Active/Active HA3 issue

Hi all,

I have a client which run a stretched active/active HA cluster with a dark fiber between them. So HA1, HA2, HA3 links are not really cables, but layer2 VLANs. It seems fine, as it has somehow worked a long time, but this is what I’ve noticed:

When I issue “show counter global filter severity drop”:

efellows@palo-alto-1(active-primary)> show counter global filter severity drop

Global counters:
Elapsed time since last sampling: 1.220 seconds

name                                   value     rate severity  category  aspect    description
--------------------------------------------------------------------------------
pkt_recv_err                               5        0 drop      packet    pktproc   Packet receive error
flow_rcv_err                             165        0 drop      flow      parse     Packets dropped: flow stage receive error
flow_policy_deny                         306        0 drop      flow      session   Session setup: denied by policy
flow_tcp_non_syn_drop                  99371        9 drop      flow      session   Packets dropped: non-SYN TCP without session match
flow_fwd_ip_df                             7        0 drop      flow      forward   Packets dropped: exceeded MTU but DF bit present
flow_parse_l4_cksm                        42        0 drop      flow      parse     Packets dropped: TCP/UDP checksum failure
flow_parse_l4_port                        96        0 drop      flow      parse     Packets dropped: illegal TCP/UDP port 0
flow_action_close                     193599       19 drop      flow      pktproc   TCP sessions closed via injecting RST
flow_action_reset                      32715        0 drop      flow      pktproc   TCP clients reset via responding RST
flow_host_decap_err                       12        0 drop      flow      mgmt      Packets dropped: decapsulation error from control plane
tcp_drop_decrypt_packets                   3        0 drop      tcp       pktproc   number of decrypted packets get dropped
ha_aa_pktfwd_err_decap                 35620        0 drop      ha        aa        Active/Active: packet-forwarding decap error
proxy_url_request_pkt_drop                35        0 drop      proxy     pktproc   The number of packets get dropped because of waiting for url category request in ssl proxy
url_request_pkt_drop                    4836        0 drop      url       pktproc   The number of packets get dropped because of waiting for url category request
--------------------------------------------------------------------------------
Total counters shown: 14
--------------------------------------------------------------------------------

I see a lot of ha_aa_pktfwd_err_decap drops and they are constantly growing. I’ve seen in the Active/Active HA guide that HA3 link can be layer2 link, but it MUST support jumbo frames end to end. Right now that’s not the case, because they are going through the core switch which must be rebooted to enable jumbo frames which can not be done easily. I have not yet enabled globally jumbo frames on the PA devices neither.

So my questions are:

1. Is this something normal or is it a sign of a problem?
2. Do you expect to be fixed if we enable jumbo frames on PA devices and on the network switches end to end?
3. The old devices (PA-2050) ran exactly the same setup and configuration. Unfortunately I have not checked this counter on them. But I checked that PA-2000 does not support jumbo frames at all. At the same time it is said that when running active/active jumbo frames are a must. And PA-2000 normally support active/active. So what’s the true here? How does PA-2000 run active/active and transmit packets over HA3 when they do not support jumbo frames and how this affects operations?