Same Mac address shared by two paloalto firewalls


Hi,

I have seen strange behaviour between two Palo Alto firewalls.

I have a pair of PA-3020s and a pair of PA-500s in an active/standby scenario. They serve two different networks, but to provide interconnect between the two networks they (Eth 1/3) are connected to a Cisco Nexus switch via FEX (VLAN 129). Has anyone seen a case where two different models of the firewall connected via the same VLAN share the same MAC address?

admin@CFWL02(active)> show arp all
interface         ip address      hw address        port         status   ttl
--------------------------------------------------------------------------------
ethernet1/3.129   10.224.63.33    00:1b:17:00:01:12 ethernet1/3    c      1487

admin@MFWL02(active)> show arp all
interface         ip address      hw address        port         status   ttl
--------------------------------------------------------------------------------
ethernet1/3.129   10.224.63.36    00:1b:17:00:01:12 ethernet1/3    c      1627

L2S01# sh mac address-table vl 129
Legend:
        * - primary entry, G - Gateway MAC, (R) - Routed MAC, O - Overlay MAC
        age - seconds since last seen,+ - primary entry using vPC Peer-Link
   VLAN     MAC Address      Type      age     Secure NTFY   Ports/SWID.SSID.LID
---------+-----------------+--------+---------+------+----+------------------
+ 129      001b.1700.0112    dynamic   0          F    F  Po1000

L2S01# sh mac address-table vl 129
Legend:
        * - primary entry, G - Gateway MAC, (R) - Routed MAC, O - Overlay MAC
        age - seconds since last seen,+ - primary entry using vPC Peer-Link
   VLAN     MAC Address      Type      age     Secure NTFY   Ports/SWID.SSID.LID
---------+-----------------+--------+---------+------+----+------------------
* 129      001b.1700.0112    dynamic   10         F    F  Eth122/1/47

I will appreciate your help if you advise me.

Thanks

RT


Accepted Solutions
L7 Applicator

Re: Same Mac address shared by two paloalto firewalls

In this case, you have set Group-ID =1 for both HA pairs.

00:1b:17:00:01:12    ethernet1/3 



All Replies
L7 Applicator

Re: Same Mac address shared by two paloalto firewalls

Hello good morning,

As you mentioned before, both pairs are part of high availability. Could you please confirm whether the HA "group ID" is also the same in both HA environments? If the "group-ID" is the same for both pairs, then there is a possibility to have an identical virtual MAC.

How to Calculate a Virtual MAC Address

It is recommended to have a different "group-ID" for each HA pair inside the same network, in order to avoid packet loss.

Hope this helps.

Thanks
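
An added example, not part of the original thread: a Python check that decodes an HA virtual MAC and flags one that answers for more than one IP on the same VLAN. It assumes the PAN-OS active/passive virtual MAC layout 00:1b:17:00:<group-id>:<interface-id>; the function names are hypothetical, and the sample rows are the two ARP lines quoted in the question.

```python
import re
from collections import defaultdict

PAN_OUI = "00:1b:17"  # vendor prefix of the MAC shown in the thread

# Constructed sample: the two "show arp all" rows from the question, keyed by firewall.
ARP_OUTPUT = {
    "CFWL02": "ethernet1/3.129   10.224.63.33    00:1b:17:00:01:12 ethernet1/3    c      1487",
    "MFWL02": "ethernet1/3.129   10.224.63.36    00:1b:17:00:01:12 ethernet1/3    c      1627",
}
ROW = re.compile(r"^(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+((?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s", re.I)

def decode_virtual_mac(mac):
    """Return (group_id, interface_id) for an HA virtual MAC, else None.
    Assumed layout: 00:1b:17:00:<group-id>:<interface-id>."""
    octets = mac.lower().split(":")
    if ":".join(octets[:3]) != PAN_OUI or octets[3] != "00":
        return None
    return int(octets[4], 16), int(octets[5], 16)

def parse_arp(outputs):
    """Extract (firewall, vlan, ip, mac) from 'show arp all' text; headers are skipped."""
    entries = []
    for fw, text in outputs.items():
        for line in text.splitlines():
            m = ROW.match(line.strip())
            if m:
                iface, ip, mac = m.groups()
                vlan = iface.split(".")[-1]  # subinterface tag, e.g. "129"
                entries.append({"seen_by": fw, "vlan": vlan, "ip": ip, "mac": mac.lower()})
    return entries

def find_collisions(entries):
    """Virtual MACs that resolve to more than one IP inside one VLAN."""
    ips_by_key = defaultdict(set)
    for e in entries:
        if decode_virtual_mac(e["mac"]):
            ips_by_key[(e["vlan"], e["mac"])].add(e["ip"])
    return [
        {"vlan": vlan, "mac": mac, "ips": sorted(ips),
         "group_id": decode_virtual_mac(mac)[0]}
        for (vlan, mac), ips in ips_by_key.items() if len(ips) > 1
    ]

if __name__ == "__main__":
    for c in find_collisions(parse_arp(ARP_OUTPUT)):
        print(f"VLAN {c['vlan']}: {c['mac']} answers for {c['ips']}; "
              f"HA group-id {c['group_id']} is used by more than one pair")
```
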



Re: Same Mac address shared by two paloalto firewalls

Spot on !!!! Thanks for your help.
