topic Re: HA Active Active Asynchronous Routing Issue in General Topics

HA Active Active Asynchronous Routing Issue

david13holt — Sat, 10 Jun 2017 07:10:58 GMT

Have two PA vm 1000hv setup in active active HA. They see each other on HA 1,2, and 3 link and synching configs (not vr configs). We have an asynchronous routing scenario that is temporary for now, but need it to work. However, the FWs appear to be dropping traffic. I haven't looked at the counters to indicate dropped asynchronous traffic yet, but it's obvious that it's happening as when we stop the loop on routing, we can hit hosts. Anyway, I was wondering if there were known issues with Active Active HA with this type of behavior? Thanks

Re: HA Active Active Asynchronous Routing Issue

pulukas — Sat, 10 Jun 2017 11:03:16 GMT

With A/A you can have assymetrical flows. But they do need to maintain the zone relationship that match the session for the flow. So make sure the policy that permits the traffic has the zone to zone setup needed for the communication across the two devices.

Easiest way to troubleshoot this kind of flow is to do the trace route from both devices and then map the interfaces hit by the packets in the flow on the two PA devices. Then lookup the zone assignments and confirm the policy is in place in the correct direction by initiator of the traffic.

Re: HA Active Active Asynchronous Routing Issue

david13holt — Sun, 11 Jun 2017 02:05:44 GMT

Thanks for the response.

We have all interfaces in the same zone and have a policy to permit any any (testing right now). I did move interfaces around in different zones, making sure both FW's matched. We still had the same results.

Doing a show counters global, I didn't see any hits on the stat: flow_tcp_non_syn_drop. Reading up, and appears that would be an indication of the FWs dropping traffic due to asynchronous routing. However, I did notice these two stats get hit constantly (only traffic going through these guys is protocol traffic (BGP) and pings:

flow_rcv_dot1q_tag_err
flow_no_interface

Been playing aroudnd with subinterfaces and what not, and still no go. Everything works as is, but when I introduce asynchronous routing, routes to an opposing side break.

Re: HA Active Active Asynchronous Routing Issue

pulukas — Sun, 11 Jun 2017 23:21:03 GMT

Are you certain that both directions of the flow cross the A/A firewall pair?

Based on your description, there should be no asymmetrical flow drops on the firewall. Unless there is a path that can bypass BOTH firewalls in the commuications flow in question.