Same Mac address shared by two paloalto firewalls

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Same Mac address shared by two paloalto firewalls

Not applicable

Hi,

I have seen strange behaviour between two palo alto firewalls.

I have pair of PA-3020 and Pair of PA-500 in Active/standby scenario. They serve two different networks but to provide interconnect between two networks they (Eth 1/3) are connected to Cisco Nexus switch via FEX (VLAN 129). Has anyone seen a case where two different models of the firewall connected via same vlan share same mac address?

admin@CFWL02(active)> show arp all

interface         ip address      hw address        port         status   ttl 

--------------------------------------------------------------------------------

ethernet1/3.129   10.224.63.33    00:1b:17:00:01:12 ethernet1/3    c      1487

admin@MFWL02(active)> show arp all

interface         ip address      hw address        port         status   ttl 

--------------------------------------------------------------------------------

ethernet1/3.129   10.224.63.36    00:1b:17:00:01:12 ethernet1/3    c      1627

L2S01# sh mac address-table vl 129

Legend:

        * - primary entry, G - Gateway MAC, (R) - Routed MAC, O - Overlay MAC

        age - seconds since last seen,+ - primary entry using vPC Peer-Link

   VLAN     MAC Address      Type      age     Secure NTFY   Ports/SWID.SSID.LID

---------+-----------------+--------+---------+------+----+------------------

+ 129      001b.1700.0112    dynamic   0          F    F  Po1000

L2S01# sh mac address-table vl 129

Legend:

        * - primary entry, G - Gateway MAC, (R) - Routed MAC, O - Overlay MAC

        age - seconds since last seen,+ - primary entry using vPC Peer-Link

   VLAN     MAC Address      Type      age     Secure NTFY   Ports/SWID.SSID.LID

---------+-----------------+--------+---------+------+----+------------------

* 129      001b.1700.0112    dynamic   10         F    F  Eth122/1/47

I will appreciate your help if you advise me.

Thanks

RT

1 accepted solution

Accepted Solutions

L7 Applicator

In this case, you have set Group-ID =1 for both HA pairs.

00:1b:17:00:01:12    ethernet1/3 

View solution in original post

4 REPLIES 4

L7 Applicator

Hello good morning,

As you mentioned before, both pairs are part of high-availability. Could you please confirm if HA "group ID" also same in both HA environments. If "group-ID" is same for both pairs, there there is s possibility to have an identical virtual MAC.

How to Calculate a Virtual MAC Address

It is recommended to have different "group-ID" inside a same network for different HA pair, in order to avoid packet loss.

Hope this helps. Smiley Happy

Thanks

L7 Applicator

In this case, you have set Group-ID =1 for both HA pairs.

00:1b:17:00:01:12    ethernet1/3 

Not applicable

Spot on !!!! Thanks for your help.

Fyi the link has moved, here is the one that works now in 2024:

How to Calculate a Virtual MAC Address - Knowledge Base - Palo Alto Networks

  • 1 accepted solution
  • 10436 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!