HA for interface pair as a DHCP client


L1 Bithead

I have a pair of VM-50 as an HA pair. When the primary firewall fails, the IP is moved to the new active node but the MAC address changes, and the ISP cable modem most likely does not accept this. The only resolution is to release and renew the DHCP address, which is obviously not a workable solution for an automatic failover.

Any ideas?


Cyber Elite

When you add firewalls to HA, the MAC address is generated based on the group ID in the HA settings.

So both the IP and the MAC are moved over between firewalls in HA.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

Thanks for the response. The MAC address is not migrating over when there is a failover. See below. This is in an ESXi environment.

Name: ethernet1/1, ID: 16
Link status:
Runtime link speed/duplex/state: 10000/full/up
Configured link speed/duplex/state: auto/auto/auto
MAC address:
Port MAC address 00:0c:29:34:b8:61 <<<<<<<<< Before failover
Operation mode: layer3
Untagged sub-interface support: no
--------------------------------------------------------------------------------
Name: ethernet1/1, ID: 16
Operation mode: layer3
Virtual router DEFVRF
Interface MTU 1500
Interface IP address (dynamic): XX.YY.175.22/32

admin@PA1(active)> request high-availability state suspend

Successfully changed HA state to suspended
admin@PA1(suspended)>

admin@PA1(suspended)> show interface ethernet1/1

--------------------------------------------------------------------------------
Name: ethernet1/1, ID: 16
Link status:
Runtime link speed/duplex/state: unknown/unknown/down
Configured link speed/duplex/state: auto/auto/auto
MAC address:
Port MAC address 00:0c:29:34:b8:61
Operation mode: layer3
Untagged sub-interface support: no
--------------------------------------------------------------------------------
Name: ethernet1/1, ID: 16
Operation mode: layer3
Virtual router DEFVRF
Interface MTU 1500
Interface IP address (dynamic): XX.YY.175.22/32 <<<<<<<<< After failover
Interface management profile: PING
ping: yes telnet: no ssh: no http: no https: no
snmp: no response-pages: no userid-service: no
Service configured:
Zone: Untrust, virtual system: vsys1
Adjust TCP MSS: no
Policing: no
admin@PA1(suspended)> request high-availability state functional

Successfully changed HA state to functional
admin@PA1(initial)>

Here is the other VM, which became active with its own VMware MAC:

admin@PA-VM(active)> show interface ethernet1/1

--------------------------------------------------------------------------------
Name: ethernet1/1, ID: 16
Link status:
Runtime link speed/duplex/state: unknown/unknown/down
Configured link speed/duplex/state: auto/auto/auto
MAC address:
Port MAC address 00:50:56:92:19:11 <<<<<<< OTHER SIDE MAC
Operation mode: layer3
Untagged sub-interface support: no
--------------------------------------------------------------------------------
Name: ethernet1/1, ID: 16
Operation mode: layer3
Virtual router DEFVRF
Interface MTU 1500
Interface IP address (dynamic): XX.YY.175.22/32  <<<<<<< OTHER side Has the same IP
Interface management profile: PING
ping: yes telnet: no ssh: no http: no https: no
snmp: no response-pages: no userid-service: no
Service configured:
Zone: Untrust, virtual system: vsys1
Adjust TCP MSS: no
Policing: no
admin@PA-VM(active)>
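As an added illustration (not part of the thread), the check below parses two `show interface ethernet1/1` pastes like the ones above and reports whether the WAN IP moved without its MAC, which is the situation that leaves the cable modem's DHCP lease bound to the old address. The sample output is constructed with a documentation-range IP; the OUI prefixes used to classify a MAC as hypervisor-assigned (VMware 00:0c:29 and 00:50:56) or HA virtual (Palo Alto Networks 00:1b:17) are public vendor assignments.

```python
import re

# Constructed sample: abbreviated 'show interface ethernet1/1' output from the
# two HA nodes, in the same shape as the CLI paste in the thread.
BEFORE_FAILOVER = """\
Name: ethernet1/1, ID: 16
MAC address:
Port MAC address 00:0c:29:34:b8:61
Interface IP address (dynamic): 203.0.113.22/32
"""
AFTER_FAILOVER = """\
Name: ethernet1/1, ID: 16
MAC address:
Port MAC address 00:50:56:92:19:11
Interface IP address (dynamic): 203.0.113.22/32
"""

# OUI prefixes (first three octets) that tell us who assigned the MAC.
VMWARE_OUIS = {"00:0c:29", "00:50:56"}   # ESXi-generated vNIC addresses
PAN_OUI = "00:1b:17"                      # Palo Alto Networks HA virtual MAC

def parse_show_interface(text):
    """Pull the port MAC and the dynamic IP out of 'show interface' output."""
    mac = re.search(r"Port MAC address\s+([0-9a-f:]{17})", text, re.I)
    ip = re.search(r"Interface IP address \(dynamic\):\s+(\S+)", text)
    if not mac or not ip:
        raise ValueError("unexpected show interface output")
    return {"mac": mac.group(1).lower(), "ip": ip.group(1)}

def mac_origin(mac):
    """Classify a MAC by its OUI: HA virtual, hypervisor-assigned, or unknown."""
    oui = mac[:8]
    if oui == PAN_OUI:
        return "ha-virtual"
    if oui in VMWARE_OUIS:
        return "hypervisor"
    return "unknown"

def check_failover(before_text, after_text):
    """Compare pre- and post-failover output: does the MAC float with the IP?"""
    before = parse_show_interface(before_text)
    after = parse_show_interface(after_text)
    mac_floats = before["mac"] == after["mac"]
    ip_floats = before["ip"] == after["ip"]
    return {
        "mac_floats": mac_floats,
        "ip_floats": ip_floats,
        "before_origin": mac_origin(before["mac"]),
        "after_origin": mac_origin(after["mac"]),
        # The ISP's DHCP lease is bound to the MAC; an IP that moves while
        # the MAC changes is exactly the stale-lease case in this thread.
        "dhcp_lease_at_risk": ip_floats and not mac_floats,
    }
```

Running it against the two pastes above flags both nodes as using hypervisor-assigned MACs, which is why the IP arrives on the new active node with a MAC the modem has never leased to.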

One option would be to disable "Use Hypervisor Assigned MAC Address".

After that, try whether you can manually assign the same HA-generated MAC address (which then floats between firewalls) to both virtual machine NIC cards in VMware; the other option is to turn the WAN virtual switch into promiscuous mode.

The issue with promiscuous mode is that the switch starts acting as a hub and every vNIC connected to that virtual switch will receive every single packet.

It would not be a problem if you only have the ISP and the two Palo WAN interfaces there.

https://www.paloaltonetworks.com/documentation/80/virtualization/virtualization/about-the-vm-series-...


Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011