09-13-2013 09:32 AM
Hi,
I have seen strange behaviour between two Palo Alto firewalls.
I have a pair of PA-3020s and a pair of PA-500s in an active/standby scenario. They serve two different networks, but to provide interconnect between the two networks they (Eth 1/3) are connected to a Cisco Nexus switch via FEX (VLAN 129). Has anyone seen a case where two different models of the firewall connected via the same VLAN share the same MAC address?
admin@CFWL02(active)> show arp all
interface ip address hw address port status ttl
--------------------------------------------------------------------------------
ethernet1/3.129 10.224.63.33 00:1b:17:00:01:12 ethernet1/3 c 1487
admin@MFWL02(active)> show arp all
interface ip address hw address port status ttl
--------------------------------------------------------------------------------
ethernet1/3.129 10.224.63.36 00:1b:17:00:01:12 ethernet1/3 c 1627
L2S01# sh mac address-table vl 129
Legend:
* - primary entry, G - Gateway MAC, (R) - Routed MAC, O - Overlay MAC
age - seconds since last seen,+ - primary entry using vPC Peer-Link
VLAN MAC Address Type age Secure NTFY Ports/SWID.SSID.LID
---------+-----------------+--------+---------+------+----+------------------
+ 129 001b.1700.0112 dynamic 0 F F Po1000
L2S01# sh mac address-table vl 129
Legend:
* - primary entry, G - Gateway MAC, (R) - Routed MAC, O - Overlay MAC
age - seconds since last seen,+ - primary entry using vPC Peer-Link
VLAN MAC Address Type age Secure NTFY Ports/SWID.SSID.LID
---------+-----------------+--------+---------+------+----+------------------
* 129 001b.1700.0112 dynamic 10 F F Eth122/1/47
I will appreciate your help if you advise me.
Thanks
RT
09-13-2013 09:46 AM
Hello good morning,
As you mentioned before, both pairs are part of high availability. Could you please confirm whether the HA "group ID" is also the same in both HA environments? If the "group-ID" is the same for both pairs, then there is a possibility of having an identical virtual MAC.
How to Calculate a Virtual MAC Address
It is recommended to use a different "group-ID" for each HA pair inside the same network, in order to avoid packet loss.
Hope this helps.
Thanks
09-13-2013 10:09 AM
In this case, you have set Group-ID =1 for both HA pairs.
00:1b:17:00:01:12 ethernet1/3
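A way to check for this collision from collected ARP tables, as an added example that is not part of the original thread: it flags any MAC address that resolves to more than one IP and decodes the HA group ID from it. The sample rows are the ones posted above; the byte layout `00:1b:17:00:<group-id>:<interface-id>` and all function names are assumptions of this sketch.

```python
import re
from collections import defaultdict

# Sample rows copied from the thread's `show arp all` output, keyed by the
# firewall that printed them.
ARP_OUTPUT = {
    "CFWL02": "ethernet1/3.129 10.224.63.33 00:1b:17:00:01:12 ethernet1/3 c 1487",
    "MFWL02": "ethernet1/3.129 10.224.63.36 00:1b:17:00:01:12 ethernet1/3 c 1627",
}

ARP_ROW = re.compile(
    r"^(?P<iface>\S+)\s+(?P<ip>\d+(?:\.\d+){3})\s+(?P<mac>[0-9a-fA-F:.\-]{12,17})\s"
)
HA_VMAC_PREFIX = "001b1700"  # assumed layout: 00:1b:17:00:<group-id>:<interface-id>


def normalize_mac(mac):
    """Reduce colon, dash or Cisco dotted notation to 12 lowercase hex digits."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits


def decode_ha_vmac(mac):
    """Return (group_id, interface_id) for an HA virtual MAC, else None."""
    digits = normalize_mac(mac)
    if not digits.startswith(HA_VMAC_PREFIX):
        return None
    return int(digits[8:10], 16), int(digits[10:12], 16)


def find_shared_macs(arp_by_device):
    """Map each MAC seen with more than one IP to its (device, iface, ip) sightings."""
    seen = defaultdict(set)
    for device, text in arp_by_device.items():
        for line in text.splitlines():
            m = ARP_ROW.match(line.strip())
            if m:  # header and separator lines do not match
                seen[normalize_mac(m["mac"])].add((device, m["iface"], m["ip"]))
    return {mac: sorted(s) for mac, s in seen.items()
            if len({ip for _, _, ip in s}) > 1}


if __name__ == "__main__":
    for mac, sightings in find_shared_macs(ARP_OUTPUT).items():
        print(mac, "HA (group, interface):", decode_ha_vmac(mac))
        for device, iface, ip in sightings:
            print(f"  {device} {iface} {ip}")
```

`decode_ha_vmac` also accepts the dotted form the Nexus prints (`001b.1700.0112`), so MAC-table entries can be checked with the same function.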
09-17-2013 06:29 AM
Spot on !!!! Thanks for your help.
05-31-2024 06:07 AM
FYI, the link has moved; here is the one that works now in 2024:
How to Calculate a Virtual MAC Address - Knowledge Base - Palo Alto Networks