Degraded services after introducing Vwire + link aggregation deployment

Reply
Highlighted
L0 Member

Degraded services after introducing Vwire + link aggregation deployment

New guy, trying to deploy a new Palo Alto 3260 to my internet edge for extra protection - 

 

When I bring my Palo Alto 3260 inline at my internet edge, I start to experience severe packet loss almost immediately. It affects VDI View sessions and our Cisco Anyconnect solution, that live behind the Palo Alto firewall. I'm using this PA FW, temporarily, as a means to introduce DoS protection and GEO/country blocking. However, even before I could get to building and enabling those security profiles, the PA is degrading my hosted services. I built two aggregate interfaces, ae1 = outside and ae2 = inside. I added three copper connections toeach, and then applied vwire to it. I built my zones, and added the aggregate interfaces to the appropriate zone.

 

As a pretest - I setup a small network and routed it through the connecting devices that sit on each side of the PA as a test, and that worked great after moving away from LACP on the connected devices and went with standard etherchannel. However, when I swing multiple networks through the PA (multiple VLANs) I start seeing heavy packet loss and dropping 2 out of 3 packets in ping tests. 

 

Initially, I was seeing drops in the logs from the "Intrazone" pre-built security policy, but once I changed the action on that rule to "PERMIT", I was no longer seeing drops in my logs on any security feature. I'm not confident that this was the right thing to do, but it seemed to cease the drop logs. This rule seemed to appear after applying the day1configuration file. 

 

Here is the topology: 

ISP -- > internet switches (VSS pair) --> PA 3260 --> Cisco ASR ---> DMZ switches --> ASA firewall --->services

 

When I only route a single network through the PA, I can send 1k+ packets between the internet switches and ASR without any loss. 

 

 

Any thoughts/feedback on where I should be looking???

Thanks in advance!

Highlighted
L2 Linker

So, if your original [internet switches (VSS pair)] <> [Cisco ASR] link is LACP, then when you introduce a Palo firewall you do not have to build AE-based v-wire. Just create several "single-legged" v-wires. In such configuration Palo will pass-through LACP control frames and thus the new firewall will be completeley transparent to the internet switches and the ASR, and thus you won't have to change anything on them.

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClHTCA0 

You also need to make sure you specify tags of all VLANs that you want to allow on that link. By default you have only 0 that means only untagged traffic (all tagged frames will be dropped).

Highlighted
L0 Member

Thank you Nikolay!

 

I will certainely give that a try and let you know how it goes. 

 

Thanks!

Highlighted
L2 Linker

Yes, please - post the outcome here. vwire deployments are always a good fun

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!