Hi Everyone,
What exactly does the below counter indicate and what would trigger it?
ha_nat_policy_mismatch
I have added L3 interfaces to an existing A/A HA cluster that uses vwire interfaces in an asymmetrical traffic environment. The traffic on those vwire interfaces are being handled correctly by the A/A. The new L3 interfaces are setup in a separate vsys from the vwire ones.
On these new L3 interfaces I have a destination NAT setup using an ARP based Virtual IP as recommended by the PA documentation. My 3way handshake when trying to access the resource via the NAT is not completing. Packet captures show that asymmetry is happening here but in my mind it should not be an issue as it seems to work fine for the vwires. The captures shows that the SYN from the client is passing through Device 1 without getting dropped. The return SYN/ACK from the server is hitting Device 0 and gets dropped. I have tried to add a zone protection profile to prevent the drop but it is not helping.
If I look at the counters while trying to access my NATted resource, the only drop counter that is incrementing is ha_nat_policy_mismatch. What exactly is this counter telling me? I cant find any documentation on what this means. I'm hoping that understanding this counter will point me to where my fault is.
If I change the ARP based VIP to a floating IP type one bound to device 0 then the problem goes away since the flow is no longer asymmetrical. I am however worried that the problem could return if a link failure causes the floating IP to move the D1 which would again cause an asymmetrical flow.
I used the following documentation to setup the VIP and NAT. The A/A HA part was already configured on this cluster by a previous engineer. Some of his settings look slightly different to me but unfortunately I'm not allowed to just mess with those settings as this could affect the existing traffic on the other vwires.
