https://live.paloaltonetworks.com/t5/general-topics/active-active-ha-with-layer3-sub-interfaces/m-p/323082#M82568 <P>Thanks Reaper - I managed to fix my issue, it was related to the fact that the interface names were different; I got caught up on the interface name having a .VLANID (e.g. eth1/1.800), I can probably blame Cisco for that <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P>&nbsp;</P><P>After matching the interface names (and modifying VLAN tags accordingly), all works well.</P><P>&nbsp;</P><P>Cheers</P> Thu, 16 Apr 2020 07:40:24 GMT ikunduraci 2020-04-16T07:40:24Z https://live.paloaltonetworks.com/t5/general-topics/active-active-ha-with-layer3-sub-interfaces/m-p/322054#M82404 <P>Hi all,</P><P>&nbsp;</P><P>Is active/active mode supported with Layer3 sub-interfaces? I'm trying this in a lab with 2 VM-50's, and whilst the cluster is formed, I seem to have intermittent packet loss; not sure if this is just a limitation of the VM series (in particular, VM-50) or the fact that they are not true layer-3 interfaces? The customer has a pair of 5220's for a greenfield deployment, but we are planning on using layer3 sub-interfaces.</P><P>&nbsp;</P><P>Both firewalls obviously have the same interface config (VLAN ID, tag etc;) albeit 1 node has IP's configured for VLAN 800-805, whilst the second node has IP's configured for VLAN 806-810. VR is not sync'd between the firewalls and each firewall has individual BGP peerings to the upstream and downstream router.</P><P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="ikunduraci_0-1586485565049.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/25038i3DD932619AE27982/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="ikunduraci_0-1586485565049.png" alt="ikunduraci_0-1586485565049.png" /></span></P><P>The vSwitch with HA3 interface has MTU 9000. Session owner and session setup is set for first-packet.</P><P>&nbsp;</P><P>We require active/active due to asymmetric paths; the routers see ECMP paths through each firewall so depending on the hash, we can't guarantee return traffic through the same firewall node.</P> Fri, 10 Apr 2020 02:26:21 GMT https://live.paloaltonetworks.com/t5/general-topics/active-active-ha-with-layer3-sub-interfaces/m-p/322054#M82404 ikunduraci 2020-04-10T02:26:21Z https://live.paloaltonetworks.com/t5/general-topics/active-active-ha-with-layer3-sub-interfaces/m-p/322807#M82529 <P>Yes this is supported</P><P>&nbsp;</P><P>Have you found any indication why and where packet loss occurs? Not sure if a VM environment is the best place for AA</P> Wed, 15 Apr 2020 05:35:49 GMT https://live.paloaltonetworks.com/t5/general-topics/active-active-ha-with-layer3-sub-interfaces/m-p/322807#M82529 reaper 2020-04-15T05:35:49Z https://live.paloaltonetworks.com/t5/general-topics/active-active-ha-with-layer3-sub-interfaces/m-p/323082#M82568 <P>Thanks Reaper - I managed to fix my issue, it was related to the fact that the interface names were different; I got caught up on the interface name having a .VLANID (e.g. eth1/1.800), I can probably blame Cisco for that <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P>&nbsp;</P><P>After matching the interface names (and modifying VLAN tags accordingly), all works well.</P><P>&nbsp;</P><P>Cheers</P> Thu, 16 Apr 2020 07:40:24 GMT https://live.paloaltonetworks.com/t5/general-topics/active-active-ha-with-layer3-sub-interfaces/m-p/323082#M82568 ikunduraci 2020-04-16T07:40:24Z