About VMAntonenko

Hello, We faced a problem with reliable connection of Palo-Alto firewall HA A/P pair to not stackable pair of switches/routers (i.e. Cisco 6500, Huawei NE40E ) with static routing and FHRP. To make this connection we used one VLAN-interface + 2 L2 interfaces on the side of Palo-Alto HA A/P cluster, and SVI + HSRP(VRRP) + L2 interfaces on the switch-pair side. Physical topology is full-mesh (each firewall connected to each switch) In normal situation two switches and firewall formed a L2-triangle, and secondary root switch blocked interface faced to firewall. Connection worked fine, until we reboot one switch (STP primary root). After rebooting switch, services was not interrtupted yet. Earlier mentioned port on secondary root switch transited to forwarding state, firewall learnt mac-addresses via one remaining L2-interface (i.e. Eth2), at this step network still works fine. After STP primary root switch loaded, it became the STP-root again, L2 triangle formed, and porton the secondary root switch faced to Eth2 transited to blocked state, but firewall did not knew this and continued to forward packets via Eth2 interface by MAC-entries learnt while first switch was down. This situation caused service interruption that was addressed by manual clearing arp-table on firewall, after that firewall learned new entries via interface faced to STP primary root switch. Is there any validated configuration example to achive reliable connection in this environment. Some vendors has "Redundant Interface" functionality to achieve this, but we can't find any similar solutions on Palo-Alto firewalls. We use VRRP and static routing to keep configuration simple. ... View more

Hello.   There is a question about OSPF adjacency flapping caused by minor changes in OSPF process.   I planned data-center deployment of PA-5060 HA-cluster. In this plan PA-5060 needs to be attached to OSPF AREA 0, and multiple NSSA areas in different security  zones. Number of multiple areas non constant and in will be increasing in the future with deploying new DMZs.   When i configured this, i noticed that some changes in OSPF causes adjacancy reestablishing with peers when configuration is commiting.   For example:  Creating new interface/subinterface and attacing it to existent OSPF area commits without interruption. Creating new area, even without interfaces belongs to it, commits with reestablishing all existent OSPF adjacancies and service interruption.   Precisely OSPF peers receives one-way hello from PA (hello packet with empty neighbors list) and goes to Init state.   In this scenario deploying of any new DMZ will cause service interruption in whole data-center segment.   Is this a normal behaviour of PA?  Are there any workarounds? GR or something.   I found an article in community. https://live.paloaltonetworks.com/t5/Management-Articles/Commit-Causes-OSPF-Adjacencies-to-go-Down/ta-p/53408 But it dated 2012. Is this fixed now?   Thanks in advance.   ... View more