HA path monitoring in virtual wire


I've seen a couple of answers here about using Path Monitoring in Virtual Wire. They say that one must use an IP address within the Virtual Wire subnet as the source address. OK, I get that. What I don't get is how to configure such an address. I don't see a way to add an address to a vwire interface. I've tried creating a loopback with no good result. Also gave vlan a shot, but that didn't look promising either. Thanks for any help.


As I described in this post

https://live.paloaltonetworks.com/thread/7403

I've got this release installed, got subinterfaces configured and assigned them to different zones, but traffic doesn't flow if the main interface isn't assigned to a zone as well. When it is, the subinterfaces inherit this assignment from the main interface, and even though they're in a different one, I see in the logs that traffic comes from the main zone. So I can't make different policies per subinterface.

Thanks for sharing your experience :)

I think we should end this topic because gmparis will be angry about all the notifications he receives

regards
Przemek

I had asked permission from to use his thread so I hope he won't mind :). Anyways, I have submitted the change request to get the new config tested. If I get approval then I will get the config tested over the weekend. I will let you know the outcome.

- FYI

I successfully tested the new configuration and managed to configure path monitoring using additional link (L3) on PAN.

- Connected additional interface from PAN to the internal switch

- Configured L3 interface as part of the internal switch

- Configured new zone and virtual router

- Configured new L3 interface as part of new zone and virtual router. This is mainly to keep the ha monitor link separate. I called it ha-monitor

- Configured Juniper firewalls with separate manage-ip for the untrust interface

- Configured Path Monitoring -> Virtual Router and the monitored destination as the untrust manage-ip of the firewall

- Each PAN was configured to poll a different manage-ip of the connected Juniper firewalls

- Removed "Preempt" from HA (Thank you very much for the suggestion :))

Failover and failback worked fine as expected and were tested by shutting down the firewall untrust port connected to the external switch. The separate manage-ip on the Juniper firewalls and removing preempt made it work :). Now I have link monitoring and path monitoring configured for our environment.
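The dedicated L3 monitor-link setup from the steps above, written out as PAN-OS CLI set commands; this is an added example, not the poster's configuration. The interface ethernet1/5, the zone and virtual router name ha-monitor and the 192.0.2.0/24 addresses are assumed placeholders, the `#` lines are annotations rather than CLI input, and the exact command syntax should be checked against the PAN-OS version in use.

```text
# Added example, not from the thread: configure-mode commands for an L3
# "ha-monitor" link used only for HA path monitoring, kept out of the vwire.

# 1. Dedicated L3 interface on the extra port cabled to the internal switch
set network interface ethernet ethernet1/5 layer3 ip 192.0.2.1/24

# 2. Separate zone and virtual router so the monitor traffic never shares
#    a zone or routing table with the vwire data path
set zone ha-monitor network layer3 ethernet1/5
set network virtual-router ha-monitor interface ethernet1/5

# 3. Path monitoring through that virtual router towards the Juniper
#    untrust manage-ip. This unit polls 192.0.2.10; the HA peer is given
#    the other firewall's manage-ip (e.g. 192.0.2.11) so each PAN tests a
#    different next hop.
set deviceconfig high-availability group monitoring path-monitoring enabled yes
set deviceconfig high-availability group monitoring path-monitoring failure-condition any
set deviceconfig high-availability group monitoring path-monitoring path-group virtual-router ha-monitor enabled yes
set deviceconfig high-availability group monitoring path-monitoring path-group virtual-router ha-monitor failure-condition any
set deviceconfig high-availability group monitoring path-monitoring path-group virtual-router ha-monitor destination-ip 192.0.2.10

# 4. Preempt off, so the unit that failed does not take the active role
#    back the moment the monitored path recovers (avoids flapping)
set deviceconfig high-availability group election-option preemptive no

commit
```

After committing, check the monitor state with `show high-availability state` and `show high-availability path-monitoring` before testing failover by shutting the untrust port as described in the post.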

Hi, I have an installation similar to your scheme and I use a PA-3020 under ASAs in A/A with 4 vwires. An Active/Active configuration and full state sync allow you to forget which ASA is active passing traffic.

hi,

thx for update

nice to hear it worked.

I decided to go to an L2 deployment because in vwire mode the passive unit doesn't pass traffic at all, so in my case (Cisco ASA) hello packets did not flow and failover on the ASA was a bit problematic. However, L2 with VLAN retagging works like a charm; what is more, when the ASAs switch over it doesn't trigger the PAN to fail over, so I see an additional benefit in it :)

As NGS said, active/active would probably solve all our issues, but this is something I want to avoid because the guys from Palo Alto suggested not going into A/A :)

regards
