02-18-2011 05:36 AM
Hi,
We've just had a couple of PA2020s installed in an Active-Passive HA configuration, running v3.1.7, and I'm trying to diagnose an FTP problem which may or may not be related to the installation. One thing I have discovered is that we're seeing a small amount of traffic (probably less than 1% of the total) on our standby PA2020, but just from a few specific sources. It is all marked as ‘deny’ traffic, which I guess you’d expect on a standby unit.
We’ve cleared the dynamic arp entries (using clear mac-address-table dynamic ) on our Cisco catalyst switch stack - both PA2020s go into our core stack (into ports in different switches) - which is logically a single switch.
Can anyone explain why we’re seeing any traffic at all on the standby PA? Is there a setting for the ports which we should be using on the switch port(s) to make it ‘HA-friendly’.
Thanks,
Matt
02-18-2011 08:46 AM
Hi Matt,
What type of traffic is being denied? Is it normal network traffic or could it be BPDU's from the switch trying to do STP? Best practice is to enable portfast on the switch ports connected to the firewall.
The following command may provide more insight on to the type of packets being dropped:
show counter global filter severity drop delta yes
Run this command every few seconds for a few times to see which drop counters are incrementing.
Cheers,
Kelly
02-21-2011 12:27 AM
Hi,
I've checked through and what we're seeing is almost exclusively FTP traffic being logged on the standby firewall. Is there something special about the way FTP would be handled by our switches?! (I'm seeing this on both of the interfaces which have automated ftp client activity.) At first I thought this was an ARP issue, but arp tables were cleared several times, and the FTPing systems have been rebooted several times too.
We were concerned about denied FTP packets, so we've now set the Passive Link State to 'Shutdown', so this means that I can't monitor for further misdirected packes on the HA peer just at the moment.
I can confirm that 'spanning tree portfast' is set on the switch ports we are connecting to our PA2020s, so the denied FTP packets remain a mystery :smileyconfused:
Matt
02-21-2011 02:17 PM
Not sure what could be causing this. It might be a good idea to open a Support case, but I don't see any reason why the Palo Alto firewall would be causing this. My hunch is something upstream.
Cheers,
Kelly
02-22-2011 05:12 AM
Hi,
there is a known issue on the HA feature. We have the same issue. At the moment, it's not fixed with release3.1.7
regards,
02-23-2011 02:27 AM
Many thanks for your reply bdaussin - do you know if the issue is documented anywhere on this site? I have set the passive box's interfaces to shutdown for now, as this seems to be the only way to be sure of no misdirected traffic.
Matt
08-16-2011 07:59 PM
?? How about the other end switch, shouldn’t it be expecting BPDUS and put it in blocking state. Do you have any commands and documents layer 2 traffic and operations on PA and also HA link states If passing all bpdu without processing - Is it also applicable for BPDUs from un-trusted side? Thanks
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
