https://live.paloaltonetworks.com/t5/general-topics/arp-issue-with-pa-active-active/m-p/156389#M51332 <P>This is a pretty common issue in an Active/Active configuration and there are a lot of potential problems that you could be hitting; this type of thing is why Active/Active configuration is really not advised unless you are doing a large amount of async routing.&nbsp;</P> Fri, 12 May 2017 13:19:17 GMT BPry 2017-05-12T13:19:17Z https://live.paloaltonetworks.com/t5/general-topics/arp-issue-with-pa-active-active/m-p/156294#M51305 <P>Hi</P><P>&nbsp;</P><P>&nbsp;</P><P>2 PA-3060's, setup in Active / active</P><P>I have a vlan 213 with 10.172.213.0/24 assigned to it</P><P>I have .2 and .3 assigned to the PA's and .1 assigned as a HA Virtual ip .</P><P>&nbsp;</P><P>I also have 3 virtual machines, app1 app2 app3.</P><P>&nbsp;</P><P>app1 and app3 can arp 10.172.213.1, app2 can't&nbsp;</P><P>&nbsp;</P><P>these vm's are on the same host, and a few hours ago app2 could arp .1 (DGW).</P><P>&nbsp;</P><P>last time I fixed it by rebooting both PA.</P><P>&nbsp;</P><P>also I have tried (and it worked), but shutting down the Active state of each PA one by one and letting things fail over .. so shutdown pa1 wait then turn on pa1 and turn off pa2 and wait and then turn on pa2.</P><P>&nbsp;</P><P>How can I diagnose this problem ??</P><P>What am I missing ?</P><P>&nbsp;</P><P>&nbsp;</P> Thu, 11 May 2017 21:08:10 GMT https://live.paloaltonetworks.com/t5/general-topics/arp-issue-with-pa-active-active/m-p/156294#M51305 Alex_Samad 2017-05-11T21:08:10Z https://live.paloaltonetworks.com/t5/general-topics/arp-issue-with-pa-active-active/m-p/156389#M51332 <P>This is a pretty common issue in an Active/Active configuration and there are a lot of potential problems that you could be hitting; this type of thing is why Active/Active configuration is really not advised unless you are doing a large amount of async routing.&nbsp;</P> Fri, 12 May 2017 13:19:17 GMT https://live.paloaltonetworks.com/t5/general-topics/arp-issue-with-pa-active-active/m-p/156389#M51332 BPry 2017-05-12T13:19:17Z https://live.paloaltonetworks.com/t5/general-topics/arp-issue-with-pa-active-active/m-p/156497#M51384 <P>Hi</P><P>&nbsp;</P><P>Okay, I can accept Active/Active is complicated. &nbsp;What I can't accept it that it just broken. if it work for big environments then it should work for all environments.</P><P>&nbsp;</P><P>Because this is a trial, I want to investigate what the issue is.</P><P>&nbsp;</P><P>I have done packet captures on both pa's and I can see the arp request is being dropped by both PA's ??? &nbsp;thats very strange</P><P>&nbsp;</P><P>If this is a common issue, then maybe the PA's are not for me. this seems like a fairly standard easy setup. My Aristra switches can do vrrp across 2 nodes for a distributed DGW.</P><P>&nbsp;</P><P>&nbsp;When I disable one pa1 from the active active setup it all works fine..</P> Fri, 12 May 2017 23:06:55 GMT https://live.paloaltonetworks.com/t5/general-topics/arp-issue-with-pa-active-active/m-p/156497#M51384 Alex_Samad 2017-05-12T23:06:55Z https://live.paloaltonetworks.com/t5/general-topics/arp-issue-with-pa-active-active/m-p/157110#M51561 <P>Its an interaction between OSPF and active active.</P><P>&nbsp;</P><P>The primary PA inserts a /32 into the routing table so it is the only device that responds to pings but OSPF takes that and redistributes it to the other PA, once that OSPF route is in the table it stops responding to arp’s !!!!</P><P>&nbsp;</P><P>Solution I have to filter out all the VIP address from &nbsp;OSPF</P><P>&nbsp;</P><P>&nbsp;</P><P>Interesting ....</P> Thu, 18 May 2017 06:31:40 GMT https://live.paloaltonetworks.com/t5/general-topics/arp-issue-with-pa-active-active/m-p/157110#M51561 Alex_Samad 2017-05-18T06:31:40Z