- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
Enhanced Security Measures in Place: To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.
06-21-2024 03:43 AM
I've been trying to track this issue down for a month or so now and haven't had a lot of luck with any of the permutations in my vmware environment.
I am running two 11.0.4-h2 PA-VMs in Active/Active mode. I'm using floating gateways and all is running pretty cleanly. All my HA interfaces are in a single VLAN and connected to a switch that is forwarding jumbo frames without issue. What is throwing me is some of the global errors I'm still seeing in such a high volume. I was hoping that someone could help me shed some light on these. Namely that ha_aa_pkfwd_err_decap one seems pretty elusive when it comes to reading forums and the manuals. I have a working theory that MAC-in-MAC is getting compromised by my vmware configuration (either mac rewrites or some other vm wizardry). Packet captures show the mac of the adjacent respective firewalls so that looks good on the surface and when I decode the 0x7261 packets I am showing the macs of some things. I'm digging in on that a bit now as I write this but I haven't made the link yet. In any case, if anyone has any thoughts on how my HA interfaces in vmware should be configured to allow my PA-VMs to decrypt the MinM traffic, I'd be forever grateful.
Campbell
ha_aa_pktfwd_err_decap 642110 6497 drop ha aa Active/Active: packet-forwarding decap error
flow_ingress_ifp_lookup_invalid_mode 84584 855 drop flow parse Packets dropped: invalid port mode
flow_ingress_ifp_lookup_ifmap_fail 936356 9475 drop flow parse Packets dropped: unable to lookup main interface
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!