topic Re: Active/Passive vs. Active/Active in General Topics

Active/Passive vs. Active/Active

JayBlanchard — Tue, 24 Nov 2015 22:37:07 GMT

I am currently working on a network redesign project with all Cisco gear. Our network engineer is opting for a complete HSRP Active/Active environment. According to all deployment documentation, HA Active/Passive seems to be the preferred methed for the Palo Alto's. I see that the PA's do support A/A HA using VRRP, so I do not see a configuration issue. Can someone provide the pro's and con's of deploying the PA's in an A/P vs. A/A environment? Are there any performance implications? Are there any issues when using the PA's in an A/A configuration for VPN termination, etc...?

Re: Active/Passive vs. Active/Active

jvalentine — Tue, 24 Nov 2015 23:23:31 GMT

Unless you have asymmetric routes (where traffic leaves one firewall and the only way back is through a different firewall), then you should use Active/Passive HA. Active/Active was designed for networks with asymmetric routing. For all other cases, use Active/Passive.

Re: Active/Passive vs. Active/Active

pulukas — Tue, 24 Nov 2015 23:45:00 GMT

PAN does strongly prefer active/passive. But asymmetrical routing is not the only case where active/active is required.

Active/active is required is if your infratructure requires communication be permitted between devices connected to the secondary firewall at all times. With PAN Active/Passive the secondary (passive) node has interfaces connected, link is up but no traffic will pass until the device becomes active.

This is great for preventing layer 2 loops when the active and passive device are simply an alternate path for the same traffic.

But if you network design is fully active/active and therefore there is traffic such as bgp, vrrp, or other protocols that need to communicate on secondary links at all times, you must have the PAN cluster setup as active/active.

And if the network design is fully active/active where the traffic load is distributed across both paths, then active/active is also required.

Re: Active/Passive vs. Active/Active

jvalentine — Wed, 25 Nov 2015 00:20:22 GMT

Here's a link to the high-availability section of the PAN-OS documentation:

- https://www.paloaltonetworks.com/documentation/70/pan-os/pan-os/high-availability/ha-concepts.html#17894

From there you can read Palo Alto Networks' recommendations, along with links to design guides and tech notes relating to both methods of high availability.

Re: Active/Passive vs. Active/Active

stevenjwilliams83 — Tue, 19 Mar 2019 18:18:12 GMT

I am thinking of running active/active on a pair of 5250's in the network core due to the fact that southbound is a pair of core switches that are running alternating HSRP groups or even GLBP. If both firewalls are active then I can leverage ECMP from Core Switches to Core Firewalls. Anyone running Palo Altos in the core active/active?

Re: Active/Passive vs. Active/Active

MP18 — Wed, 20 Mar 2019 00:24:33 GMT

yes we are alto running active active in vwire mode.

Re: Active/Passive vs. Active/Active

jeremy.larsen — Fri, 22 Mar 2019 19:40:10 GMT

I have ran them active/active at the core. I scratched all Layer2 trickery (HSRP,VRRP,etc) and just incorporated them into my OSPF area. You have to think of them as 2 routers that just happen to shared a session table. You can then inject default 0.0.0.0/0 routes from both. It doesn't matter which default route is preferred in your route tables (and yes, ECMP works awesome). If PANa is the session owner but PANb receives the packet, it will forward the packet over to the session owner (HA3/HSCI). There is only one catch in this scenario. If one of the PANs fail, the failover is instantaneous. Problems can arrive when the failed member rejoins. If the OSPF/BGP,etc protocol come up before the firewalls are completely synced, you will get some drops. To fix this, you can manually or script the ports connected to the PANs to turn on only after a full sync has occurred. (This last part in thanks to my Panorama instructor)

Re: Active/Passive vs. Active/Active

stevenjwilliams83 — Mon, 25 Mar 2019 13:16:02 GMT

Were you using them as your core routing point for all your vlans? Or were you running a core pair of switches southbound and terminating SVIs there?

Re: Active/Passive vs. Active/Active

jeremy.larsen — Mon, 25 Mar 2019 16:17:29 GMT

I've done both. My preference is to run OSPF (or choose your dynamic routing protocol) to switches that support sub-interfaces (ie - most Junipers) thus severing any Layer 2 / bridge loop goofiness and shrinking your broadcast/failure domains. These sub-interfaces are then segmented by VRF/vRouter/(choose your terminology) which are then assigned to security zones on the PAN. Then, interVRF matches interZone and intraVRF matches intraZone. Anything traversing between VRFs must hit the PAN and be processed (ie - VRF Segmentation)

Re: Active/Passive vs. Active/Active

stevenjwilliams83 — Tue, 26 Mar 2019 15:16:31 GMT

Where are you running you vlan gateways?

