We got a Palo Alto 5050 active/passive HA configuration with two vsys with a lot of inter-vsys traffic.
Our DP1 is running at 100% during working hours.
I am convinced that the problem is that inter-vsys traffic can't be offloaded to hardware.
If I configure physical interface 1 and 2 to vsys1 (L3) and physical interface 3 and 4 to vsys 2 (L3), connect them with a physical cable, aggregate these two links (port-channel) and route inter-vsys traffic over that physical link, would that be a good practice? Now traffic can be offloaded to HW.
Thank you for your feedback!
Hello @MarcelBolleboom ,
If your environment only has 2 vsys and it won't get any bigger, that is one way to resolve the inter-vsys performance issue.
Do you have a diagram that can help us understand the problem?
Have you been able to identify the traffic pattern? Is there a specific zone/subnet in one vsys that all the systems from the other vsys need to access?
Thank you for your reply.
All internet traffic from the LAN uses the inter-vsys connection (red) for internet. The best way to tackle this would be to consolidate the two vsys into one, but that would be a large operation.
Current: Direct inter-vsys routing between two vsys on the same physical device.
New: Using 4 interfaces (2 per vsys) and aggregate them to form a 2 Gbit link (UTP). SFP 10 Gbit interfaces are all in use. Traffic won't exceed 2 Gbit. Make it a L3 connection.
So, direct cables from one interface to another between two vsys on the same physical device.