WAN Interface Not Registering MAC Address With Upstream L2 Switch

L1 Bithead

Hello folks, need some help here. After upgrading from 6.0.8 --> 6.1.0 --> 6.1.2, the WAN interface of the upgraded device, part of an HA pair in active-passive mode, does not register its MAC address with an upstream directly connected L2 switch. If I fail back over to the non-upgraded device, passing of traffic resumes as normal and the WAN interface is registered in the mac-address table of the switch. Fail back over to the upgraded device and the MAC address drops from the mac-address table. Roll back the upgraded device to the original software version (6.0.8) and everything works again in the HA pair. Has anyone experienced this, and what was done to overcome this issue? Appreciate any input. -Norm

L5 Sessionator

What IP address have you configured on the interface? Is it /32?

L1 Bithead

Hello Pankaj.  No, the CIDR prefix is /27.  Thanks.  -Norm

L5 Sessionator

L1 Bithead

Thank you Pankaj. Our organization is not using any NAT policies as we are not using RFC1918 addresses. Everything is public. This issue has truly puzzled me. At this point, I am wondering if it could be a PAN-OS compatibility issue with our PA-4050s? -Norm

L2 Linker

Can you confirm that Gratuitous ARP with a new MAC is sent after the HA failover?

L7 Applicator

Is there a specific reason for 6.1.2? This release is already about a year old and may contain a bug that's causing this. I'd recommend going to 6.1.9, which is a recommended release, or even 6.1.10, as this is a very mature release, unlikely to cause many problems.

Tom Piens - PANgurus.com
Like my answer? Check out my book! amazon.com/dp/1789956374

L1 Bithead

Hello, thank you for the response.  That was the upgrade path recommended by Palo Alto tech support.  I plan on trying a different software version instead, going from 6.0.8 --> 6.1.0 --> 6.1.8.  I was told 6.1.7 or 6.1.8 is the most stable in the 6.1.x train.  We'll see if that fixes the problem.

L1 Bithead

I've finally tested for this: it does not issue a gratuitous ARP out of the WAN interfaces of all the VSYSs. When issuing the 'test arp gratuitous' command to force the firewall to send out an ARP packet, there is no evidence that the firewall had sent out an ARP packet from the WAN interfaces. I did this both before the upgrade (where I can see the gratuitous ARP) and after the upgrade (no gratuitous ARP). Any more ideas, folks? -Norm
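One way to confirm from a packet capture on the switch-facing port whether the announcement is actually being sent after failover, as an added example (not code from the thread, from PAN-OS, or from the switch vendor; the IP and MAC values are constructed and the frames are built inline rather than captured):

```python
import struct
from dataclasses import dataclass

ETHERTYPE_ARP = 0x0806
BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class ArpInfo:
    opcode: int  # 1 = request, 2 = reply
    sender_mac: str
    sender_ip: str
    target_ip: str

    def is_gratuitous(self) -> bool:
        # A gratuitous ARP announces the sender's own address: sender IP == target IP.
        return self.sender_ip == self.target_ip


def _mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_arp_frame(frame: bytes):
    """Parse an Ethernet II frame; return ArpInfo if it carries IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha, spa, _tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return ArpInfo(op, _mac_str(sha), ".".join(map(str, spa)), ".".join(map(str, tpa)))


def build_arp_frame(op, sender_mac, sender_ip, target_ip, dst_mac=BROADCAST) -> bytes:
    """Build a constructed ARP frame for the sample below (no real traffic involved)."""
    mac = lambda s: bytes.fromhex(s.replace(":", ""))
    ip = lambda s: bytes(int(x) for x in s.split("."))
    eth = mac(dst_mac) + mac(sender_mac) + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + mac(sender_mac) + ip(sender_ip)
    return eth + arp + mac("00:00:00:00:00:00") + ip(target_ip)


def announcement_seen(frames, wan_ip, expected_mac) -> bool:
    """True if any frame is a gratuitous ARP claiming wan_ip from the newly active unit's MAC."""
    for f in frames:
        info = parse_arp_frame(f)
        if info and info.is_gratuitous() and info.sender_ip == wan_ip and info.sender_mac == expected_mac:
            return True
    return False


# Constructed sample: an ordinary ARP request, then a gratuitous announcement from the new active unit.
SAMPLE_FRAMES = [
    build_arp_frame(1, "02:00:00:aa:bb:02", "203.0.113.10", "203.0.113.1"),
    build_arp_frame(1, "02:00:00:aa:bb:01", "203.0.113.10", "203.0.113.10"),
]
```

Feed it the frames from a capture taken while running 'test arp gratuitous'; if it returns False for the WAN IP and the active unit's MAC, the switch has nothing to learn from and the entry will age out as described above.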