Re: Active/Passive vs. Active/Active

jeremy.larsen — Tue, 26 Mar 2019 15:28:21 GMT

Gateways are pushed down by OSPF. You would most likely be pushing the local VLAN GW with DHCP. OSPF would take care of it from there. Does that make sense?

Re: Active/Passive vs. Active/Active

stevenjwilliams83 — Tue, 26 Mar 2019 15:39:49 GMT

So your SVIs run on layer 3 interfaces/sub-interfaces on the Palos. I would be running mine on a pair of Cat9ks one layer southbound.

Re: Active/Passive vs. Active/Active

jeremy.larsen — Tue, 26 Mar 2019 16:50:51 GMT

You can either span the vlan all the way through to the PAN subinterfaces or route between the PAN & the 9Ks. I prefer routing between the two and like I mentioned before, breaking up my security zones using VRF and redistributing your default gateway(s) with a dynamic routing protocol. You can do VRF on the 9Ks all day long.

Re: Active/Passive vs. Active/Active

stevenjwilliams83 — Tue, 26 Mar 2019 16:55:13 GMT

So what are you doing to redistribute routes and default routes into vrfs and global route tables?

Re: Active/Passive vs. Active/Active

jeremy.larsen — Tue, 26 Mar 2019 16:58:56 GMT

That depends on your design and preferences. You can create a 0.0.0.0/0 static route on the PAN and redistribute from there. If you are running internet facing routers, you can redistribute from there back into the PAN. Or, you can have your ISP redistribute the default into your internet facing routers and back down through. It's really up to you.

Re: Active/Passive vs. Active/Active

stevenjwilliams83 — Tue, 26 Mar 2019 18:53:04 GMT

I think focusing on the Core Switch Layer (nexus/cat9k) that has multiple VRFs that egress Layer 3 routed ports on the Core to the Core Palo FW. In order for the Palo to come back down to a different VRF the Palo needs to know about thise VRF networks in the global route table. So right now im just using static to do this but BGP could help route leak and make it easier and cleaner. Now are you saying you have ONE vRouter per vrf and then vrouters can talk to each other?

Re: Active/Passive vs. Active/Active

jeremy.larsen — Tue, 26 Mar 2019 19:19:19 GMT

Nah. I would give the PAN a single vRouter. That's your VRF convergence point. No leaking necessary.

Re: Active/Passive vs. Active/Active

stevenjwilliams83 — Tue, 26 Mar 2019 19:20:53 GMT

Yes but then you need to get all your Routing layer subnets per vrf back into the global route table so the palo can route back down to a different vrf

Re: Active/Passive vs. Active/Active

jeremy.larsen — Tue, 26 Mar 2019 21:26:37 GMT

Maybe I'm misunderstanding what you mean by "global route table". For example: Let's say you have a single PAN vRouter and all of it's attached interfaces (ie - VRFs on the 9K) all in an OSPF area 0. Then each VRF will have routes for every other VRF. But, they must be allowed through by your FW rules in the PAN. Perhaps I'm missing a piece of this equation?

Re: Active/Passive vs. Active/Active

Stevenjwilliams83 — Tue, 23 Jul 2019 12:41:45 GMT

So I have this setup and it appears to be "working" but I seem to be having some issues with ECMP and sessions. When I run a packet capture I am seeing tcp out of order messages.

My core 9500s (not stacked or using VSS) are dual connected to each Palo Alto in active/active. I have HA session owner to first packet and session setup to first packet as well.

I am seeing lots of "unknowns" "n/a" "aged-out" in my traffic logs. The core 9500s are running /30 layer 3 links to each palo. OSPF is used to advertise loopbacks into the route table and the 9500s and palos are using iBGP for the main routing protocol. I am seeing multiple-paths from the core 9500s and the palos. The 9500s are running HSRP. So OSPF is doing ecmp to loopbacks from 9500s to palos, palos doing ecmp to each 9500.

What should my ecmp settings be? Should my ha session options be different than they are?