02-25-2016 06:44 AM - edited 02-25-2016 08:03 AM
Hello folks, need some help here. After upgrading from 6.0.8 --> 6.1.0 --> 6.1.2, the WAN interface of the upgraded device, part of an HA-Pair in active-passive mode, does not register its MAC address with an upstream directly connected L2 switch. If I fail back over to the non-upgraded device, passing of traffic resumes as normal and the WAN interface is registered in the mac-address table of the switch. Fail back over to the upgraded device and the MAC address drops from the mac-address table. Roll back the upgraded device to the original software version (6.0.8) and everything works again in the HA pair. Has anyone experienced this, and what was done to overcome this issue? Appreciate any input. -Norm
02-25-2016 07:32 AM
Hello Pankaj. No, the CIDR prefix is /27. Thanks. -Norm
02-25-2016 12:44 PM
Check if you are running into this issue:
02-26-2016 08:56 AM
Thank you Pankaj. Our organization is not using any NAT policies as we are not using RFC1918 addresses. Everything is public. This issue has truly puzzled me. At this point, I am wondering if it could be a PANOS compatibility issue with our PA4050s? -Norm
02-28-2016 10:43 PM
Can you confirm that Gratuitous ARP with a new MAC is sent after the HA failover?
02-28-2016 11:08 PM
Is there a specific reason for 6.1.2? This release is already about a year old and may contain a bug that's causing this. I'd recommend going to 6.1.9, which is a recommended release, or even 6.1.10, as this is a very mature release, unlikely to cause many problems.
02-29-2016 07:07 AM
Hello, thank you for the response. That was the upgrade path recommended by Palo Alto tech support. I plan on trying a different software version instead, going from 6.0.8 --> 6.1.0 --> 6.1.8. I was told 6.1.7 or 6.1.8 is the most stable in the 6.1.x train. We'll see if that fixes the problem.
04-14-2016 11:13 AM - edited 04-14-2016 11:15 AM
I've finally tested for this; it does not issue a gratuitous ARP out of the WAN interfaces of all the VSYSs. When issuing the 'test arp gratuitous' command to force the firewall to send out an ARP packet, there is no evidence that the firewall had sent out an ARP packet from the WAN interfaces. I did this both before the upgrade (where I can see the gratuitous ARP) and after the upgrade (no gratuitous ARP). Any more ideas, folks? -Norm
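One way to check frames captured on the switch-facing segment for the gratuitous ARP discussed in this thread, as an added example that is not part of any post and not PAN-OS code. The function names and the sample frames are constructed for illustration, and the frames are assumed to be raw Ethernet bytes already extracted from a capture.

```python
import socket
import struct

def parse_arp(frame):
    """Return the ARP fields of a raw Ethernet frame, or None if it is not IPv4 ARP."""
    if len(frame) < 14:
        return None
    ethertype, offset = struct.unpack("!H", frame[12:14])[0], 14
    if ethertype == 0x8100 and len(frame) >= 18:   # skip one 802.1Q VLAN tag
        ethertype, offset = struct.unpack("!H", frame[16:18])[0], 18
    if ethertype != 0x0806 or len(frame) < offset + 28:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[offset:offset + 8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", frame[offset + 8:offset + 28])
    return {"oper": oper, "sha": sha, "spa": spa, "tha": tha, "tpa": tpa}

def is_gratuitous(arp):
    """Gratuitous ARP: a request or reply whose sender IP equals its target IP."""
    return arp is not None and arp["oper"] in (1, 2) and arp["spa"] == arp["tpa"]

def garp_senders(frames, ip):
    """List the sender MACs seen in gratuitous ARPs for `ip`, in capture order."""
    want = socket.inet_aton(ip)
    macs = []
    for frame in frames:
        arp = parse_arp(frame)
        if is_gratuitous(arp) and arp["spa"] == want:
            macs.append(arp["sha"].hex(":"))
    return macs

def build_arp(src_mac, oper, spa, tpa, vlan=None):
    """Build a constructed broadcast ARP frame for the sample capture below."""
    sha = bytes.fromhex(src_mac.replace(":", ""))
    tag = b"" if vlan is None else struct.pack("!HH", 0x8100, vlan)
    body = struct.pack("!HHBBH", 1, 0x0800, 6, 4, oper) + sha + socket.inet_aton(spa) \
        + b"\x00" * 6 + socket.inet_aton(tpa)
    return b"\xff" * 6 + sha + tag + struct.pack("!H", 0x0806) + body

# Constructed sample capture (documentation addresses, not values from the thread).
SAMPLE = [
    build_arp("02:00:00:00:00:0a", 1, "198.51.100.2", "198.51.100.1"),           # ordinary request
    build_arp("02:00:00:00:00:0a", 1, "198.51.100.2", "198.51.100.2"),           # GARP
    build_arp("02:00:00:00:00:0b", 2, "198.51.100.2", "198.51.100.2", vlan=10),  # tagged GARP
    b"\xff" * 6 + b"\x02" * 6 + b"\x08\x00" + b"\x00" * 20,                      # not ARP
]

if __name__ == "__main__":
    print(garp_senders(SAMPLE, "198.51.100.2"))
```

An empty list for the WAN address after a failover matches the symptom reported above: no gratuitous ARP reached the wire, so the switch has nothing to relearn the MAC from.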