1. Make sure you are using a use case that merits Active/Active. Usually this is two data centers very close together (HA3 = LOW LATENCY REQUIREMENTS). This also means two ISP egress points and therefore two different SNAT routable interfaces.
2. You have to have your dynamic routing set up in a way that allows you to have movable/dynamic SNAT routable interfaces (so each firewall can take over if one side goes down). You can also set this in a way that forces traffic to one firewall for egress. But then you might as well use Active/Passive.
3. If your firewalls are in the same facility, why are you using Active/Active? Just use Active/Passive. A lot of people believe there is a throughput gain from Active/Active and in "certain" scenarios there is. BUT, remember what happens if you lose a member. You have to push all that "theoretical" throughput through a single member. Build planning that one of you firewalls is down.
4. Active/Active is design to handle the asynchronous routing paradigm. If your firewalls have the same SNAT, I don't see how this applies.
Helo Jermey, All,
i was reading this forum as i was in some sort of same issue - we do have A-A Palo cluster as both firewalls sits in 2 different DCs and both having separate ISPs connected for internet. Also the NAT was all configured accordingly as well each device id bind to its respective configured ISP internet interface ip for traffic out. Also all our Firewall internal interfaces configured as HA floating ip and all our internal networks use respective floating ips of firewall as its gateway address. But course of time one ISP broken and stop using for a while, say 3- 4 years now. lol i know its been a long time to fix an isp issue but this is the history. since then node -2 where the broken isp connected was suspended. Now its immense pressure from top to put the node back to cluster as active for Full redundancy which is very reasonable request. So we connected the suspend node internet interface to the other live isp serving other node as well. Set up is like ISP connecting to layer-2 switch one one DC where we have a dedicated vlan and the internet interfaces of both firewalls are in same VLAN (we run a spanned VLAN between DCs, so it was an easy task for us to extend internet connection of firewall to other DC ISP by extending the dedicated VLAN). the firewalls internet interface have different public ips on same pool and no floating ip configured for them. Also we set up duplicate nat rules for incoming (we have many for different hosted applications using dedicated public ips in the /26 pool) and outgoing (only using interface ip of node-1 in both duplicate NAT rules) to bind to both device IDs. Once the secondary firewall back active everything works fine but after some weeks we noticed many of the hosted application performances affected and then we found "arp duplication error" on internet interface of firewalls and we immediately suspend node-2 again. This resolved the arp duplication issue immediately. But now we need to bring back node-2 to active-secondary again ASAP with a workable solution for internet traffic. So we think to make internet interfaces as well with a floating ip - bind to primary-node [please note all our LAN side interfaces already having floating ip with HA devices ID priority configured, not bind to primary node]. Will this solution going to work with out any issue? what so you think . i have spoken to couple of palo alto support engineers but they cant answer it correctly.
Please help at the earliest.
many thanks guys for reading this !
More more information to add for below
"So we think to make internet interfaces as well with a floating ip - bind to primary-node " and use NAT outgoing duplicate NAT rules bind to both devices using same floating ip. So we assume any outgoing internet traffic uses floating ip only to NAT out always in the Active-primary at any point of given time. but again will there be any issue for incoming nat traffics (many nat rules for different hosted applications) for hosted application since those are duplicated as well to bind to both device ids, but those are just virtual NAT ips only in the /26 pool and not configured for any floating ips or interface ips in the firewalls.
this sounds very similiar to my original setup and sometimes it worked and sometimes there were issues
Talking to a L3 and my se the office word from PA you need a different NAT pool on each device so NAT pool A on device A and NAT pool B on device B.
Not I spent 2-3 months working through issues about 2 years ago and again recently when i saw this post and thought about trying it again. But I'm back to A/P
what i have is a set of routers to terminate the BGP and create a public network that is streatched between DC in front of the PA so that I can talk to all ISP from either PA.
If you aren't advertising BGP to your ISP's with address space that you own, DON'T USE ACTIVE/ACTIVE FOR INTERNET TRAFFIC. It's really unclear what you are doing but it sounds like you are operating ACTIVE/ACTIVE like ACTIVE/PASSIVE. If this is the case, why not just run ACTIVE/PASSIVE? Or, if you really want to use both ISPs don't run HA at all. Run each locations firewall independently and advertise your default route at both. It sounds like you are making this more complicated than it needs to be.
Sorry not sure I gather the relevance.
I was running bgp and multiple upstreams and multipe DC. with streach vlans. Basically L3 support and SE state A/A NAT doesn't work with 1 shared ip address. not supported.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!
The Live Community thanks you for your participation!