11-23-2024 08:02 AM
In a Palo Alto Active-Active vWire setup, traffic entering a port on Device A is not supposed to egress from any port on Device B. The HA3 link is typically used to forward packets from the active-secondary device to the active-primary device for processing and evaluation against security policies. However, in your setup, you are observing that traffic—especially SIP and RTP traffic related to phone connectivity between clients and servers—sometimes enters the primary-active firewall, traverses the HA3 link, and then egresses from the secondary-active firewall. This behavior is causing MAC address flapping on the Layer 3 device connected to both firewalls.
To temporarily resolve this issue, I have to manually clear the inbound and outbound phone sessions from the secondary firewall.
Can someone help me to understand where this issue might be?