About efellows

Hi all,     I have a client which run a stretched active/active HA cluster with a dark fiber between them. So HA1, HA2, HA3 links are not really cables, but layer2 VLANs. It seems fine, as it has somehow worked a long time, but this is what I’ve noticed: When I issue “show counter global filter severity drop”: efellows@palo-alto-1(active-primary)> show counter global filter severity drop Global counters: Elapsed time since last sampling: 1.220 seconds name                                   value     rate severity  category  aspect    description -------------------------------------------------------------------------------- pkt_recv_err                               5        0 drop      packet    pktproc   Packet receive error flow_rcv_err                             165        0 drop      flow      parse     Packets dropped: flow stage receive error flow_policy_deny                         306        0 drop      flow      session   Session setup: denied by policy flow_tcp_non_syn_drop                  99371        9 drop      flow      session   Packets dropped: non-SYN TCP without session match flow_fwd_ip_df                             7        0 drop      flow      forward   Packets dropped: exceeded MTU but DF bit present flow_parse_l4_cksm                        42        0 drop      flow      parse     Packets dropped: TCP/UDP checksum failure flow_parse_l4_port                        96        0 drop      flow      parse     Packets dropped: illegal TCP/UDP port 0 flow_action_close                     193599       19 drop      flow      pktproc   TCP sessions closed via injecting RST flow_action_reset                      32715        0 drop      flow      pktproc   TCP clients reset via responding RST flow_host_decap_err                       12        0 drop      flow      mgmt      Packets dropped: decapsulation error from control plane tcp_drop_decrypt_packets                   3        0 drop      tcp       pktproc   number of decrypted packets get dropped ha_aa_pktfwd_err_decap                 35620        0 drop      ha        aa        Active/Active: packet-forwarding decap error proxy_url_request_pkt_drop                35        0 drop      proxy     pktproc   The number of packets get dropped because of waiting for url category request in ssl proxy url_request_pkt_drop                    4836        0 drop      url       pktproc   The number of packets get dropped because of waiting for url category request -------------------------------------------------------------------------------- Total counters shown: 14 -------------------------------------------------------------------------------- I see a lot of ha_aa_pktfwd_err_decap drops and they are constantly growing. I’ve seen in the Active/Active HA guide that HA3 link can be layer2 link, but it MUST support jumbo frames end to end. Right now that’s not the case, because they are going through the core switch which must be rebooted to enable jumbo frames which can not be done easily. I have not yet enabled globally jumbo frames on the PA devices neither. So my questions are:   Is this something normal or is it a sign of a problem? Do you expect to be fixed if we enable jumbo frames on PA devices and on the network switches end to end? The old devices (PA-2050) ran exactly the same setup and configuration. Unfortunately I have not checked this counter on them. But I checked that PA-2000 does not support jumbo frames at all. At the same time it is said that when running active/active jumbo frames are a must. And PA-2000 normally support active/active. So what’s the true here? How does PA-2000 run active/active and transmit packets over HA3 when they do not support jumbo frames and how this affects operations? ... View more

Hello all, I've checked all docs and guides and did not find any documented limitations (such as features not available) when PA is deployed in virtual wire mode. Does this mean that ALL possible features are available both in routed and VWire mode? For example: if I deploy PA in VWire mode between the Internet router and a L3 Core switch with multiple VLANs. This means that the actual clients/users will not be in the same broadcast domain where the PA is sitting. Nevertheless PA has no IP addresses set, therefore no routing table at all. Should this affect somehow at least some of the features? For example if the PA has to send a TCP reset to a client/server in the inside BEHIND the core swtich. Will this be routed/forwarded properly when there's no routing table at all? The above was just an example, there might be many more similar cases. Thanks in advance! ... View more