HA Active Active Asynchronous Routing Issue

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

HA Active Active Asynchronous Routing Issue

L1 Bithead
Have two PA vm 1000hv setup in active active HA. They see each other on HA 1,2, and 3 link and synching configs (not vr configs). We have an asynchronous routing scenario that is temporary for now, but need it to work. However, the FWs appear to be dropping traffic. I haven't looked at the counters to indicate dropped asynchronous traffic yet, but it's obvious that it's happening as when we stop the loop on routing, we can hit hosts. Anyway, I was wondering if there were known issues with Active Active HA with this type of behavior? Thanks
3 REPLIES 3

L7 Applicator

With A/A you can have assymetrical flows.  But they do need to maintain the zone relationship that match the session for the flow.  So make sure the policy that permits the traffic has the zone to zone setup needed for the communication across the two devices.

 

Easiest way to troubleshoot this kind of flow is to do the trace route from both devices and then map the interfaces hit by the packets in the flow on the two PA devices.  Then lookup the zone assignments and confirm the policy is in place in the correct direction by initiator of the traffic.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

Thanks for the response. 

 

We have all interfaces in the same zone and have a policy to permit any any (testing right now). I did move interfaces around in different zones, making sure both FW's matched. We still had the same results.

Doing a show counters global, I didn't see any hits on the stat: flow_tcp_non_syn_drop. Reading up, and appears that would be an indication of the FWs dropping traffic due to asynchronous routing. However, I did notice these two stats get hit constantly (only traffic going through these guys is protocol traffic (BGP) and pings:

flow_rcv_dot1q_tag_err
flow_no_interface

 

Been playing aroudnd with subinterfaces and what not, and still no go. Everything works as is, but when I introduce asynchronous routing, routes to an opposing side break. 

Are you certain that both directions of the flow cross the A/A firewall pair?

 

Based on your description, there should be no asymmetrical flow drops on the firewall.  Unless there is a path that can bypass BOTH firewalls in the commuications flow in question.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center
  • 4334 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!