wire mode to an ASA .</P> <P>We connected <STRONG>PA</STRONG> direclty to Core switch and made a static entry in switch for MAC address entry the port where <STRONG>exchange server</STRONG> is connected. Now it is working.</P> <P>&nbsp;</P> <P>But we need permanent fix and the reason why PaloAlto id doing this? <span class="lia-unicode-emoji" title=":disappointed_face:">😞</span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; we have more info after the below snap</P> <P><SPAN style="font-size: 11.0pt; font-family: 'Calibri',sans-serif; color: #1f497d;">&nbsp;</SPAN></P> <P>&nbsp;<IMG src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/1741i24D0E657DD5AB956/image-size/original?v=mpbl-1&amp;px=-1" alt="100.PNG" title="100.PNG" border="0" /></P> <P><SPAN style="font-size: 11.0pt; font-family: 'Calibri',sans-serif; color: #1f497d;"> troubleshoot an issue seen with connectivity to Exchange server cluster IP 172.16.12.190 from any of the remote locations and when the issue occurred, we could notice that the Layer 2 switch showing the MAC of the end host learnt through the interface of the switch Gi 0/1 which connects to the PAN firewall in V-wire mode to an ASA. Though the traffic path for reaching this server does not involve the PAN V-Wire, when the issue occurred, the flow shows at the receive stage in PAN packet capture and traffic logs. The issue is not seen when PAN V-wire is removed from the connectivity.&nbsp;</SPAN></P> <P>&nbsp;</P> <P><SPAN style="font-size: 11.0pt; font-family: 'Calibri',sans-serif; color: #1f497d;">Thank you,</SPAN></P> <P><SPAN style="font-size: 11.0pt; font-family: 'Calibri',sans-serif; color: #1f497d;">Guru</SPAN></P> Thu, 24 Dec 2015 06:56:32 GMT Gururaj 2015-12-24T06:56:32Z https://live.paloaltonetworks.com/t5/general-topics/duplicate-mac-address-in-layer-two-switch-when-paloalto/m-p/69839#M40411 <P>Hi All,</P> <P>&nbsp;</P> <P>We have the setup as shown below,</P> <P>In this scenario, &nbsp;<STRONG>Layer 2 switch (2960)</STRONG> showing the<STRONG> MAC address</STRONG> of the <STRONG>Exchange server</STRONG> learnt through the interface of the switch <STRONG>Gi 0/1</STRONG> which connects to the PAN firewall in V-wire mode to an ASA .</P> <P>We connected <STRONG>PA</STRONG> direclty to Core switch and made a static entry in switch for MAC address entry the port where <STRONG>exchange server</STRONG> is connected. Now it is working.</P> <P>&nbsp;</P> <P>But we need permanent fix and the reason why PaloAlto id doing this? <span class="lia-unicode-emoji" title=":disappointed_face:">😞</span>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; we have more info after the below snap</P> <P><SPAN style="font-size: 11.0pt; font-family: 'Calibri',sans-serif; color: #1f497d;">&nbsp;</SPAN></P> <P>&nbsp;<IMG src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/1741i24D0E657DD5AB956/image-size/original?v=mpbl-1&amp;px=-1" alt="100.PNG" title="100.PNG" border="0" /></P> <P><SPAN style="font-size: 11.0pt; font-family: 'Calibri',sans-serif; color: #1f497d;"> troubleshoot an issue seen with connectivity to Exchange server cluster IP 172.16.12.190 from any of the remote locations and when the issue occurred, we could notice that the Layer 2 switch showing the MAC of the end host learnt through the interface of the switch Gi 0/1 which connects to the PAN firewall in V-wire mode to an ASA. Though the traffic path for reaching this server does not involve the PAN V-Wire, when the issue occurred, the flow shows at the receive stage in PAN packet capture and traffic logs. The issue is not seen when PAN V-wire is removed from the connectivity.&nbsp;</SPAN></P> <P>&nbsp;</P> <P><SPAN style="font-size: 11.0pt; font-family: 'Calibri',sans-serif; color: #1f497d;">Thank you,</SPAN></P> <P><SPAN style="font-size: 11.0pt; font-family: 'Calibri',sans-serif; color: #1f497d;">Guru</SPAN></P> Thu, 24 Dec 2015 06:56:32 GMT https://live.paloaltonetworks.com/t5/general-topics/duplicate-mac-address-in-layer-two-switch-when-paloalto/m-p/69839#M40411 Gururaj 2015-12-24T06:56:32Z https://live.paloaltonetworks.com/t5/general-topics/duplicate-mac-address-in-layer-two-switch-when-paloalto/m-p/69851#M40414 <P>Are you sure that traffic is not passing through the PA firewall? Remove the static mac entry and do a traceroute check. The traffic from the exchange server is going to remote sites(left side)?</P> Thu, 24 Dec 2015 11:07:46 GMT https://live.paloaltonetworks.com/t5/general-topics/duplicate-mac-address-in-layer-two-switch-when-paloalto/m-p/69851#M40414 pankaku 2015-12-24T11:07:46Z https://live.paloaltonetworks.com/t5/general-topics/duplicate-mac-address-in-layer-two-switch-when-paloalto/m-p/70109#M40455 <P>This is extremely odd as we have tested this exact configuration without the issues you are having. A few questions:</P> <P>&nbsp;</P> <P>1) &nbsp;What version of PAN-OS are you running?</P> <P>2) &nbsp;Are there any NAT translations for the Exchange server configured in the ASA?</P> <P>3) &nbsp;Do you have any NAT rules for the Exchange server on the Palo Alto (asuming no as it's in VWire mode)</P> <P>4) &nbsp;Do you have any security policies configured on the Palo Alto</P> <P>&nbsp;</P> <P>I have seen some issues with 7.0.2 and 7.0.3 where if you have configured multiple Palo Alto virtual routers on the same vsys with ports connected to the same network (say Internet) advertise MAC addresses on the wrong interface (NAT), but this is all layer 3. &nbsp;I have never seen something like this in VWire.</P> <P>&nbsp;</P> <P>I would check your STP, make sure that your Core is setup as the root bridge, validate your VTP (if you use it), and check layer 2. &nbsp;I would also make sure your in VWire mode and not Layer 2 mode on the Palo Alto. &nbsp;As a test I would also allow all VLANS (0-4096) on the VWire.</P> <P>&nbsp;</P> <P>-Matt</P> Wed, 30 Dec 2015 14:56:40 GMT https://live.paloaltonetworks.com/t5/general-topics/duplicate-mac-address-in-layer-two-switch-when-paloalto/m-p/70109#M40455 mlinsemier 2015-12-30T14:56:40Z