A/A Cluster Routing problem


L1 Bithead

Hi,

I have an A/A cluster setup where firewall 0 is primary and most of the traffic goes that way. We use OSPF for routing over the VPN tunnels, and some tunnels are configured with a better metric over the secondary firewall. We want to do some load sharing over two different internet connections.

When I look at the routing table of firewall 0, everything looks OK. The route goes to firewall 1 (secondary), but if I try to ping something behind the VPN from firewall 0, I can't reach it.

If I use the LAN interface of firewall 1 (of course, the same IP network and zone), everything is OK. So I looked at the logging on firewall 1, but I can't see any traffic from firewall 0.

So my next step was a packet capture. There I can see that firewall 1 receives the ICMP requests from firewall 0.

So firewall 1 drops the requests, but why? The policies must be OK, otherwise I couldn't ping from the LAN interface of firewall 1. Maybe this is normal behavior for an A/A cluster?

Any ideas for troubleshooting?

BR M

6 REPLIES

Cyber Elite

I'm not sure I understand your issue, but may I ask why you are using an Active/Active cluster?

Is it to achieve load sharing between two ISPs? This can be achieved much more simply in an A/P cluster, which will also simplify any dynamic routing troubleshooting.

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Cyber Elite

I hate the auto-translate bots. Honestly, I'm not sure what you are asking. Active/Active configurations are very rarely actually needed, and on top of that it's rarer yet that they are configured properly. Without actually knowing exactly what the issue is (it sounds like a routing issue) and what you actually need help with, we can't really help you troubleshoot anything. If your routes are fine, or at least look fine to you, then I would start looking at the policies and see if there isn't something wrong there.

Active/Active is really only best used when you have a large amount of async routing taking place; for everything else there's PBF, which usually works far better.

Sorry that my English isn't as perfect as yours, but I'm not a native speaker...

So I will try to explain my problem with a picture.

fw.PNG (network diagram)

First thing: yes, we must use an A/A cluster.

My problem:

A client in the network 192.168.1.0/24 tries to reach a server (10.0.0.1) which is connected over VPN to FW1 (secondary).

The client has its default gateway configured as 192.168.1.1 (a floating IP which is active on FW0). FW0 has a route to the VPN 10.0.0.0/24 via FW1, learned through OSPF.

When we ping the server from the client, I can see that the packets reach FW0 (green row), and this firewall redirects the packets to FW1 (red row). With a packet capture I can see that the packets reach FW1, but I can't see the packets in the logs...

Of course, normally I would say it's a policy problem, but the policy is OK. I can ping the server from the FW1 LAN interface (192.168.1.3). A ping from the FW0 LAN interface is also not possible.

BR M

 

Don't worry about your English, it is fine 🙂

An A/A cluster (unlike possibly other vendors') should be considered a single system with some redundancy built in, so this kind of setup will probably have you hit policy/internal routing issues. Have you tried setting up packet-diag filters and tracking global counters to see if your packets are being discarded?

You'll probably need a multi-vsys environment so no policy/routing conflicts are encountered when bouncing packets between systems (plus you'll probably also encounter non-SYN drops, because bouncing packets off the firewall requires U-turn NAT).

You could consider creating a VPN tunnel with both nodes and using IP modulo to balance between the two, or set a preferred IP for your remote server on FW2 and add routes to your endpoints.

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization
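Added example, not from the thread or from Palo Alto Networks: the packet-diag and global-counter check suggested in the reply above. On the PAN-OS CLI the filter is set with "debug dataplane packet-diag set filter match source <client-ip> destination 10.0.0.1" followed by "debug dataplane packet-diag set filter on", and the counters that the filtered packets touched are then read with "show counter global filter packet-filter yes delta yes" (the client IP is assumed; 10.0.0.1 is the server from the diagram). The script below parses the table that command prints and returns only the counters with severity "drop" that actually incremented, which is the line that tells you why a packet was silently discarded. The sample output is constructed for the example: the counter names are real PAN-OS counters, the values are invented.

```python
"""Parse the counter table printed by the PAN-OS CLI command
``show counter global filter packet-filter yes delta yes`` and pull out
the 'drop' severity counters, so the reason for a silently discarded
packet can be read off instead of scanned for by eye.

Added example for this thread; it is not a Palo Alto Networks tool and
the sample output below is constructed, not captured from a device.
"""
from dataclasses import dataclass
import re


@dataclass
class Counter:
    name: str
    value: int
    rate: int
    severity: str
    category: str
    aspect: str
    description: str


# Constructed sample of the CLI output shape. Counter names are real
# PAN-OS counters; the values are invented for the example.
SAMPLE_OUTPUT = """\
Global counters:
Elapsed time since last sampling: 5.211 seconds

name                                   value     rate severity  category  aspect    description
--------------------------------------------------------------------------------
pkt_recv                                  42        8 info      packet    pktproc   Packets received
session_allocated                          1        0 info      session   resource  Sessions allocated
flow_policy_deny                           7        1 drop      flow      session   Session setup: denied by policy
flow_tcp_non_syn_drop                      3        0 drop      flow      session   Packets dropped: non-SYN TCP without session match
--------------------------------------------------------------------------------
Total counters shown: 4
"""

_RULE = re.compile(r"^-{10,}\s*$")


def parse_counters(text):
    """Return every Counter row found between the two dashed rules."""
    rows, inside = [], False
    for line in text.splitlines():
        if _RULE.match(line):
            if inside:
                break          # the second rule closes the table
            inside = True      # the first rule opens it (header is above it)
            continue
        if not inside or not line.strip():
            continue
        parts = line.split(None, 6)   # description may contain spaces
        if len(parts) < 6:
            continue                  # not a counter row; skip defensively
        name, value, rate, severity, category, aspect = parts[:6]
        description = parts[6] if len(parts) == 7 else ""
        rows.append(Counter(name, int(value), int(rate), severity,
                            category, aspect, description))
    return rows


def drop_counters(text):
    """Counters with severity 'drop' that actually incremented, busiest first."""
    drops = [c for c in parse_counters(text)
             if c.severity == "drop" and c.value > 0]
    return sorted(drops, key=lambda c: c.value, reverse=True)


if __name__ == "__main__":
    for c in drop_counters(SAMPLE_OUTPUT):
        print(f"{c.name:<32} {c.value:>6}  {c.description}")
```

Run the counter command twice with "delta yes" while the ping is going, paste each output through drop_counters, and the counter that keeps incrementing names the drop stage (policy, no session, zone change, and so on), which is the piece the traffic log does not show for a packet that never became a session. Turn the filter off afterwards with "debug dataplane packet-diag set filter off".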

I believe we currently have a similar setup between our A/A firewalls and a VMware cloud setup.

Previously we just used the VPN for some remote monitoring and return traffic, but due to an asymmetric route issue we've got it set up to use the tunnel for bidirectional traffic.

Each of my firewalls has a static route set for the appropriate network range with the tunnel interface as next hop. Looking at your diagram, it got me wondering whether I wouldn't see some dropped packets with my current deployment, since the secondary firewall doesn't have an active IKE session and, therefore, the tunnel targeted in the next hop wouldn't be active.

Running a trace/ping test with WinMTR I can see my test go to the secondary firewall, followed by a "No response from host" entry, followed by the gateway for the remote cloud at the other end of the tunnel, and then the server. Theoretically I should occasionally see a new version of this test going to the active firewall instead, but so far it's just been the secondary.

I may be wrong, but it seems like what may be happening here is that, like @reaper mentioned, the A/A firewalls act as one system, so the secondary seems to be aware that it is not the one with the active connection through that tunnel at this time and moves the traffic over to the primary firewall (perhaps where I'm seeing the "No response from host"), and then the traffic follows the static route and flows down the tunnel.

Hi guys,

OK, I've rebuilt this setup on a PA-500 A/A cluster, with static routes.

Static route from client to firewall, static route from firewall to tunnel, and the same on the other side.

The client route points to the physical interface, not to the floating IP.

And if I understand JSALMANS right, this must work...

If the firewall is the primary one, everything is OK, but if it is the secondary, I can see that the packets get to the firewall, so far so good.

But I can't see the return packets in the firewall logs. I can see that the packets go into the tunnel on the firewall (server side). If I use a packet capture on the tunnel interface (on the firewall on the client side), I can see that the firewall receives the packet...

But after that????????? If I make the firewall the primary, everything is fine......

Is it possible that the packet goes over the HA link to the primary firewall (I've also looked at the logs there, but nothing)?

Very strange.

THX a lot
