IP confilicting error

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

IP confilicting error

L1 Bithead
Hi We have configured HA pair on our two PA-VM200 Palo alto firewall. Now IP address of my interfaces eth1/1 (inside 10.1.1.1) and eth1/2 ( out side 10.1.1.2) are showing same as primary 10.1.1.1 on both firewalls and I am getting IP confilicting error. Any idea ? Regards,
4 REPLIES 4

L5 Sessionator
 

Cyber Elite
Cyber Elite

Are you running as active-passive or active-active

Cyber Elite
Cyber Elite

Hi Mohammed

 

This could be normal behavior until you complete the configuration

 

In an ActivePassive configuration (the only option available to VM series) the IP addresses used on the interfaces are shared between the two HA peers, so upon config sync the ip's should be made identical on all interfaces.

They calculate a virtual MAC address and depending on their stance (active or passive) will respond to arp requests and process traffic etc

 

to coordinate these actions, they need to be aware of eachother and how 'helathy' the other member is. if the HA configuration has not been completed, one member may not be able to see the other member yet. if the HA configuration was completed, but this issue still exists, they may not be able to 'see' eachother and coordinate HA operations

in the case where they are not able to communicate, both sides may believe the other side is down and will assume an active role  (we call this a split brain)

 

to resolve this you should try to figure out if the config has been committed properly and the config is identical on both sides:

  • is the group ID identical
  • is tha HA1 ip subnet configured properly
  • is the peer ha1 IP correct on both sides
  • are both sides running the same PAN-OS

on the dashboard you can open the HighAvailability widget that may help you see more clearly what could be the problem

 

2015-10-23_16-46-42.png

 

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Thanks, The issue were resolved by enabling/disabling HA on Primary and secondary. The firewall is V-200 and both HA1 and HA2 ( session sync) are configured, I am not sure this will do stateful failover or not. According to PA documentation, VM series does not support stateful failover, but when you configure HA , it will not let you complete until you configure HA2 ( session Sync ) as well. Regards,
  • 2457 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!