High Availability Clusters of Palo Alto Networks Devices Have the Same Virtual MAC Address

Created On 09/27/18 10:54 AM - Last Modified 06/13/25 18:22 PM


Issue

Two Palo Alto Networks devices from different High Availability (HA) clusters have the same virtual MAC address:

admin@Cluster01(active)> show arp all
interface         ip address     hw address         port          status   ttl
--------------------------------------------------------------------------------
ethernet1/3.129   10.15.63.10    00:1b:17:00:01:12  ethernet1/3   c        1410

admin@Cluster02(active)> show arp all
interface         ip address     hw address         port          status   ttl
--------------------------------------------------------------------------------
ethernet1/3.129   10.15.63.15    00:1b:17:00:01:12  ethernet1/3   c        1615

The MAC address can also be checked with the following command:
> show interface ethernet1/1


Resolution

This issue occurs only when the HA clusters are configured with the same HA Group ID, and it is resolved by configuring a different Group ID for each HA cluster. When HA is enabled, a virtual MAC address is applied to all interfaces of the firewall. This virtual MAC address is generated based on the Group ID, so two clusters that share a Group ID generate the same virtual MAC address.
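To check for this condition across several firewalls at once, the following added example (not Palo Alto Networks code) parses saved "show arp all" output and reports virtual MAC addresses that answer for more than one IP address. The function names are hypothetical, the sample rows beyond the two shown above are constructed, and the script assumes the active/passive virtual MAC layout 00:1b:17:00:<Group ID>:<interface ID>, which this article does not state.

```python
import re
from collections import defaultdict

# Constructed sample input: the two rows from the article plus two constructed rows.
ARP_TABLES = {
    "Cluster01": """\
interface         ip address     hw address         port          status   ttl
--------------------------------------------------------------------------------
ethernet1/3.129   10.15.63.10    00:1b:17:00:01:12  ethernet1/3   c        1410
ethernet1/3.129   10.15.63.20    00:50:56:aa:bb:cc  ethernet1/3   c        1200
""",
    "Cluster02": """\
interface         ip address     hw address         port          status   ttl
--------------------------------------------------------------------------------
ethernet1/3.129   10.15.63.15    00:1b:17:00:01:12  ethernet1/3   c        1615
ethernet1/3.129   10.15.63.30    00:1b:17:00:02:12  ethernet1/3   c        1500
""",
}

ROW = re.compile(
    r"^(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+((?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s", re.I)
# Assumption (not stated in the article): active/passive virtual MACs are laid out
# as 00:1b:17:00:<Group ID>:<interface ID>.
VMAC_PREFIX = "00:1b:17:00:"

def parse_arp(text):
    """Yield (interface, ip, mac) for every data row of 'show arp all' output."""
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            yield m.group(1), m.group(2), m.group(3).lower()

def find_vmac_collisions(tables):
    """Map each virtual MAC that answers for more than one IP to its details.

    Heuristic: one interface with several IPs also matches, so treat hits as
    candidates to confirm against each cluster's HA Group ID.
    """
    seen = defaultdict(lambda: {"ips": set(), "seen_on": set()})
    for device, text in tables.items():
        for _iface, ip, mac in parse_arp(text):
            if mac.startswith(VMAC_PREFIX):
                seen[mac]["ips"].add(ip)
                seen[mac]["seen_on"].add(device)
    return {mac: {"group_id": int(mac.split(":")[4], 16),
                  "ips": sorted(d["ips"]), "seen_on": sorted(d["seen_on"])}
            for mac, d in seen.items() if len(d["ips"]) > 1}

if __name__ == "__main__":
    for mac, info in find_vmac_collisions(ARP_TABLES).items():
        print(mac, info)
```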

 

See Also

How to Calculate a Virtual MAC Address

How to Change the HA Group ID

How to Track Switch Ports Associated with HA Active/Passive Pair if Physical Access is Not Available

 


