Degraded services after introducing Vwire + link aggregation deployment

Showing results for 
Show  only  | Search instead for 
Did you mean: 
Please sign in to see details of an important advisory in our Customer Advisories area.

Degraded services after introducing Vwire + link aggregation deployment

L0 Member

New guy, trying to deploy a new Palo Alto 3260 to my internet edge for extra protection - 


When I bring my Palo Alto 3260 inline at my internet edge, I start to experience severe packet loss almost immediately. It affects VDI View sessions and our Cisco Anyconnect solution, that live behind the Palo Alto firewall. I'm using this PA FW, temporarily, as a means to introduce DoS protection and GEO/country blocking. However, even before I could get to building and enabling those security profiles, the PA is degrading my hosted services. I built two aggregate interfaces, ae1 = outside and ae2 = inside. I added three copper connections toeach, and then applied vwire to it. I built my zones, and added the aggregate interfaces to the appropriate zone.


As a pretest - I setup a small network and routed it through the connecting devices that sit on each side of the PA as a test, and that worked great after moving away from LACP on the connected devices and went with standard etherchannel. However, when I swing multiple networks through the PA (multiple VLANs) I start seeing heavy packet loss and dropping 2 out of 3 packets in ping tests. 


Initially, I was seeing drops in the logs from the "Intrazone" pre-built security policy, but once I changed the action on that rule to "PERMIT", I was no longer seeing drops in my logs on any security feature. I'm not confident that this was the right thing to do, but it seemed to cease the drop logs. This rule seemed to appear after applying the day1configuration file. 


Here is the topology: 

ISP -- > internet switches (VSS pair) --> PA 3260 --> Cisco ASR ---> DMZ switches --> ASA firewall --->services


When I only route a single network through the PA, I can send 1k+ packets between the internet switches and ASR without any loss. 



Any thoughts/feedback on where I should be looking???

Thanks in advance!


L2 Linker

So, if your original [internet switches (VSS pair)] <> [Cisco ASR] link is LACP, then when you introduce a Palo firewall you do not have to build AE-based v-wire. Just create several "single-legged" v-wires. In such configuration Palo will pass-through LACP control frames and thus the new firewall will be completeley transparent to the internet switches and the ASR, and thus you won't have to change anything on them. 

You also need to make sure you specify tags of all VLANs that you want to allow on that link. By default you have only 0 that means only untagged traffic (all tagged frames will be dropped).

Thank you Nikolay!


I will certainely give that a try and let you know how it goes. 



Yes, please - post the outcome here. vwire deployments are always a good fun

  • 3 replies
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!