Floating IP routes are not redistributed after upgrading to 8.1.11 or 9.0.5 and higher version

Floating IP routes are not redistributed after upgrading to 8.1.11 or 9.0.5 and higher version

12718
Created On 01/31/20 19:45 PM - Last Modified 06/30/20 21:28 PM


Symptom


  • After upgrading PAN-OS to version 8.1.11/ 9.0.5 or higher, customer losing redistributed routes related to Virtual IP address.
  • The customer has a PA-5220 in active active mode with Multi-Vsys enabled.
  • Prior to PAN-OS 8.1.11 the floating IP addresses appear in the routing table as static route and in the
    PAN-OS 8.1.11 the floating IP route appears as the host route.
  • The customer has a redistribution profile which has been called in the OSPF.
  • The redistribution profile contains filter as static route.
  • In PAN-OS 8.1.10 the routes were getting redistributed correctly.
  • But after the upgrade, the routes are to redistributed separately in the export rule because the host routes cannot be redistributed.
  • The customer has multiple firewalls in different PAN-OS versions in which he is able to redistribute floating IP as the static route.
  • The behavior is observed across all the platforms.
     

Environment


  • PA-5220 (but present in other platforms as well)
  • PAN-OS 8.1.11
  • HA A/A
  • Multi-VSYS with over 200+ vsys' established
  • Virtual IP is redistributed 

Resolution


This is expected behavior due to an enhancement found in PAN-OS v.8.1.11 where commits are failing with a high number of VSYS instances with floating IP addresses.

The fix is to modify the redistribution of floating IP addresses from static route configuration to host-routed redistribution.  

Example of redistribution output in PAN-OS v 8.1.10 and older versions: 
Interface info 
================
> show high-availability virtual-address

Total interfaces with virtual address configured:   1
Total virtual addresses configured:                 1
--------------------------------------------------------------------------------
Interface: loopback.1  Virtual MAC:               b4:0c:25:ea:40:03  
Virtual MAC from the peer: b4:0c:25:fa:40:03  192.168.20.1          Active:yes Type:floating   Pri-Bind:no

Route info 
=========
>show routing route  
192.168.20.1/32                             0.0.0.0                                 0      A S


Example of redistribution output in PAN-OSv 8.1.11 and newer:
  
Interface info
================
> show high-availability virtual-address
Total interfaces with virtual address configured: 1
Total virtual addresses configured: 1
--------------------------------------------------------------------------------
Interface: loopback.1
Virtual MAC: b4:0c:25:ea:40:03
Virtual MAC from the peer: b4:0c:25:fa:40:03
192.168.20.1 Active:yes Type:floating Pri-Bind:no
Route info
=========
>show routing route
192.168.20.1/32 0.0.0.0 0 A H

 
Other users also viewed:
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000POUmCAO&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Choose Language