HA VLAN Path-Monitoring Initiates Failover Once Enabled

Created On 01/21/20 15:17 PM - Last Modified 04/20/24 02:29 AM


Symptom


  • A manual ping to the monitored destination succeeds.
  • Once Path Monitoring via VLAN is enabled, the firewall fails over.
  • Path Monitoring shows Success as 0/1.


Environment


  • PAN-OS
  • Palo Alto Firewalls configured in HA Active/Passive
HA unit interface setup:
  • ethernet1/2 (layer2) > trust-vlan, VLAN interface: vlan.1 (192.168.80.160/24)
  • ethernet1/3 (layer3) > untrust-vlan, VLAN interface: vlan.2 (10.193.82.160/23)
  • VLAN-PATH-MONITORING enabled with VLAN-PATH-GROUP: untrust-VLAN, monitoring the path to the public DNS server 8.8.8.8 from source IP 10.193.82.160
  • The monitored IP is reachable when pinged from source IP 192.168.80.160.
admin@LAB-FIREWALL-NEW(active)> ping source 192.168.80.160 host 8.8.8.8
PING 8.8.8.8 (8.8.8.8) from 192.168.80.160 : 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=57 time=2.66 ms                  
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 2.532/2.664/2.796/0.115 ms
  • Whereas the "show high-availability path-monitoring" command displays a success rate of 0.
admin@HER-FIREWALL-NEW(active)> show high-availability path-monitoring
--------------------------------------------------------------------------------
total paths monitored :                         1
hold time to send probe packets :               1000 ms
  (after device becomes active)
--------------------------------------------------------------------------------
name/type                 destination     suc/total rtt min/max/avg (ms) probe cnt/interval(ms)
--------------------------------------------------------------------------------
untrust-vlan/vlan         8.8.8.8          0/10     0.00/0.00/0.00      10/200
--------------------------------------------------------------------------------



Cause


The monitored IP 8.8.8.8 is in a different subnet than the VLAN interface vlan.2 (10.193.82.160/23).
pan_dha sends an ARP request for the monitored IP 8.8.8.8 itself; the request eventually times out, the destination is treated as unreachable, and HA path monitoring is marked as down.

A ping to the same monitored IP 8.8.8.8 works from the CLI because the ARP request is sent for the next-hop IP address of the vlan.2 interface, not for 8.8.8.8 itself.


Resolution


  1. Change path monitoring to the Virtual Router type instead of VLAN monitoring.
  2. Change the monitored IP address to one in the same subnet as the VLAN interface configured as the source for path monitoring.
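The cause and the two fixes above amount to one rule: a VLAN-type path-monitoring group can only probe a destination it can ARP for directly, so the monitored IP must sit inside the source VLAN interface's subnet, while a virtual-router group resolves a next hop through the routing table. The following Python script is an added example, not code from the article or from Palo Alto Networks; it models path-monitoring groups as a small dataclass (hypothetical, not a PAN-OS API) and audits them against a constructed interface table taken from the lab setup above, flagging VLAN groups whose destination is off-subnet and suggesting either resolution. The interface table, group names and sample values are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed interface table for the lab firewall described in the article:
# interface name -> address/prefix of the VLAN interface.
INTERFACES: Dict[str, str] = {
    "vlan.1": "192.168.80.160/24",
    "vlan.2": "10.193.82.160/23",
}


@dataclass
class PathGroup:
    """One HA path-monitoring group (hypothetical model, not a PAN-OS API)."""
    name: str
    kind: str          # "vlan" or "virtual-router"
    source_ip: str     # source address the probes are sent from
    destination: str   # monitored IP


def interface_for_source(source_ip: str,
                         interfaces: Dict[str, str] = INTERFACES) -> Optional[str]:
    """Return the interface whose configured address equals source_ip, if any."""
    for name, cidr in interfaces.items():
        if ipaddress.ip_interface(cidr).ip == ipaddress.ip_address(source_ip):
            return name
    return None


def on_link(interface_cidr: str, destination: str) -> bool:
    """True when destination lies inside the interface's subnet, i.e. the
    firewall can resolve it with a direct ARP request instead of a next hop."""
    network = ipaddress.ip_interface(interface_cidr).network
    return ipaddress.ip_address(destination) in network


def check_group(group: PathGroup,
                interfaces: Dict[str, str] = INTERFACES) -> Optional[str]:
    """Return a finding for a VLAN group whose destination is off-subnet, else None.
    Virtual-router groups are skipped: they resolve a next hop via the routing table."""
    if group.kind != "vlan":
        return None
    ifname = interface_for_source(group.source_ip, interfaces)
    if ifname is None:
        return (f"{group.name}: source {group.source_ip} is not a configured "
                f"VLAN interface address")
    if on_link(interfaces[ifname], group.destination):
        return None
    return (f"{group.name}: {group.destination} is outside {interfaces[ifname]} "
            f"on {ifname}; ARP for it will time out and the path will be marked "
            f"down. Use virtual-router path monitoring, or monitor an IP inside "
            f"the {ifname} subnet.")


def audit(groups: List[PathGroup],
          interfaces: Dict[str, str] = INTERFACES) -> List[str]:
    """Collect findings for every group in the list."""
    findings = []
    for group in groups:
        finding = check_group(group, interfaces)
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    # Constructed sample: the article's failing group plus two that pass.
    sample = [
        PathGroup("untrust-VLAN", "vlan", "10.193.82.160", "8.8.8.8"),
        PathGroup("untrust-gw", "vlan", "10.193.82.160", "10.193.82.1"),
        PathGroup("default-vr", "virtual-router", "10.193.82.160", "8.8.8.8"),
    ]
    for finding in audit(sample):
        print(finding)
```

Run before committing a path-monitoring change: the only group reported is the article's untrust-VLAN group, because 8.8.8.8 is not inside 10.193.82.0/23; the same destination under a virtual-router group, or an on-subnet destination such as the VLAN's gateway, produces no finding.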


    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000POJFCA4&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail