Secondary IP(s) of Azure Network Interface(s) do not move to newly active unit due to DNS issues


10062
Created On 03/17/20 21:29 PM - Last Modified 04/06/20 16:28 PM


Symptom


Upon HA failover, the newly active firewall instance cannot pass traffic. Looking up on the Azure Console, we notice the Secondary IP(s) of Azure Network Interface(s) did not transfer to newly active firewall instance despite having correct IAM Roles and Internet connectivity.

  • Review the plugin logs to understand and verify the failure events on the active firewall:

> less mp-log pan_vm_plugin.log

pan_vm_plugin.log logs:

2020-02-01 06:53:33.048 -0800 vm_ha_state_trans INFO: : Instance running in region 'uksouth'
2020-02-01 06:53:53.068 -0800 vm_ha_state_trans INFO: : Getting Azure token failed with exception <urlopen error [Errno -3] Temporary failure in name resolution>
2020-02-01 06:53:53.068 -0800 vm_ha_state_trans INFO: : Failed to get Azure Access Toke

  • The log snippet above shows that API calls made by the VM-Series plugin to Azure services failed because the firewall could not resolve the Azure service FQDN.

  • Verify that a DNS server is configured under Device > Setup > Services > Primary DNS Server.

  • Check connectivity from the management interface to the DNS server using ping. If this fails, troubleshoot network connectivity from the firewall to the DNS server.

  • If ping succeeds, layer 3 connectivity exists; perform a traceroute to identify any devices in the path.

  • Perform a tcpdump on the management interface of the firewall to verify that DNS requests are sent out:

> tcpdump filter "host <dns_server_IP>"

  • Verify that the Azure Network Security Group attached to the management interface and subnet allows UDP port 53 traffic towards the DNS server.



Environment


  • Platform: VM-Series Firewall
  • PAN-OS / Plugin Version: 9.0.1 / -
  • Deployment: Azure


Cause


  • The firewall is unable to resolve DNS names for Azure services.


Resolution


  1. Ensure a valid DNS server is configured on the PA-VM.

  2. Allow DNS (UDP port 53) traffic towards the configured DNS server in the Azure Network Security Group attached to the subnet/Management (Eth0) Network Interface.

  3. DNS resolution can also fail for the following reasons:

     a. The Management subnet in the Azure Console does not have a route to the internet, or

     b. Internet traffic for the management subnet is routed through the Trust interface of the PA-VM.

  4. Missing public IP on the management (Eth0) Network Interface.
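The script below is an added example, not Palo Alto Networks code and not part of this article. It automates the evidence-gathering side of the Symptom and Resolution steps: it parses pan_vm_plugin.log lines of the form quoted above, tags each failed Azure token fetch by cause (DNS resolution vs. other network errors), checks whether the Azure endpoints the plugin depends on resolve, and maps the evidence to the checks listed in this article. It is meant to run on a host in the same management subnet, since the firewall itself does not run arbitrary scripts. The endpoint names `login.microsoftonline.com` and `management.azure.com`, the `Finding` class and all function names are assumptions of this example; the sample log is constructed from the three lines quoted in the Symptom section plus one invented line with a non-DNS error.

```python
"""Triage helper for the failure described in this article.

Added example, not Palo Alto Networks code. It parses pan_vm_plugin.log
lines, tags each failed Azure token fetch by cause, and checks whether the
Azure endpoints the plugin depends on resolve from the host running it
(assumed to be a host in the same management subnet).
"""
import re
import socket
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Sequence

# Constructed sample log: the three lines quoted in the Symptom section plus
# one invented line with a non-DNS error, so the classifier has to tell them apart.
SAMPLE_LOG = """\
2020-02-01 06:53:33.048 -0800 vm_ha_state_trans INFO: : Instance running in region 'uksouth'
2020-02-01 06:53:53.068 -0800 vm_ha_state_trans INFO: : Getting Azure token failed with exception <urlopen error [Errno -3] Temporary failure in name resolution>
2020-02-01 06:53:53.068 -0800 vm_ha_state_trans INFO: : Failed to get Azure Access Toke
2020-02-01 07:10:12.000 -0800 vm_ha_state_trans INFO: : Getting Azure token failed with exception <urlopen error [Errno 110] Connection timed out>
"""

# Timestamp with offset, process name, level, then the message after "LEVEL: : ".
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3} [+-]\d{4}) "
    r"(?P<proc>\S+) (?P<level>\w+): : (?P<msg>.*)$"
)
# Errno -3 is EAI_AGAIN from getaddrinfo: the resolver could not be reached or did not answer.
DNS_FAILURE_RE = re.compile(
    r"Errno -3\b|Temporary failure in name resolution|Name or service not known"
)


@dataclass
class Finding:
    timestamp: str
    category: str  # "dns", "network" or "other"
    message: str


def classify_token_failures(log_text: str) -> List[Finding]:
    """Return one Finding per 'Getting Azure token failed' line, tagged by cause."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or "Getting Azure token failed" not in m["msg"]:
            continue
        if DNS_FAILURE_RE.search(m["msg"]):
            category = "dns"
        elif "Errno" in m["msg"]:
            category = "network"
        else:
            category = "other"
        findings.append(Finding(m["ts"], category, m["msg"]))
    return findings


# Assumed endpoints: the plugin obtains a token from Azure AD and then calls the
# Azure Resource Manager API. These hostnames are not taken from the article.
AZURE_ENDPOINTS: Sequence[str] = ("login.microsoftonline.com", "management.azure.com")

Resolver = Callable[[str], str]


def check_resolution(hosts: Sequence[str] = AZURE_ENDPOINTS,
                     resolver: Resolver = socket.gethostbyname) -> Dict[str, Optional[str]]:
    """Map each hostname to its resolved address, or None when resolution fails.

    The resolver is injectable so the check can be exercised without network access.
    """
    results: Dict[str, Optional[str]] = {}
    for host in hosts:
        try:
            results[host] = resolver(host)
        except OSError:  # socket.gaierror is a subclass of OSError
            results[host] = None
    return results


def recommend(findings: Sequence[Finding], resolution: Dict[str, Optional[str]]) -> List[str]:
    """Turn the evidence into the checks the article lists, in order."""
    steps: List[str] = []
    unresolved = [h for h, addr in resolution.items() if addr is None]
    if any(f.category == "dns" for f in findings) or unresolved:
        steps.append("Verify Primary DNS Server under Device > Setup > Services")
        steps.append("Confirm the management-subnet NSG allows UDP/53 to that DNS server")
        steps.append("Confirm the management subnet has an internet route not via the Trust interface")
    if any(f.category == "network" for f in findings):
        steps.append("Name resolution worked; check ping/traceroute and outbound rules to Azure endpoints")
    return steps


if __name__ == "__main__":
    found = classify_token_failures(SAMPLE_LOG)
    for f in found:
        print(f"{f.timestamp} [{f.category}] {f.message}")
    res = check_resolution()
    for host, addr in res.items():
        print(f"{host}: {addr or 'UNRESOLVED'}")
    for step in recommend(found, res):
        print("->", step)
```

Run it against a copy of the real log (replace `SAMPLE_LOG` with the file contents) from a host in the management subnet; if the script itself cannot resolve the endpoints, the problem is in the subnet's DNS path or NSG rather than in the firewall configuration, which narrows the checks to steps 2 and 3 of the Resolution.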


