Connection of Palo-Alter HA A/P pair to pair of non stackable switch/router

VMAntonenko · ‎09-10-2020

Hello,
We faced a problem with reliable connection of Palo-Alto firewall HA A/P pair to not stackable pair of switches/routers (i.e. Cisco 6500, Huawei NE40E ) with static routing and FHRP.

To make this connection we used one VLAN-interface + 2 L2 interfaces on the side of Palo-Alto HA A/P cluster, and SVI + HSRP(VRRP) + L2 interfaces on the switch-pair side. Physical topology is full-mesh (each firewall connected to each switch)
In normal situation two switches and firewall formed a L2-triangle, and secondary root switch blocked interface faced to firewall.

Connection worked fine, until we reboot one switch (STP primary root).
After rebooting switch, services was not interrtupted yet. Earlier mentioned port on secondary root switch transited to forwarding state, firewall learnt mac-addresses via one remaining L2-interface (i.e. Eth2), at this step network still works fine.
After STP primary root switch loaded, it became the STP-root again, L2 triangle formed, and porton the secondary root switch faced to Eth2 transited to blocked state, but firewall did not knew this and continued to forward packets via Eth2 interface by MAC-entries learnt while first switch was down. This situation caused service interruption that was addressed by manual clearing arp-table on firewall, after that firewall learned new entries via interface faced to STP primary root switch.

Is there any validated configuration example to achive reliable connection in this environment.

Some vendors has "Redundant Interface" functionality to achieve this, but we can't find any similar solutions on Palo-Alto firewalls.

We use VRRP and static routing to keep configuration simple.

Abdul-Fattah · ‎09-10-2020

@VMAntonenko it would help if you put a draw of your current network design.

VMAntonenko · ‎09-10-2020

Hi, thank for comment.

At first did not noticed image attachement function.

In case of shut C6506-2, traffic from PA forwarded to Eth1/5.421, but after switch recover traffic still forwarded to Eth1/5.421 even if Gi6/44 of C6506-1 is already in Alternate/Blocking state.

So we have to clear ARP-entries on PA or wait for ARP entry aging.

Possible solution is connection on firewall to only one switch and configure "link monitor", but i think such minor issue like phisical link failure should not lead to HA Cluster failover, especially in case of high-loaded business sensitive application.

In general, failover on Palo-Alto works fine, but i.e. on PA-5060 with hundreds on thousands of TCP connections, some of which is long-term. During failover some connections is missing, and in my experience in our company failover event often noticed by related departments.

Abdul-Fattah · ‎09-10-2020

Hi,

another solution can be, Clustering the two Cisco Switches and configure both links on both switches and each Firewall as LAG.

VMAntonenko · ‎09-10-2020

Yes, i always doing LAGs in such cases, but sometimes we have to deal with devices without M-LAG functionality.
Like existing C6506 pair, no way that we ever cluster them via VSS, or it may be Huawei Net Engine Routers.
I can not believe that PA firewalls was never connected to non-stacked switches, so i asked community

Abdul-Fattah · ‎09-10-2020

actually i thought ive deleted this comment after passing through your question title again.

Good luck.

Connection of Palo-Alter HA A/P pair to pair of non stackable switch/router

Connection of Palo-Alter HA A/P pair to pair of non stackable switch/router

Show your appreciation!