topic Re: HA for interface pair as a DHCP client in General Topics

HA for interface pair as a DHCP client

aarato — Sat, 17 Nov 2018 22:59:13 GMT

I have a pair of VM-50 as an HA pair. When the primary firewall fails the IP is moved to the new active node but the MAC address changes and the ISP cable modem most likely does not accept this. The only resolution is to release and renew the DHCP address which is obvisouly not a workable solution for an automatic failover.

Any ideas?

Re: HA for interface pair as a DHCP client

Raido_Rattameister — Sat, 17 Nov 2018 23:18:58 GMT

When you add firewalls to HA then mac address is generated based on group id in HA settings.

So both IP and mac are moved over between firewalls in HA.

Re: HA for interface pair as a DHCP client

aarato — Sun, 18 Nov 2018 04:21:23 GMT

Thanks for the response. The Mac Address is not migrating over when there is a failover. See below. This is in an ESXi environment.

Name: ethernet1/1, ID: 16
Link status:
Runtime link speed/duplex/state: 10000/full/up
Configured link speed/duplex/state: auto/auto/auto
MAC address:
Port MAC address 00:0c:29:34:b8:61 <<<<<<<<< Before failover
Operation mode: layer3
Untagged sub-interface support: no
--------------------------------------------------------------------------------
Name: ethernet1/1, ID: 16
Operation mode: layer3
Virtual router DEFVRF
Interface MTU 1500
Interface IP address (dynamic): XX.YY.175.22/32

admin@PA1(active)> request high-availability state suspend

Successfully changed HA state to suspended
admin@PA1(suspended)>

admin@PA1(suspended)> show interface ethernet1/1

--------------------------------------------------------------------------------
Name: ethernet1/1, ID: 16
Link status:
Runtime link speed/duplex/state: unknown/unknown/down
Configured link speed/duplex/state: auto/auto/auto
MAC address:
Port MAC address 00:0c:29:34:b8:61
Operation mode: layer3
Untagged sub-interface support: no
--------------------------------------------------------------------------------
Name: ethernet1/1, ID: 16
Operation mode: layer3
Virtual router DEFVRF
Interface MTU 1500
Interface IP address (dynamic): XX.YY.175.22/32 <<<<<<<<< After failover
Interface management profile: PING
ping: yes telnet: no ssh: no http: no https: no
snmp: no response-pages: no userid-service: no
Service configured:
Zone: Untrust, virtual system: vsys1
Adjust TCP MSS: no
Policing: no
admin@PA1(suspended)> request high-availability state functional

Successfully changed HA state to functional
admin@PA1(initial)>

Here is the other vm which become ative with its own vmware MAC

admin@PA-VM(active)> show interface ethernet1/1

--------------------------------------------------------------------------------
Name: ethernet1/1, ID: 16
Link status:
Runtime link speed/duplex/state: unknown/unknown/down
Configured link speed/duplex/state: auto/auto/auto
MAC address:
Port MAC address 00:50:56:92:19:11 <<<<<<< OTHER SIDE MAC
Operation mode: layer3
Untagged sub-interface support: no
--------------------------------------------------------------------------------
Name: ethernet1/1, ID: 16
Operation mode: layer3
Virtual router DEFVRF
Interface MTU 1500
Interface IP address (dynamic): XX.YY.175.22/32 <<<<<<< OTHER side Has the same IP
Interface management profile: PING
ping: yes telnet: no ssh: no http: no https: no
snmp: no response-pages: no userid-service: no
Service configured:
Zone: Untrust, virtual system: vsys1
Adjust TCP MSS: no
Policing: no
admin@PA-VM(active)>

Re: HA for interface pair as a DHCP client

Raido_Rattameister — Sun, 18 Nov 2018 05:05:40 GMT

One option would be to disable "Use Hypervisor Assigned MAC Address".

After that try if you can manually assign same HA generated mac address that floats then between firewalls to both virtual machine nic cards in VMware or other option is to turn WAN virtual switch into promiscuos mode.

Issue with promiscuos mode is that switch starts acting as hub and every vnic connected to that virtual switch will receive every single packet.

Would not be an problem if you only have ISP and 2 Palo WAN interfaces there.

https://www.paloaltonetworks.com/documentation/80/virtualization/virtualization/about-the-vm-series-firewall/hypervisor-assigned-mac-addresses