This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Active/Active Floating IP/Traffic Forwarding Problem

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Active/Active Floating IP/Traffic Forwarding Problem

Go to solution
dshue
L2 Linker

‎03-26-2014 08:38 AM

Hello All,

I have a support case open with PAN but I thought I would query others smarter than I.

  • 2 x PAN-2020
  • Recently enabled HA Active/Active
  • BGP on External/Currently ONLY Static Inside to Active-Primary device (0.0.0.0/0 -> Active Primary)
  • Session Owner = First Packet (only going to be Active-Primary right now do you static route)
  • Session Setup = IP-modulo
  • Floating IP - x.x.x.128 -> active-secondary preferred
  • Floating IP - x.x.x.129 -> active-primary preferred
  • 2 x GlobalProtect Portals - each using respective Floating IPs

I first noticed an issue when configuring an SSL-portal using a Floating IP.  It seems as though only the session owner can communicate with it's preferred floating IP. 

Example 1:

Client A -> 0.0.0.0/0 -> active-primary -> https://x.x.x.129 = WORKS!

Client A -> 0.0.0.0/0 -> active-primary -> https://x.x.x.128 = FAIL

Example 2:

Client A -> 0.0.0.0/0 -> active-secondary -> https://x.x.x.129 = FAIL

Client A -> 0.0.0.0/0 -> active-secondary -> https://x.x.x.128 = WORKS!

From these examples, only the session owner can communicate with its respective floating IP.  I have also seen where IPSec tunnels that terminated to ONLY the Active-Primary are having intermittent issues with communicating with internal hosts.  All outbound and inbound NAT'd traffic seems to be doing wonderfully, just sessions that terminate to the firewalls themselves seem to be having issues.

I have a drawing that I can share if anyone shows interest in helping me troubleshoot.  I'm at a loss and been at if for 4 days.

TIA!

0 Likes Likes
1 accepted solution

Accepted Solutions

Go to solution
dshue
L2 Linker

‎04-07-2014 01:30 PM

Gonna answer this one myself.  After talking with PA support, traffic destined to a Floating IP through it's peer was never designed to go through HA3 packet forwarding.  It is assumed that the owner of the Floating IP would always get the traffic first via ARP and the virtual mac.  In my situation, I have two /29 that communicate with the upstream ISP routers and I was attempting to use one of my /24 (BGP routed) IPs as a floater.  I was wanting to use the Floating IP as a signal point of entry for S2S VPNs.  Because of asymmetric routing and BGP, there was no way to guarantee that the Floating IP owner would 100% always receive the packet.

I'm working around this issue for now and just using a /30 that is ALWAYS statically routed to one device.  But I'm still having IPSec VPN problems, but that's another post. Smiley Happy Hope this helps someone.

View solution in original post

0 Likes Likes
1 REPLY 1

Go to solution
dshue
L2 Linker

‎04-07-2014 01:30 PM

Gonna answer this one myself.  After talking with PA support, traffic destined to a Floating IP through it's peer was never designed to go through HA3 packet forwarding.  It is assumed that the owner of the Floating IP would always get the traffic first via ARP and the virtual mac.  In my situation, I have two /29 that communicate with the upstream ISP routers and I was attempting to use one of my /24 (BGP routed) IPs as a floater.  I was wanting to use the Floating IP as a signal point of entry for S2S VPNs.  Because of asymmetric routing and BGP, there was no way to guarantee that the Floating IP owner would 100% always receive the packet.

I'm working around this issue for now and just using a /30 that is ALWAYS statically routed to one device.  But I'm still having IPSec VPN problems, but that's another post. Smiley Happy Hope this helps someone.

0 Likes Likes
  • 1 accepted solution
  • 4377 Views
  • 1 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks