Enhanced Security Measures in Place: To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.
10-01-2021 04:22 AM - edited 10-01-2021 04:29 AM
Hello everyone, I am newbies for PA-850
As we placed them into two difference Geo location (e.g DC1 and DC2) and we running A/A, cisco Nexus as core
we have separated all
HA1 / mgmt / HA2 / HA2 backup
in to DIFFERENCE SUBNET and broadcast domain, and we using mgmt as HA1 backup
HA3 configured as FLAT vlan across both sites with no choice
and the problem is we found HA1 is down, we tired
ASSUMED my SUBNET for HA1 configuration issue ---- I do have a good ping from DC1 and DC2 gateway IP
ASSUMED my SUBNET for HA1 configuration issue ---- shared the same Subnet we created with HA2 - NOT WORK
ASSUMED my HA1 interface goes wrong --- we tested we can ping from the GATEWAY IP address - but able to ping form other not others interfaces in the same router
ASSUMED the HA1 and HA1 peer configuration -- I have already swap mgmt as HA Peer and Dedicated HA1 for BACK UP Peer - NOT WORK
ASSUMED my current set of Paloalto goes wrong --- I have open another pair of PA820 - configured and found the same problem - NOT WORK
ASSUMED the HA1 running something very special ethernet packet the WAN link do not like it, ---- I have setup both HA1 in SAME SUBNET (same broad cast domain) between both sites, --- IT WORKS but this is not ideal , since we do not want to have much FLAT vlan across 2 locations
ASSUMED HA1 cannot running on a layer 3 domain --- HOWEVER, the same H/W S/W topology deployed in other office , and only difference is the core is Catalyst but not nexus (of course the WAN link provider are difference)
also for our WAN link providers claimed they are using DWDM and no any MAC blocking in between
We have ticketed to Palo for 2 mths but no any actual test we have,
any expert in this room can help to enlighten me what I can move on next?
10-06-2021 08:06 AM
Hello guys,
I will mark this one as solution although this is not perfect and official answer paloalto...
I have tried to make use one of the FREE COPPER DATA PLANE port as HA, and setup the HA1 on that (instead of using dedicated HA1)
and by reusing all the SAME CABLE / NETWORK PORT / VLAN / SUBNET / ROUTING INSTANCE
and the HA1 magically UP,
I cannot concluded this is s/w (since I have another same S/W 10.0.6 and with same model PA-850) running layer 3 over the dedicated HA1 and no issue,
The only thing I can blame may be the on board H/W bug vs network card driver? looking forward of paloalto will be address this issue in upcoming software version
10-02-2021 09:29 AM
So, I may not be much help, because we would not recommend to separate the 2 FWs into 2 DCs. I understand why you did it, but it is the interconnecting devices and NOT the firewall that is the issue. You confirmed it, when you put both HA1 into the same network (this is exactly how it supposed to be configured.. 2 IPs with a /30 mask, no default gateway.
Respectfully, there isn't a configuration on the FW that will the way these 2 FWs need to talk. You may need to consider your design again.
10-02-2021 10:27 PM
As @S.Cantwell mentioned you aren't really running a recommended configuration. PAN doesn't recommend that you run HA interfaces through routed connections, and if your set on locating these in different DCs I'd really recommend you simply setup dedicated VLANs and pass it through directly instead of attempting to route the connection. There's too many variables in attempting to route these connections for us, or TAC, to really be much help with this.
10-05-2021 02:07 AM
thank Steve
not recommended and not work is 2 difference level of consideration , in the real world there has a factor call budget 🙂 , can you showing me if any black and white that HA1 cannot be route, if we need to have a layer 2 across 2 sites, that's 12 switches need to create additional vlan.
10-05-2021 02:09 AM
I think the problem is we do not want to setup layer 2 everywhere as a networker , we do not want a huge broadcast domain if we can avoid,
so I just want to know if this is CAN or CANNOT.
I see that CANNOT - so is that CANNOT work as plan or just a bug no one aware..
10-05-2021 07:39 AM
@vitol-pkf I am on your side. It yes... the product WILL work across a routed network, however it is not recommended. 😛
We in the community, are providing multi years worth of combined experience and guidance; collectively, there is a large amount knowledge on the PANW FW.
The issue does not appear to originate from the PANW FWs, but the interconnection or networking that is creating the issue.
As I mentioned.. when all traffic was in the same network, it work fine, so our packets were transmitted/received appropriately.
When there are other devices inline, then the change in the network is just that... changes on network hardware, outside of the scope.
You asked for suggestions and we have provided them to you.
You are more than welcome to contact the TAC via web ticket for official assistance.
Thank you for contacting the Live Community. We truly wish that you are able to resolve this, and please let us know what you find, so that we can better community support the PANW line of solutions.
10-05-2021 08:27 AM
10-06-2021 08:06 AM
Hello guys,
I will mark this one as solution although this is not perfect and official answer paloalto...
I have tried to make use one of the FREE COPPER DATA PLANE port as HA, and setup the HA1 on that (instead of using dedicated HA1)
and by reusing all the SAME CABLE / NETWORK PORT / VLAN / SUBNET / ROUTING INSTANCE
and the HA1 magically UP,
I cannot concluded this is s/w (since I have another same S/W 10.0.6 and with same model PA-850) running layer 3 over the dedicated HA1 and no issue,
The only thing I can blame may be the on board H/W bug vs network card driver? looking forward of paloalto will be address this issue in upcoming software version
03-08-2022 08:34 AM
Hi,
PAN doesn't recommend that you run HA interfaces through routed connections ?
Then why do they offer the "Default Gateway" setting?
By definition, that means a routed network, and so this thread is containing some very unhelpful answers to the OP.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
