Session behaviour during vrouter changes
cancel
Showing results for 
Search instead for 
Did you mean: 

Session behaviour during vrouter changes

L2 Linker

Hi everyone,

We've got a number of virtual-routers in our PA-5050s and we're looking to do some consolidation to simplify the configuration.  Basically, we're looking to reduce the number of vrouters by moving interfaces that are currently in different vrouters into one common one.  We are not going to change the zones associated with the interfaces.  I'm wondering what happens to existing/established sessions on the firewall when we move the interfaces from one vrouter to another.

My question is this: if we have an existing session through the firewall that was established based on a particular route pattern that determined the source and destination zones, then we change the route pattern but the src and dst zones remain the same, do the existing sessions continue or do they become invalid / get terminated?

Long explanation:

We have several server subnets and one core (physical) router in our network.  We put the server subnets behind our PA-5050s on their own dedicated interface a few years ago, but we wanted to give them each a dedicated 1Gb link to our core router.  So we created a vrouter for each server subnet and used a /30 routing subnet on a different dedicated interace between the core router and our PA-5050s to force each server subnet's traffic over a different link.  So for our 5 server subnets, we're using 10 interfaces (5 x core<-->PA, 5 x PA<-->servers).  While each server interfaces has its own zone, all of the /30 routing interfaces are in the same zone.

We've now established 10Gb connectivity between the core router and the PA-5050s, so we do not need the separate interfaces.  This 10Gb link is in the same zone as the /30 routing interfaces.  To simplify our configuration, we'd like to start collapsing the separate server vrouters into one common one that uses the 10Gb link as its route to the core router.  This will not change the zones, only the routing.

We need to know if we need to schedule an server outage when we change the routing.  Our hope is that since the sessions are based on the zones (which will be unchanged) and the firewall is able to do dynamic routing, the sessions would stay alive. However, the existing sessions that were previously routed across the 1Gb link will now be using the 10Gb link in a different vrouter, so maybe the firewall won't like that.

1 REPLY 1

L7 Applicator

My experience with vrouter changes is that they are disruptive.  They appear to delete and then recreate the affected vrouters.

I would expect all sessions to be lost and need to re-establish after this commit takes place and would plan for a session impact change window.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!