<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Degraded services after introducing Vwire + link aggregation deployment in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/degraded-services-after-introducing-vwire-link-aggregation/m-p/358677#M87911</link>
    <description>&lt;P&gt;So, if your original [internet switches (VSS pair)] &amp;lt;&amp;gt; [Cisco ASR] link is LACP, then when you introduce a Palo firewall you do not have to build AE-based v-wire. Just create several "single-legged" v-wires. In such configuration Palo will pass-through LACP control frames and thus the new firewall will be completely transparent to the internet switches and the ASR, and thus you won't have to change anything on them.&lt;BR /&gt;&lt;BR /&gt;&lt;A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClHTCA0" target="_blank"&gt;https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClHTCA0&lt;/A&gt;&amp;nbsp;&lt;BR /&gt;&lt;BR /&gt;You also need to make sure you specify tags of all VLANs that you want to allow on that link. By default you have only 0 that means only untagged traffic (all tagged frames will be dropped).&lt;/P&gt;</description>
    <pubDate>Mon, 26 Oct 2020 01:10:51 GMT</pubDate>
    <dc:creator>Nikolay-Matveev</dc:creator>
    <dc:date>2020-10-26T01:10:51Z</dc:date>
    <item>
      <title>Degraded services after introducing Vwire + link aggregation deployment</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/degraded-services-after-introducing-vwire-link-aggregation/m-p/358628#M87904</link>
      <description>&lt;P&gt;New guy, trying to deploy a new Palo Alto 3260 to my internet edge for extra protection -&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;When I bring my Palo Alto 3260 inline at my internet edge, I start to experience severe packet loss almost immediately. It affects VDI View sessions and our Cisco Anyconnect solution, that live behind the Palo Alto firewall. I'm using this PA FW, temporarily, as a means to introduce DoS protection and GEO/country blocking. However, even before I could get to building and enabling those security profiles, the PA is degrading my hosted services. I built two aggregate interfaces, ae1 = outside and ae2 = inside. I added three copper connections to each, and then applied vwire to it. I built my zones, and added the aggregate interfaces to the appropriate zone.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;As a pretest - I set up a small network and routed it through the connecting devices that sit on each side of the PA as a test, and that worked great after moving away from LACP on the connected devices and went with standard etherchannel. However, when I swing multiple networks through the PA (multiple VLANs) I start seeing heavy packet loss and dropping 2 out of 3 packets in ping tests.&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Initially, I was seeing drops in the logs from the "Intrazone" pre-built security policy, but once I changed the action on that rule to "PERMIT", I was no longer seeing drops in my logs on any security feature. I'm not confident that this was the right thing to do, but it seemed to cease the drop logs. 
This rule seemed to appear after applying the day1configuration file.&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Here is the topology:&amp;nbsp;&lt;/P&gt;&lt;P&gt;ISP -- &amp;gt; internet switches (VSS pair) --&amp;gt; PA 3260 --&amp;gt; Cisco ASR ---&amp;gt; DMZ switches --&amp;gt; ASA firewall ---&amp;gt;services&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;When I only route a single network through the PA, I can send 1k+ packets between the internet switches and ASR without any loss.&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Any thoughts/feedback on where I should be looking???&lt;/P&gt;&lt;P&gt;Thanks in advance!&lt;/P&gt;</description>
      <pubDate>Sat, 24 Oct 2020 19:28:31 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/degraded-services-after-introducing-vwire-link-aggregation/m-p/358628#M87904</guid>
      <dc:creator>stephens112</dc:creator>
      <dc:date>2020-10-24T19:28:31Z</dc:date>
    </item>
    <item>
      <title>Re: Degraded services after introducing Vwire + link aggregation deployment</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/degraded-services-after-introducing-vwire-link-aggregation/m-p/358677#M87911</link>
      <description>&lt;P&gt;So, if your original [internet switches (VSS pair)] &amp;lt;&amp;gt; [Cisco ASR] link is LACP, then when you introduce a Palo firewall you do not have to build AE-based v-wire. Just create several "single-legged" v-wires. In such configuration Palo will pass-through LACP control frames and thus the new firewall will be completely transparent to the internet switches and the ASR, and thus you won't have to change anything on them.&lt;BR /&gt;&lt;BR /&gt;&lt;A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClHTCA0" target="_blank"&gt;https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClHTCA0&lt;/A&gt;&amp;nbsp;&lt;BR /&gt;&lt;BR /&gt;You also need to make sure you specify tags of all VLANs that you want to allow on that link. By default you have only 0 that means only untagged traffic (all tagged frames will be dropped).&lt;/P&gt;</description>
      <pubDate>Mon, 26 Oct 2020 01:10:51 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/degraded-services-after-introducing-vwire-link-aggregation/m-p/358677#M87911</guid>
      <dc:creator>Nikolay-Matveev</dc:creator>
      <dc:date>2020-10-26T01:10:51Z</dc:date>
    </item>
    <item>
      <title>Re: Degraded services after introducing Vwire + link aggregation deployment</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/degraded-services-after-introducing-vwire-link-aggregation/m-p/359915#M88029</link>
      <description>&lt;P&gt;Thank you Nikolay!&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;I will certainly give that a try and let you know how it goes.&amp;nbsp;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Thanks!&lt;/P&gt;</description>
      <pubDate>Fri, 30 Oct 2020 14:52:12 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/degraded-services-after-introducing-vwire-link-aggregation/m-p/359915#M88029</guid>
      <dc:creator>stephens112</dc:creator>
      <dc:date>2020-10-30T14:52:12Z</dc:date>
    </item>
    <item>
      <title>Re: Degraded services after introducing Vwire + link aggregation deployment</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/degraded-services-after-introducing-vwire-link-aggregation/m-p/359916#M88030</link>
      <description>&lt;P&gt;Yes, please - post the outcome here. vwire deployments are always good fun&lt;/P&gt;</description>
      <pubDate>Fri, 30 Oct 2020 15:08:48 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/degraded-services-after-introducing-vwire-link-aggregation/m-p/359916#M88030</guid>
      <dc:creator>Nikolay-Matveev</dc:creator>
      <dc:date>2020-10-30T15:08:48Z</dc:date>
    </item>
  </channel>
</rss>

