Newbie question on polices

Alex_Samad · ‎05-08-2017

Hi

Got to test pa-3060's got them setup in HA active active mode.

I have a LACP trunk setup with 2 vlans of it.

vlan 213 - zone trusted

vlan 215 - zone dev

i have ospf and ip addresses assigned and working on the 213 side of things. so I can ping it from the rest of my network.

vlan213 gets DGW from OSPF.

I have .2 and a .3 address assigned to pa1 and pa2 on vlan215 interface and a virtual - failover ip address setup on vlan215

I have a policy that allow ping from a list of ip addresses - basically my internal network addresses to any where and from / to any zone.

and I have the 2 default policies.

from boxes that I can ping vlan213. I can't ping to any of the vlan215 addresses .1 or .2 or .3

if I change the zone of vlan215 to the same zone as 213 then it works ???

What have I done wrong with my policy

reaper · ‎05-10-2017

yes (make sure HA3 is either directly connected or the transport medium supports jumbo frames)

if the syn packet is passed over PA1 and the ack packet is received by PA2, PA2 will send the ack to PA1 for inspection, PA1 will build the session and perform any other actions (nat, content inspection, AppID, ....) and then pass the packet back to PA2 which will put it on the network (asymmetry is maintained)

session owner and session setup device depend on your active-active configuration: (it may _always_ be PA1, or use a modulo, or be the device that sees the first packet)

if one member dies, all session responsabilities will go to the remaining member. a state table containing _all_ sessions (pa1 +pa2) is constantly maintained by both, only the 'processing' responsabilities are shifted depending on how you configure the above section

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

View solution in original post

reaper · ‎05-11-2017

VR sync is to sync the runtime state between the VRs.

Depending on your environment it may be useful to sync (if both peers need the same next hops etc.), or if your members both participate in ospf/bgp as unique members, you'll not want to sync

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

View solution in original post

Alex_Samad · ‎05-09-2017

Hi

I have left it to settle for a while now and the .2 and .3 are pingable !!!

but .1 with is the active / active virtual ip it keep failing ... its setup as a arp load balance,

BPry · ‎05-09-2017

@Alex_Samad,

Just out of curiosity was it a recommended design to go with active/active on your particular setup?

reaper · ‎05-09-2017

Hi and welcome to Palo Alto Networks!

now go ahead and set your cluster to active-passive 😉

The active-active configuration is really only useful if you have a network with asymetric routing, in most other scenario's it will only increase complexity and have little to no advantages (there is no performance gain, more likely a slight decrease due to HA3)

I'd recommend you start off with an active-passive HA so you have fewer distractions and a far less complex configuration to worry about while you test all the other features, especially since, as you mentioned, you're new to the firewall: configuring Active-Active is about as tough as it gets

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Alex_Samad · ‎05-09-2017

Hi

So I have 2 datacentres and I run a stretch vlan setup, I will have 1 PA in one DC and another in the other DC.

So performance issues - please explain, I am looking at using the dual arp setup for VIP.

I have all my current services - WAN / Vendors etc duplicated at each site... and I do get asym routing 🙂

reaper · ‎05-10-2017

a cluster, for performance considerations, should be considered as a single chassis (since, if you oversubscribe and there is a failover, your remaining member will be bombarded and could buckle under the pressure)

in an A-P setup you can't oversubscribe as a single system is active at a time, in an A-A, you could as each member is taking on traffic independently, so you need to minitor the situation more closely

in an environment that has asymmetric routing, the HA3 link is going to physically transport 'stray' packets to the session owner (depending on your configuration this could be either firewall). This will ensure the cluster is aware of all packets and is capable of processing them as if it were a single system.

but , depending on the amount of stray packets, this will also come at an overhead (the system not only keep track of all the traffic flowing through it, but also which sessions belong to the other member and which packets to transport to the peer for processing)

its an awesome solution for asymmetry, but makes for a complex configuration (hence it not being recommended for a 'normal' network)

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Alex_Samad · ‎05-10-2017

Hi

Don't think I will have performance issue. But I will need to read more about the HA3 link.

