11-24-2015 02:37 PM
I am currently working on a network redesign project with all Cisco gear. Our network engineer is opting for a complete HSRP Active/Active environment. According to all deployment documentation, HA Active/Passive seems to be the preferred method for the Palo Altos. I see that the PAs do support A/A HA using VRRP, so I do not see a configuration issue. Can someone provide the pros and cons of deploying the PAs in an A/P vs. A/A environment? Are there any performance implications? Are there any issues when using the PAs in an A/A configuration for VPN termination, etc.?
03-26-2019 11:53 AM
I think focusing on the Core Switch Layer (Nexus/Cat9k) that has multiple VRFs which egress Layer 3 routed ports on the Core to the Core Palo FW. In order for the Palo to come back down to a different VRF, the Palo needs to know about those VRF networks in the global route table. So right now I'm just using static routes to do this, but BGP could help route leak and make it easier and cleaner. Now are you saying you have ONE vRouter per VRF and then the vRouters can talk to each other?
03-26-2019 12:19 PM
Nah. I would give the PAN a single vRouter. That's your VRF convergence point. No leaking necessary.
03-26-2019 12:20 PM
Yes, but then you need to get all your routing layer subnets per VRF back into the global route table so the Palo can route back down to a different VRF.
03-26-2019 02:17 PM - edited 03-26-2019 02:26 PM
Maybe I'm misunderstanding what you mean by "global route table". For example: let's say you have a single PAN vRouter and all of its attached interfaces (i.e. VRFs on the 9K) are all in OSPF area 0. Then each VRF will have routes for every other VRF. But they must be allowed through by your FW rules in the PAN. Perhaps I'm missing a piece of this equation?
07-23-2019 05:41 AM
So I have this setup and it appears to be "working", but I seem to be having some issues with ECMP and sessions. When I run a packet capture I am seeing TCP out-of-order messages.
My core 9500s (not stacked or using VSS) are dual connected to each Palo Alto in active/active. I have HA session owner set to first packet and session setup set to first packet as well.
I am seeing lots of "unknown", "n/a" and "aged-out" entries in my traffic logs. The core 9500s are running /30 Layer 3 links to each Palo. OSPF is used to advertise loopbacks into the route table, and the 9500s and Palos are using iBGP as the main routing protocol. I am seeing multiple paths from the core 9500s and the Palos. The 9500s are running HSRP. So OSPF is doing ECMP to loopbacks from 9500s to Palos, and the Palos are doing ECMP to each 9500.
What should my ECMP settings be? Should my HA session options be different than they are?
07-23-2019 08:01 AM
If you are using ECMP, what is the point of HSRP? Doesn't that kind of defeat the purpose of ECMP by forcing your path in one direction?
07-23-2019 08:04 AM
I do not follow.
Each active HSRP peer is connected to each Palo Alto, so any routes beyond the Palo Alto can be reached through both Palo Altos.
07-23-2019 08:15 AM
Full mesh iBGP, so Palo1 (172.16.63.3) knows that network 192.168.21.0/24 lives at Core01 (172.16.63.1) and Core02 (172.16.63.2), same for Palo2.
But now I think I see what you are saying... the traffic is only going to be forwarded to the active peer for that HSRP group, correct? I wonder if I am seeing issues because it's trying to send to both peers? So my 9500s are the only ones that seem to need to use ECMP, and not the Palos.
But I have things connected northbound to both Palos which ECMP would be good for... So not sure.
07-23-2019 08:19 AM
I'm just saying usually you don't mix both HSRP and ECMP. HSRP - Layer 2 failover mechanism. ECMP - Layer 3 load balancing mechanism.
07-23-2019 08:20 AM
Have you enabled ECMP on the Palos? If you are using iBGP instead of eBGP, there are extra hoops to jump through when enabling ECMP.
07-23-2019 08:22 AM
Yes, ECMP on the Palos.
iBGP, not eBGP.
I have not seen much relating to ECMP and iBGP, so what other hoops are there?
07-23-2019 08:29 AM
OK, so I see something that sticks out to me.
What does ECMP preferred path mean? How is this chosen?
07-23-2019 08:32 AM
I've really only tackled iBGP with ECMP in the lab with Juniper equipment and PANs in Active/Passive. You'll have to do some research on this for Cisco. Are you running your PANs independently or in an Active/Active pair?
07-23-2019 08:34 AM
Active/active pair. Thought about splitting them to standalone active/active but then worried about session state if one failed.
07-23-2019 08:36 AM
No, you're doing it right. If you split them all asynchronous traffic will get dropped since session states won't be synced between the two.
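The point made in the last two replies (ECMP from the cores and from the upstream side can put the two directions of one session on different firewalls, and only HA session sync keeps those sessions alive) can be illustrated with a small simulation. This is an added example, not from the thread and not Palo Alto or Cisco code: it uses SHA-256 with a per-device seed as a stand-in for a router's real ECMP hash (an assumption), the firewall names Palo1/Palo2 from the thread as the two next hops, and a constructed set of client flows to a server in 192.168.21.0/24. It counts how many sessions would see their return packet arrive at the "wrong" firewall under a plain 5-tuple hash, under a symmetric (endpoint-sorted) hash, and with matching versus differing hash seeds on the two hashing devices, and then how many of those sessions would be dropped without session sync.

```python
import hashlib
from typing import List, Tuple

# A flow is the 5-tuple (src_ip, dst_ip, src_port, dst_port, proto).
Flow = Tuple[str, str, int, int, str]

# The two ECMP next hops, named after the firewalls in the thread (constructed).
FIREWALLS = ["Palo1", "Palo2"]


def _digest(key: bytes, seed: bytes) -> int:
    """Toy hash: SHA-256 of seed||key truncated to 32 bits. Stands in for a
    router's proprietary ECMP hash; the seed models that device's hash key."""
    return int.from_bytes(hashlib.sha256(seed + key).digest()[:4], "big")


def asymmetric_hash(flow: Flow, seed: bytes) -> int:
    """Plain 5-tuple hash: (src, dst) and (dst, src) hash to different values."""
    src, dst, sport, dport, proto = flow
    return _digest(f"{src}|{dst}|{sport}|{dport}|{proto}".encode(), seed)


def symmetric_hash(flow: Flow, seed: bytes) -> int:
    """Order-independent hash: endpoints are sorted before hashing, so a flow
    and its reverse give the same value on the same device (same seed)."""
    src, dst, sport, dport, proto = flow
    (ip_a, port_a), (ip_b, port_b) = sorted([(src, sport), (dst, dport)])
    return _digest(f"{ip_a}|{ip_b}|{port_a}|{port_b}|{proto}".encode(), seed)


def pick_next_hop(flow: Flow, seed: bytes, symmetric: bool) -> str:
    """Choose which firewall this device forwards the packet to."""
    h = symmetric_hash(flow, seed) if symmetric else asymmetric_hash(flow, seed)
    return FIREWALLS[h % len(FIREWALLS)]


def reverse(flow: Flow) -> Flow:
    """The return direction of a flow (server -> client)."""
    src, dst, sport, dport, proto = flow
    return (dst, src, dport, sport, proto)


def count_asymmetric(flows: List[Flow], seed_core: bytes, seed_upstream: bytes,
                     symmetric: bool) -> int:
    """Sessions whose forward packet (hashed by the core switch) and return
    packet (hashed by the upstream router) land on different firewalls."""
    return sum(
        1 for f in flows
        if pick_next_hop(f, seed_core, symmetric)
        != pick_next_hop(reverse(f), seed_upstream, symmetric)
    )


def count_dropped(flows: List[Flow], seed_core: bytes, seed_upstream: bytes,
                  symmetric: bool, session_sync: bool) -> int:
    """A firewall that receives the return packet of a session it did not set
    up has no state for it and drops it, unless HA session sync gave it that
    state. This is the case the thread's last reply describes."""
    if session_sync:
        return 0
    return count_asymmetric(flows, seed_core, seed_upstream, symmetric)


def sample_flows(n: int = 200) -> List[Flow]:
    """Constructed sample: n clients behind the core talking to one server in
    192.168.21.0/24 (the prefix mentioned in the thread) on TCP/443."""
    return [(f"10.0.{i // 256}.{i % 256}", "192.168.21.10", 40000 + i, 443, "tcp")
            for i in range(n)]


if __name__ == "__main__":
    flows = sample_flows()
    core, upstream = b"core-9500", b"upstream-router"  # constructed seeds
    print("5-tuple hash, different seeds  :", count_asymmetric(flows, core, upstream, False))
    print("symmetric hash, different seeds:", count_asymmetric(flows, core, upstream, True))
    print("symmetric hash, same seed      :", count_asymmetric(flows, core, core, True))
    print("dropped, standalone firewalls  :", count_dropped(flows, core, upstream, False, False))
    print("dropped, A/A HA with sync      :", count_dropped(flows, core, upstream, False, True))
```

Only the "same hash, same seed" row comes out at zero, which is the condition you can rarely guarantee across a Cisco core and whatever sits upstream; every other row shows return traffic split across both firewalls. That is why the split-standalone option discussed above loses sessions while the A/A pair with session sync does not, and why a symmetric hash alone is not a substitute for sync.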