This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Who Me Too'd this topic

Perimeter FW in A/P HA directly connected to Palo Alto vwire in A/A HA

MasterBubba
L1 Bithead

‎10-23-2024 07:28 PM

the basic topology is:

Internet FW are non-palo alto in HA A/P directly connected (no switch in between) to a pair of Palo Alto in A/A HA -in Vwire mode (no Layer 3 on the Palo Alto but in transparent-zone)

then Palo Altos in A/A HA are connected to the Core switch where the rest of the environment connects to as well.

The internet FW will send a GARP in the event of a failover event. the VIP and associated mac address will be swapped between the standby and active units.

 

Issue:

#1 - When the perimeter FW in A/P HA failsover due to the internet interface issue (not the interface directly connected to the Palo Alto), we are noticing internet outages access from the users connected on the Core switch even though we validated the internet is up and working from the Internet FW, the failover process took place with issue.

#2 - We are also noticing the Internet FW session table reaching its maximum capability of 65535.

 

Questions:

#1 - #is it possible that the Palo Alto have not been made aware that the Perimeter Internet FW to which it is directly connected has undergone a failover? Does it even care or should it care

#2 - #How does the Core switch downstream the Palo Alto know to send its traffic to the Palo Alto (PA2) which is directly connected to the previously standby FW unit but now is the active FW (FW2 )due to the failover.

#3 - #Is it possible that the Palo Alto (again in vwire mode) will continue sending traffic to the now standby FW (FW1) instead of the active FW (FW2)?

#4 - In this setup, what role do the ARP, GARP, Mac address entries and updates continue to play an important role to ensure proper and optimal path selection all the way from the end-user devices connected to the core switch to the Internet FW via the Palo Alto?

 

FW1 <---> FW2

Active  --   Standby

   |                   |

   |                   |

PA1 <---> PA2

Active  --   Active

   |                   |

   |                   |

-------------------

One Core L3 Switch

-------------------

 

I am new to Palo alto but after doing a show mac all and show arp all the Palo Alto had zero entries listed in the output so it does not look like they keep track of arp or mac addresses either from the core side or upstream FW pair in Active/Standby HA mode.

Thanks for the help.

1 person had this problem.
0 Likes Likes
Who Me Too'd this topic
LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks