DIPP A/A Enviroment Floating IP

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

DIPP A/A Enviroment Floating IP

L1 Bithead

Hi Guys,

 

we´ve an Active/active Cluster enviroment. For the normal Internetconnection we will use Source/Hide NAT (DIPP).

At the moment we will NAT on both firewalls the traffic through the interface IP. This works fine, the failover is

ok only one paket lost during failover. The proble is, that in the case of an failover the Users will access the webservers with an other IP-Adress. Now, the Users are using services which recognize that and they will clothe the session.

So, we decide us to use a floating IP for NAT. So far so good. We´ve configure two identical NAT policies and

bind onde to device 0 and one to device 1. In a normal situation it works and I can see the NAT policy on the firewall
if I make tshoot via CLI. But in a failover condition (I´ve reboot the primary device). The connection is broken and
I can´t see any NAT entry on the second firewall. What we´ve done wrong. I´ve found this config example in a PAN document.
Any other Idea, how we can realizied our main goal (one IP toe the outside)?

 

Just for information. On the inside network, we also use floating IP to access the firewall.

So all clients have only the floating IP as a default gateway.....

 

I hope that someone have an idea.....

 

BR M

3 REPLIES 3

L3 Networker

Hi Mate, 

 

Cool article at the link below talks about this. 

 

Also mentions some limitations with what you are trying to achieve. 

 

Mainly 'You cannot configure NAT for a floating IP address that is bound to an active-primary firewall'

 

https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/high-availability/use-case-configure...

 

Best regards, 

 

Robert d 

Cyber Elite
Cyber Elite

Hi

 

Is there a specific reason you configured your cluster as Active/Active?

There's only a few scenarios where A/A would be beneficial and these are when asymmetric traffic is expected or when dynamic routing needs active peers for fast failover

if neither is the case, your config can be dramatically simplified at no cost of failover times and with increase in firewall throughput (as no portion of the resources need to be dedicated to the A/A communication between both peers)

 

in A/P you can simply configure NAT rules that will travel along with the Active peer and all the interface IP addresses will also follow (gratuitous ARP)

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Hi,

 

we have special VPN´s for panorama connection and don´t use the MGMT Ports for that.

So, we can´t monitor the secondary firewall and have some more restrictions.

And of course, one of them is dynamic routing (OSPF) and VPN´s.

 

I know the article from the admin guide, but in this example, they use two floating
IP´s (one on every firewall), so we´ve the problem, that we use two different IP´s

when we go to outside.

 

One other solution, what we´ve found in an other article, use two identicle NAT entries,

without a floating IP. The problem with that solution is the duplicate IP error on the WAN Network.....

 

 

  • 2212 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!