We have the setup as shown below,
In this scenario, the Layer 2 switch (2960) is showing the MAC address of the Exchange server learnt through the switch interface Gi 0/1, which connects to the PAN firewall in V-wire mode to an ASA.
We connected the PA directly to the Core switch and made a static MAC address entry in the switch for the port where the Exchange server is connected. Now it is working.
But we need a permanent fix, and the reason why Palo Alto is doing this? :( We have more info after the below snap.
Troubleshooting an issue seen with connectivity to Exchange server cluster IP 172.16.12.190 from any of the remote locations. When the issue occurred, we could notice that the Layer 2 switch was showing the MAC of the end host learnt through the switch interface Gi 0/1, which connects to the PAN firewall in V-wire mode to an ASA. Though the traffic path for reaching this server does not involve the PAN V-Wire, when the issue occurred the flow shows at the receive stage in the PAN packet capture and traffic logs. The issue is not seen when the PAN V-wire is removed from the connectivity.
Are you sure that traffic is not passing through the PA firewall? Remove the static MAC entry and do a traceroute check. Is the traffic from the Exchange server going to the remote sites (left side)?
This is extremely odd as we have tested this exact configuration without the issues you are having. A few questions:
1) What version of PAN-OS are you running?
2) Are there any NAT translations for the Exchange server configured in the ASA?
3) Do you have any NAT rules for the Exchange server on the Palo Alto (assuming no, as it's in VWire mode)?
4) Do you have any security policies configured on the Palo Alto?
I have seen some issues with 7.0.2 and 7.0.3 where if you have configured multiple Palo Alto virtual routers on the same vsys with ports connected to the same network (say Internet) advertise MAC addresses on the wrong interface (NAT), but this is all layer 3. I have never seen something like this in VWire.
I would check your STP, make sure that your Core is set up as the root bridge, validate your VTP (if you use it), and check layer 2. I would also make sure you're in VWire mode and not Layer 2 mode on the Palo Alto. As a test I would also allow all VLANs (0-4096) on the VWire.
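The layer 2 check suggested above comes down to comparing where the switch has learnt a critical host's MAC against the port it should be on, and watching whether that entry moves between snapshots. The script below is an added example, not code from the thread or from Palo Alto or Cisco: it parses constructed `show mac address-table` output from a Cisco IOS switch and flags the Exchange server MAC when it is learnt on the firewall-facing port instead of the server port. All MAC addresses, VLAN numbers and interface names in it are assumed sample values.

```python
"""Flag critical-host MAC addresses learnt on an unexpected switch port.

Added example for the thread above (not the poster's or vendor's code). Parses
Cisco IOS `show mac address-table` output, compares critical hosts against the
port they are expected on, and reports MAC moves between two snapshots.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: what the 2960 might print while the problem is present.
# The Exchange MAC (assumed value) shows up on Gi0/1, the port towards the PA/ASA.
SNAPSHOT_PROBLEM = """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  12    0011.2233.4455    DYNAMIC     Gi0/1
  12    0011.2233.9999    DYNAMIC     Gi0/24
  12    00aa.bbcc.ddee    STATIC      Gi0/12
Total Mac Addresses for this criterion: 3
"""

# Constructed sample taken after the V-wire was removed: the MAC is back on Gi0/24.
SNAPSHOT_HEALTHY = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  12    0011.2233.4455    DYNAMIC     Gi0/24
  12    0011.2233.9999    DYNAMIC     Gi0/24
  12    00aa.bbcc.ddee    STATIC      Gi0/12
"""

# Critical hosts and the port each should be learnt on (assumed values).
EXPECTED_PORTS: Dict[str, str] = {
    "0011.2233.4455": "Gi0/24",  # Exchange cluster NIC, expected on the server port
}

# One data row: VLAN, dotted-hex MAC, type (DYNAMIC/STATIC), port. Header and
# footer lines do not start with a VLAN number, so they never match.
_ROW = re.compile(
    r"^\s*(\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\w+)\s+(\S+)\s*$", re.I
)


def parse_mac_table(text: str) -> List[Tuple[int, str, str, str]]:
    """Return (vlan, mac, type, port) for every data row in the command output."""
    rows = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:
            rows.append((int(m.group(1)), m.group(2).lower(), m.group(3).upper(), m.group(4)))
    return rows


def find_misplaced_macs(text: str, expected: Dict[str, str]) -> List[dict]:
    """List critical MACs whose learnt port differs from the expected port."""
    findings = []
    for vlan, mac, mtype, port in parse_mac_table(text):
        want = expected.get(mac)
        if want is not None and port != want:
            findings.append(
                {"vlan": vlan, "mac": mac, "type": mtype, "learned_on": port, "expected": want}
            )
    return findings


def mac_moves(before: str, after: str) -> List[Tuple[str, str, str]]:
    """Return (mac, old_port, new_port) for MACs present in both snapshots that changed port."""
    a = {mac: port for _, mac, _, port in parse_mac_table(before)}
    b = {mac: port for _, mac, _, port in parse_mac_table(after)}
    return sorted((mac, a[mac], b[mac]) for mac in a.keys() & b.keys() if a[mac] != b[mac])


if __name__ == "__main__":
    for f in find_misplaced_macs(SNAPSHOT_PROBLEM, EXPECTED_PORTS):
        print(f"VLAN {f['vlan']}: {f['mac']} learnt on {f['learned_on']}, expected {f['expected']}")
    for mac, old, new in mac_moves(SNAPSHOT_PROBLEM, SNAPSHOT_HEALTHY):
        print(f"{mac} moved {old} -> {new}")
```

Run it against real output pasted into the two snapshot strings (taken a few seconds apart while the issue is present) to see whether the Exchange MAC flaps between the server port and the V-wire-facing port, which is the symptom the thread describes; a MAC that only ever appears on the wrong port points at a forwarding path through the PA rather than a transient loop.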