This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Who Me Too'd this topic

Active-Active NAT Rule Binding

CHammock
L2 Linker

‎04-18-2016 12:54 PM

I can't find anything which goes into enough detail on Active-Active design around NAT and more importantly ARP.

The easiest way to explain the current deployment is as follows:

  • Site 1 / Firewall A
  • Site 2 / Firewall B

Each firewall is connected to unique networks and routers internally and externally.

 

The expectation is to provide redundancy by putting both firewalls in HA A/A and setting floating addresses so that each firewall will be the primary for its site as listed above but in the event of a site or firewall failure the remaining firewall will take over both site and firewall responsibility.

 

From a network point of view we have L2 connectivity for all networks across both sites. The A/A config is such that floating IPs mean the correct firewall will ARP for the correct addresses for that site. Everything works fine apart from the NAT. DeviceID 0 is Primary, DeviceID 1 is Secondary

 

Destination NAT for Site 1 is fine. I have bound all destination NAT rules for Site 1 to the “Primary” device.  So Firewall A arps for all destination NAT addresses.  If Firewall A fails the remaining device becomes primary and ARPs for all destination NAT addresses.

 

The Problem 1:

Destination NAT for Site 2 can only be bound to DeviceID 1 which means if it fails the remaining firewall doesn’t arp for the Destination NAT. If I change the NAT binding to both I get an arp conflict for the IP as both firewalls are on the same L2 network and its hit and miss as to which firewall the routers send the traffic.

 

The Problem 2:

Source NAT can only be bound to DeviceID 0 or DeviceID 1. Which means similar to problem 1 I either get no failover or an ARP conflict.

 

I feel like the solution is to have a "Secondary" bind option and to allow Source NAT rules to be able to be bound to both Primary and Secondary devices.

 

Am I missing something from the network design or is this a limitation of the Active-Active Technology. A work around would be to disable the NAT rules from ARPing and it all being managed by the HA floating address configuration.  Is there a CLI command to disable NAT rule ARPing?

 

Any advice appriciated.

1 person had this problem.
0 Likes Likes
Who Me Too'd this topic
LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks