This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Cookie Policy. Click Preferences to customize your cookie settings.
HA path monitoring in virtual wire
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- LIVEcommunity
- Discussions
- General Topics
- HA path monitoring in virtual wire
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Printer Friendly Page
HA path monitoring in virtual wire
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
04-07-2013 04:05 PM
I've seen a couple answers here about using Path Monitoring in Virtual Wire. They say that one must use an IP address within the Virtual Wire subnet as the source address. OK, I get that. What I don't get is how to configure such an address. I don't see a way to add an address to a vwire interface. I've tried creating a loopback with no good result. Also gave vlan a shot, but that didn't look promising either. Thanks for any help.
Labels:
- Labels:
-
Configuration
-
Networking
-
Set Up
22 REPLIES 22
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
04-22-2013 03:22 AM
They are always a little bit conservative with A/A design but I have a couple of big installation with A7A without specific issues. Also PA-3020 with PANOS 5.04 rulez in traffic response and commit time.
Regards
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
04-22-2013 11:48 AM
I'm wondering why you used the manage-ip for the path monitoring instead of the NSRP IP. I have similar configurations here, both NSRP and VRRP, and my concern is that the shared address -- which is what the traffic cares about -- can be unreachable, even though the manage/local IP is reachable. This comes about because we generally have two layer-2 devices involved. This may not be your configuration, but still, I wonder if you are accomplishing what you want with this configuration.
Of course, I'm chiming in on this only because I'm getting all the updates to this thread. 🙂
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
04-23-2013 09:01 AM
- Yes you may not see the issue with A/A firewall since both the firewalls will be passing traffic at a time. With Active/Passive you have to make sure that all connected devices in the path are passing traffic. Personally I am reluctant in configuring A/A model and I have never done that. A/A has its configuration complications. A careful configuration is needed. Since I was working on established A/P configuration and changing to A/A would need complete re-engineering.
- Technically I can use the NSRP ip however the issue with NSRP ip is that it becomes reachable for the failed firewall once the second firewall becomes Active. I have similar scenario as posted by where the ASA or Juniper firewall is egress/default route. The failed firewall can reach the NSRP ip via internal switch -> second PAN -> Juniper NSRP. Though this problem can be avoided by disabling Preemptive option as suggested by . I still wanted to make sure the PAN polls the correct interface for failure detection. Once the interface is UP, manage-ip too is UP. The manage-ip is available irrespective of the state of the firewall. Since Juniper provides the feature of configuring manage ip for interface, I decided to use it. PAN is already taking care of connected devices failure detection using link monitoring (Juniper firewall trust and internal switch). I wanted to something to monitor untrust side of Juniper firewall as that is the ultimate point for traffic egress/ingress.
Related Content
- Which VM-Series deployment model within vSphere allows for firewall insertion into an existing network and will also require additional VLANs for each in VM-Series in the Public Cloud
- PSE software firewall associate in General Topics
- Palo Alto in Virtual wire vs TAP mode. in Next-Generation Firewall Discussions
- Palo Alto Dual ISP, ECMP enables the external interfaces and enables IPSEC VPN tunnels in General Topics
- HA - Path-monitoring - VLAN-TAG-Vwire environment in General Topics
Like what you see?
Show your appreciation!
Click Like if a post is helpful to you or if you just want to show your support.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
LEGAL NOTICES
Copyright 2007 - 2023 - Palo Alto Networks