ha_nat_policy_mismatch counter

Reply
Highlighted
L0 Member

ha_nat_policy_mismatch counter

Hi Everyone,

 

What exactly does the below counter indicate and what would trigger it? 

ha_nat_policy_mismatch

ha_nat_policy_mismatch.png

I have added L3 interfaces to an existing A/A HA cluster that uses vwire interfaces in an asymmetrical traffic environment. The traffic on those vwire interfaces are being handled correctly by the A/A. The new L3 interfaces are setup in a separate vsys from the vwire ones.

 

On these new L3 interfaces I have a destination NAT setup using an ARP based Virtual IP as recommended by the PA documentation. My 3way handshake when trying to access the resource via the NAT is not completing. Packet captures show that asymmetry is happening here but in my mind it should not be an issue as it seems to work fine for the vwires. The captures shows that the SYN from the client is passing through Device 1 without getting dropped. The return SYN/ACK from the server is hitting Device 0 and gets dropped. I have tried to add a zone protection profile to prevent the drop but it is not helping. 

 

If I look at the counters while trying to access my NATted resource, the only drop counter that is incrementing is ha_nat_policy_mismatch. What exactly is this counter telling me? I cant find any documentation on what this means. I'm hoping that understanding this counter will point me to where my fault is.

 

If I change the ARP based VIP to a floating IP type one bound to device 0 then the problem goes away since the flow is no longer asymmetrical. I am however worried that the problem could return if a link failure causes the floating IP to move the D1 which would again cause an asymmetrical flow.

 

I used the following documentation to setup the VIP and NAT. The A/A HA part was already configured on this cluster by a previous engineer. Some of his settings look slightly different to me but unfortunately I'm not allowed to just mess with those settings as this could affect the existing traffic on the other vwires.

https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/high-availability/set-up-activeactive-ha/d...

Highlighted
Community Team Member

Re: ha_nat_policy_mismatch counter

I looked, and normally  an increase of 'ha_nat_policy_mismatch' counter indicates that NAT sessions not synchronized to passive device.

Stay Secure,
Joe
End of line
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!