Active/Active Floating IP/Traffic Forwarding Problem

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Active/Active Floating IP/Traffic Forwarding Problem

L2 Linker

Hello All,

I have a support case open with PAN but I thought I would query others smarter than I.

  • 2 x PAN-2020
  • Recently enabled HA Active/Active
  • BGP on External/Currently ONLY Static Inside to Active-Primary device (0.0.0.0/0 -> Active Primary)
  • Session Owner = First Packet (only going to be Active-Primary right now do you static route)
  • Session Setup = IP-modulo
  • Floating IP - x.x.x.128 -> active-secondary preferred
  • Floating IP - x.x.x.129 -> active-primary preferred
  • 2 x GlobalProtect Portals - each using respective Floating IPs

I first noticed an issue when configuring an SSL-portal using a Floating IP.  It seems as though only the session owner can communicate with it's preferred floating IP. 

Example 1:

Client A -> 0.0.0.0/0 -> active-primary -> https://x.x.x.129 = WORKS!

Client A -> 0.0.0.0/0 -> active-primary -> https://x.x.x.128 = FAIL

Example 2:

Client A -> 0.0.0.0/0 -> active-secondary -> https://x.x.x.129 = FAIL

Client A -> 0.0.0.0/0 -> active-secondary -> https://x.x.x.128 = WORKS!

From these examples, only the session owner can communicate with its respective floating IP.  I have also seen where IPSec tunnels that terminated to ONLY the Active-Primary are having intermittent issues with communicating with internal hosts.  All outbound and inbound NAT'd traffic seems to be doing wonderfully, just sessions that terminate to the firewalls themselves seem to be having issues.

I have a drawing that I can share if anyone shows interest in helping me troubleshoot.  I'm at a loss and been at if for 4 days.

TIA!

1 accepted solution

Accepted Solutions

L2 Linker

Gonna answer this one myself.  After talking with PA support, traffic destined to a Floating IP through it's peer was never designed to go through HA3 packet forwarding.  It is assumed that the owner of the Floating IP would always get the traffic first via ARP and the virtual mac.  In my situation, I have two /29 that communicate with the upstream ISP routers and I was attempting to use one of my /24 (BGP routed) IPs as a floater.  I was wanting to use the Floating IP as a signal point of entry for S2S VPNs.  Because of asymmetric routing and BGP, there was no way to guarantee that the Floating IP owner would 100% always receive the packet.

I'm working around this issue for now and just using a /30 that is ALWAYS statically routed to one device.  But I'm still having IPSec VPN problems, but that's another post. Smiley Happy Hope this helps someone.

View solution in original post

1 REPLY 1

L2 Linker

Gonna answer this one myself.  After talking with PA support, traffic destined to a Floating IP through it's peer was never designed to go through HA3 packet forwarding.  It is assumed that the owner of the Floating IP would always get the traffic first via ARP and the virtual mac.  In my situation, I have two /29 that communicate with the upstream ISP routers and I was attempting to use one of my /24 (BGP routed) IPs as a floater.  I was wanting to use the Floating IP as a signal point of entry for S2S VPNs.  Because of asymmetric routing and BGP, there was no way to guarantee that the Floating IP owner would 100% always receive the packet.

I'm working around this issue for now and just using a /30 that is ALWAYS statically routed to one device.  But I'm still having IPSec VPN problems, but that's another post. Smiley Happy Hope this helps someone.

  • 1 accepted solution
  • 4378 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!