11-24-2015 02:37 PM
I am currently working on a network redesign project with all Cisco gear. Our network engineer is opting for a complete HSRP Active/Active environment. According to all deployment documentation, HA Active/Passive seems to be the preferred method for the Palo Altos. I see that the PAs do support A/A HA using VRRP, so I do not see a configuration issue. Can someone provide the pros and cons of deploying the PAs in an A/P vs. A/A environment? Are there any performance implications? Are there any issues when using the PAs in an A/A configuration for VPN termination, etc.?
07-23-2019 08:38 AM
Looks like each Palo is marking the path to the standby HSRP peer for a VLAN as the ECMP preferred path. Is this an issue? What does that mean exactly?
07-23-2019 09:10 AM
Do you recall what had to be done with ECMP in an iBGP mesh? Was it on the Palo Alto side or the router/switch side?
07-23-2019 09:11 AM
Like I said earlier, can you ditch the HSRP and have BGP peers with both 9500s?
07-23-2019 09:13 AM
You can read this. It only applies to Juniper. Page 8 - https://www.juniper.net/assets/us/en/local/pdf/whitepapers/2000565-en.pdf
07-23-2019 09:16 AM
HSRP is only LAN side for servers and clients. Layer 3 routed ports from each 9500 to each Palo, iBGP full mesh.
07-23-2019 09:22 AM
Ya, doesn't apply here since I am fully meshed, not using route reflectors. This is because route reflectors will only insert the one BGP route in the route table as a method of loop prevention. It's a real killer actually.
07-23-2019 09:29 AM
Gotcha. Perhaps this is more what you are looking for on the Cisco side?
I'm only finding ECMP articles on PAN related to eBGP.
07-23-2019 09:31 AM
I agree, there seems to be a lack of iBGP material. I am wondering if it is because normally when BGP is involved you are running them at the edge and peering eBGP with your ISP.
07-23-2019 09:33 AM
Have you considered porting from iBGP to eBGP? Give each PAN and each 9500 its own AS? Might be worth labbing it out.
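For anyone labbing the two options discussed above (iBGP full mesh vs. eBGP with one AS per box), here is an added example of what the 9500 side could look like on IOS-XE. This is not from the original poster and not a reference config; the AS numbers, router IDs and link addresses are made up for illustration. The two points it is meant to show: in the iBGP variant IOS installs only one iBGP best path unless `maximum-paths ibgp` is configured, and in the eBGP variant the two Palos sit in different ASes, so their AS_PATHs differ and `bgp bestpath as-path multipath-relax` is needed before both paths are eligible for ECMP.

```text
! --- Option A: iBGP full mesh (everything in AS 65000), as in the thread ---
router bgp 65000
 bgp router-id 10.0.0.1
 bgp log-neighbor-changes
 neighbor 10.1.1.2 remote-as 65000        ! PA-1, routed point-to-point link (assumed)
 neighbor 10.1.2.2 remote-as 65000        ! PA-2, routed point-to-point link (assumed)
 neighbor 10.0.0.2 remote-as 65000        ! the other 9500 (assumed)
 address-family ipv4
  neighbor 10.1.1.2 activate
  neighbor 10.1.2.2 activate
  neighbor 10.0.0.2 activate
  maximum-paths ibgp 2                    ! without this only one iBGP path goes in the RIB
 exit-address-family
!
! --- Option B: eBGP, each PAN and each 9500 in its own AS ---
router bgp 65010
 bgp router-id 10.0.0.1
 bgp log-neighbor-changes
 bgp bestpath as-path multipath-relax     ! PA-1 and PA-2 advertise different AS_PATHs
 neighbor 10.1.1.2 remote-as 65001        ! PA-1 (assumed AS)
 neighbor 10.1.2.2 remote-as 65002        ! PA-2 (assumed AS)
 neighbor 10.0.0.2 remote-as 65011        ! the other 9500 (assumed AS)
 address-family ipv4
  neighbor 10.1.1.2 activate
  neighbor 10.1.2.2 activate
  neighbor 10.0.0.2 activate
  maximum-paths 2                         ! eBGP ECMP across both Palos
 exit-address-family
```

After either variant, `show ip bgp <prefix>` should list both Palo-learned paths as `multipath` and `show ip route <prefix>` should show two next hops; if only one appears, check that the paths really are equal (same AS_PATH length, same MED, same origin) before blaming the firewalls.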
04-08-2020 06:01 PM
Would you mind elaborating on how you are running active/active in vwire mode?
I am looking at how to use vwire behind a Check Point cluster as an interim measure until the Palos replace the Check Points.
04-17-2020 07:04 AM
We are running PA 5050 in vwire mode.
What specific info do you need?
04-19-2020 02:30 PM
I'm trying to understand the best option when putting 2 x PA NGFWs in Active/Passive, each with vwires between a Check Point 2-node Active/Passive cluster and 2 x L3 switches. My specific concern was how the active PA NGFW would follow the active Check Point cluster node in a failover event. My concern quickly switched, however, when VSLS was enabled to make the Check Point cluster Active/Active. Now I am trying to understand the implications of PA Active/Active vwires in a failure scenario.
My backup plan is no HA with TCP SYN check disabled and, to be honest, it will most likely be the chosen option as we're in emergency response mode for this work.