So from what I understand you are saying is if I have a tcp stream and the first packet hits PA-1 then the rest come first to PA-2.

PA-2 will send those packets to PA-1 via HA3 so that the firewall can process it there.

I presume though if PA-1 fail the session info will move to PA2

reaper · ‎05-10-2017

yes (make sure HA3 is either directly connected or the transport medium supports jumbo frames)

if the syn packet is passed over PA1 and the ack packet is received by PA2, PA2 will send the ack to PA1 for inspection, PA1 will build the session and perform any other actions (nat, content inspection, AppID, ....) and then pass the packet back to PA2 which will put it on the network (asymmetry is maintained)

session owner and session setup device depend on your active-active configuration: (it may _always_ be PA1, or use a modulo, or be the device that sees the first packet)

if one member dies, all session responsabilities will go to the remaining member. a state table containing _all_ sessions (pa1 +pa2) is constantly maintained by both, only the 'processing' responsabilities are shifted depending on how you configure the above section

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Alex_Samad · ‎05-10-2017

ta, got first packet.

why do you have VR sync. I am using opsf and I read that I shouldn't use VR sync.

reaper · ‎05-11-2017

VR sync is to sync the runtime state between the VRs.

Depending on your environment it may be useful to sync (if both peers need the same next hops etc.), or if your members both participate in ospf/bgp as unique members, you'll not want to sync

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Brandon_Wertz · ‎05-15-2017

@Alex_Samad in my implementation I'm running OTV across, soon be 3 datacenters, with a 5060 HA pair in Active-Passive.

The only benefit to running A/A would be a decrease in latency. In my environment the RTT would only be 7ms (of allowing traffic to go direct out a local FW with an ISP) so not really worth having the headache.

Is your desire to simply save on the increased routing latency?

Alex_Samad · ‎05-15-2017

Hi

Thanks for the input, from every one.

Currently I am in a testing/POC phase. Our standard is to make services/INF available at both DC at the same time. My arista switches can do this, but their L3 FW is really non existant.

So PA have said they can do Active / Active this is what I am testing and hopefully what I am going to implement.

If it hard thats okay, work out the issues and document it

If its complicated thats okay, work out the issues and document it

If it doesn't work, well then i have an issue, this is a feate of the PA's if it doesn't work, I want to know why have i hit a corner case. How does support handle this. I have opened a support case. The sup engineer said it should work, infact when we pushed it over to ip hash it all started to work, push it back to modulo and clear the arp cache on the VM and it stop working again ...

My guess is when i finalise my testing and design, I will have active/active and a mixture of pinned and arp load sharing VIPS.

pulukas · ‎05-27-2017

For dual active DC you will need Active/Active as you note. I worked on a similar deploy several years ago.

When using VIP and members that are in the separate DC you will want to manage the traffic patterns and failover scenarios carefully.

Note that in A/A the session and inspection will occur on the node where ingress first occurs. So if pathing changes during failover you get a double traffic of the packets o n the HA3 link to go to the original node for processing. So be sure to plan for the capacity of this link during failure scenarios and upgrade to useing 10G port if needed.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

Alex_Samad · ‎05-27-2017

Hi

solved my problem. Seems like even though the ip is shared between active active nodes. the actual ip isn't for routing. I believe what tech support advised was they don't want both nodes replying to pings.

This caused a problem with OSPF, it was registering with one node and not the other and the other node would add the route but by a different interface. once it was registered on a different interface it stopped repling to arp's !

So now I have a OSPF exclude for all VIP addresses, that was interesting... Makes me thing should the VIP addresses be /32 or /24 (the same as the network, I am used to using /32 aka vrrp... )

I think i have enough capacity between DC. and I will be using the 10G (LACP connects).

I will probably go back to failover once I have completed my test as currently teh DGW for each network is not really needed between DC's.

A

Newbie question on polices