Active/Active Floating IP/Traffic Forwarding Problem

Reply
Highlighted
L2 Linker

Active/Active Floating IP/Traffic Forwarding Problem

Hello All,

I have a support case open with PAN but I thought I would query others smarter than I.

  • 2 x PAN-2020
  • Recently enabled HA Active/Active
  • BGP on External/Currently ONLY Static Inside to Active-Primary device (0.0.0.0/0 -> Active Primary)
  • Session Owner = First Packet (only going to be Active-Primary right now do you static route)
  • Session Setup = IP-modulo
  • Floating IP - x.x.x.128 -> active-secondary preferred
  • Floating IP - x.x.x.129 -> active-primary preferred
  • 2 x GlobalProtect Portals - each using respective Floating IPs

I first noticed an issue when configuring an SSL-portal using a Floating IP.  It seems as though only the session owner can communicate with it's preferred floating IP. 

Example 1:

Client A -> 0.0.0.0/0 -> active-primary -> https://x.x.x.129 = WORKS!

Client A -> 0.0.0.0/0 -> active-primary -> https://x.x.x.128 = FAIL

Example 2:

Client A -> 0.0.0.0/0 -> active-secondary -> https://x.x.x.129 = FAIL

Client A -> 0.0.0.0/0 -> active-secondary -> https://x.x.x.128 = WORKS!

From these examples, only the session owner can communicate with its respective floating IP.  I have also seen where IPSec tunnels that terminated to ONLY the Active-Primary are having intermittent issues with communicating with internal hosts.  All outbound and inbound NAT'd traffic seems to be doing wonderfully, just sessions that terminate to the firewalls themselves seem to be having issues.

I have a drawing that I can share if anyone shows interest in helping me troubleshoot.  I'm at a loss and been at if for 4 days.

TIA!


Accepted Solutions
Highlighted
L2 Linker

Gonna answer this one myself.  After talking with PA support, traffic destined to a Floating IP through it's peer was never designed to go through HA3 packet forwarding.  It is assumed that the owner of the Floating IP would always get the traffic first via ARP and the virtual mac.  In my situation, I have two /29 that communicate with the upstream ISP routers and I was attempting to use one of my /24 (BGP routed) IPs as a floater.  I was wanting to use the Floating IP as a signal point of entry for S2S VPNs.  Because of asymmetric routing and BGP, there was no way to guarantee that the Floating IP owner would 100% always receive the packet.

I'm working around this issue for now and just using a /30 that is ALWAYS statically routed to one device.  But I'm still having IPSec VPN problems, but that's another post. :smileyhappy: Hope this helps someone.

View solution in original post


All Replies
Highlighted
L2 Linker

Gonna answer this one myself.  After talking with PA support, traffic destined to a Floating IP through it's peer was never designed to go through HA3 packet forwarding.  It is assumed that the owner of the Floating IP would always get the traffic first via ARP and the virtual mac.  In my situation, I have two /29 that communicate with the upstream ISP routers and I was attempting to use one of my /24 (BGP routed) IPs as a floater.  I was wanting to use the Floating IP as a signal point of entry for S2S VPNs.  Because of asymmetric routing and BGP, there was no way to guarantee that the Floating IP owner would 100% always receive the packet.

I'm working around this issue for now and just using a /30 that is ALWAYS statically routed to one device.  But I'm still having IPSec VPN problems, but that's another post. :smileyhappy: Hope this helps someone.

View solution in original post

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!