PAN in Layer 2 mode and Microsoft NLB



L2 Linker

Hi!

Customer configured the Palo firewall to work in Layer 2 mode to protect a VLAN. In that VLAN there are two servers in an MS NLB configuration. In the VLAN configuration on the Palo, a static MAC entry is configured for the virtual MAC address, but that entry isn't displayed by the show mac command. See attached picture and listing:

mkopcic@PA-4020> show mac Bridge_4-440 | match 02:bf:0a:0b:08:f8

mkopcic@PA-4020>

The application (HTTP portal) works if the real IP addresses are used, but if the virtual IP address is used, the application is unreachable. Ping to the virtual IP address is working. On the Palo I captured dropped packets and saw that the Palo is dropping traffic to the NLB virtual address. See attached file.

Does anyone have an idea why the Palo is dropping traffic?

Best regards,

Maja


L2 Linker

Traffic blocked on the Palo looks like this:

Source IPx, MACx  ->   Dest: IP virtual, MAC virtual     SYN

Source: IP virtual, MAC real  ->   Dest: IPx, MACx      SYN ACK

Does the Palo drop the session because it is getting the response from a different MAC address?

And why does NLB work OK in virtual-wire configurations???

Thank you and regards,

Maja
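The pattern Maja describes (SYN sent to the virtual MAC, SYN-ACK returned from a real adapter MAC, and a virtual MAC that never shows up in the bridge's learned table) is easy to check for in a capture before opening a case. The following script is an added example, not code from the thread or from Palo Alto Networks: it takes decoded frames as plain dictionaries (the sample frames are constructed, modelled on the two-line exchange above; the virtual MAC 02:bf:0a:0b:08:f8 is the one from the thread, and the IP addresses and real MACs are made up), flags replies whose source MAC differs from the MAC the forward SYN was addressed to, and shows why a learning bridge never records the virtual MAC: it only ever appears as a destination, never as a frame source.

```python
from collections import defaultdict

# Static entry from the thread; all other addresses below are constructed.
NLB_VIRTUAL_MAC = "02:bf:0a:0b:08:f8"

# Constructed sample frames, modelled on the exchange quoted in the thread:
# client -> virtual IP/MAC (SYN), then SYN-ACK back from a real adapter MAC.
# A second, healthy flow to a real server IP is included for contrast.
SAMPLE_FRAMES = [
    {"src_mac": "00:11:22:33:44:55", "dst_mac": NLB_VIRTUAL_MAC,
     "src_ip": "10.11.8.50", "dst_ip": "10.11.8.248", "flags": "S"},
    {"src_mac": "00:50:56:aa:bb:01", "dst_mac": "00:11:22:33:44:55",
     "src_ip": "10.11.8.248", "dst_ip": "10.11.8.50", "flags": "SA"},
    {"src_mac": "00:11:22:33:44:55", "dst_mac": "00:50:56:aa:bb:01",
     "src_ip": "10.11.8.50", "dst_ip": "10.11.8.10", "flags": "S"},
    {"src_mac": "00:50:56:aa:bb:01", "dst_mac": "00:11:22:33:44:55",
     "src_ip": "10.11.8.10", "dst_ip": "10.11.8.50", "flags": "SA"},
]


def _norm(mac):
    """Normalise MAC text so 02:BF:... and 02:bf:... compare equal."""
    return mac.strip().lower()


def learned_mac_table(frames):
    """Emulate a learning bridge: it learns only the SOURCE MAC of frames it
    forwards. A MAC that is only ever a destination is never learned, which is
    what 'show mac | match <virtual mac>' returning nothing looks like."""
    table = defaultdict(int)
    for f in frames:
        table[_norm(f["src_mac"])] += 1
    return dict(table)


def find_mac_asymmetry(frames):
    """Return a list of (client_ip, server_ip, mac_syn_was_sent_to, mac_synack_came_from)
    for every SYN-ACK whose source MAC differs from the MAC the matching SYN
    was addressed to. An L2 firewall that tracks the session by MAC pair can
    treat such a reply as not belonging to the session and drop it."""
    forward_dst_mac = {}
    for f in frames:
        if f["flags"] == "S":
            forward_dst_mac[(f["src_ip"], f["dst_ip"])] = _norm(f["dst_mac"])

    findings = []
    for f in frames:
        if f["flags"] != "SA":
            continue
        key = (f["dst_ip"], f["src_ip"])  # flip back to client/server order
        expected = forward_dst_mac.get(key)
        if expected is None:
            continue  # reply without a captured SYN; nothing to compare
        seen = _norm(f["src_mac"])
        if expected != seen:
            findings.append((key[0], key[1], expected, seen))
    return findings


def mac_never_learned(frames, mac):
    """True when the bridge would have no table entry for `mac`."""
    return _norm(mac) not in learned_mac_table(frames)


if __name__ == "__main__":
    for client, server, expected, seen in find_mac_asymmetry(SAMPLE_FRAMES):
        print(f"{client} -> {server}: SYN sent to {expected}, SYN-ACK came from {seen}")
    print("virtual MAC never learned:", mac_never_learned(SAMPLE_FRAMES, NLB_VIRTUAL_MAC))
```

Only the flow to the virtual IP is reported; the flow to the real server IP is symmetric and passes silently. Feeding real captures through this means decoding them first (for example with a pcap library) into the same four address fields plus TCP flags; the comparison logic itself does not change.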

Maja, I recommend opening a case with Support for further analysis of your issue.

L6 Presenter

Does anyone have a solution for that?

We don't use our Palo Altos in L2 mode; but in L3 mode we need to place a static ARP entry mapping the NLB IP address through to the NLB MAC address on the firewalls.

This obviously isn't going to apply to an L2 firewall, but do you have a static ARP entry defined on whichever L3 router/devices are on the same subnet as the NLB address and communicating with it?
