Secondary IP(s) of Azure Network Interface(s) do not move to newly active unit with message “Put Request Failed: 429”
Symptom
Upon HA failover, the newly active firewall instance cannot pass traffic. The Azure console shows that the secondary IP(s) of the Azure network interface(s) did not transfer to the newly active firewall instance, and pan_vm_plugin.log contains the message “Put Request Failed: 429”.
- Review the plugin logs to understand and verify the failure events on the active firewall:
> less mp-log pan_vm_plugin.log
or
> tail follow yes mp-log pan_vm_plugin.log
2020-02-12 05:21:21.588 -0800 vm_ha_state_trans INFO: : URL for put request: https://management.azure.com//subscriptions/810dd244-8648-42e6-9fb1-b1df5817f269/resourceGroups/fisglobal/providers/Microsoft.Network/networkInterfaces/vmseries10-fisglobal-eth2?api-version=2019-08-01
2020-02-12 05:21:21.947 -0800 vm_ha_state_trans INFO: : Put Request Failed: 429
2020-02-12 05:21:21.947 -0800 vm_ha_state_trans INFO: : URL: https://management.azure.com//subscriptions/810dd244-8648-42e6-9fb1-b1df5817f269/resourceGroups/fisglobal/providers/Microsoft.Network/networkInterfaces/vmseries10-fisglobal-eth2?api-version=2019-08-0
- The log snippet above shows the API calls made by the VM-Series plugin to the Azure Fabric cloud, where the PUT request to detach the secondary IP(s) failed repeatedly.
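As an added example (not part of the original article or the VM-Series plugin), the following Python script counts failed PUT requests per network interface in pan_vm_plugin.log lines, showing which interfaces the plugin could not update. It assumes each "Put Request Failed" line refers to the preceding "URL for put request" line, as in the excerpt; the sample lines, subscription ID, resource group and NIC names are constructed placeholders.

```python
import re
from collections import Counter

# Message formats as they appear in the pan_vm_plugin.log excerpt above.
PUT_URL = re.compile(r"URL for put request: (\S+)")
PUT_FAIL = re.compile(r"Put Request Failed: (\d{3})")
NIC_NAME = re.compile(r"/networkInterfaces/([^/?\s]+)")

def failed_puts(lines):
    """Count failed PUT requests per (NIC name, HTTP status).

    Assumption: a failure line belongs to the most recent
    'URL for put request' line, as in the excerpt.
    """
    failures = Counter()
    nic = None
    for line in lines:
        url = PUT_URL.search(line)
        if url:
            name = NIC_NAME.search(url.group(1))
            nic = name.group(1) if name else "<unknown>"
            continue
        fail = PUT_FAIL.search(line)
        if fail:
            failures[(nic or "<unknown>", int(fail.group(1)))] += 1
            nic = None  # wait for the next request line
    return failures

def repeated_failures(lines, threshold=2):
    """(NIC, status) pairs that failed at least `threshold` times."""
    return sorted(k for k, n in failed_puts(lines).items() if n >= threshold)

# Constructed sample input: placeholder subscription, group and NIC names.
_BASE = ("https://management.azure.com//subscriptions/"
         "00000000-0000-0000-0000-000000000000/resourceGroups/example-rg/"
         "providers/Microsoft.Network/networkInterfaces/")

def _req(ts, nic, status=None):
    pfx = f"2020-02-12 {ts} -0800 vm_ha_state_trans INFO: : "
    url = f"{_BASE}{nic}?api-version=2019-08-01"
    out = [pfx + "URL for put request: " + url]
    if status:
        out += [pfx + f"Put Request Failed: {status}", pfx + "URL: " + url]
    return out

SAMPLE = (_req("05:21:21.588", "fw-a-eth2", 429)
          + _req("05:21:23.102", "fw-a-eth2", 429)
          + _req("05:21:24.310", "fw-a-eth1"))

if __name__ == "__main__":
    for nic, status in repeated_failures(SAMPLE):
        print(f"{nic}: PUT failed repeatedly with HTTP {status}")
```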
Environment
- Platform: VM-Series Firewall
- PAN-OS / Plugin Version: 9.0.5 / -
- Deployment: Azure
Cause
- The issue is seen when the virtual machine name in the Azure console and in the PAN-OS configuration do not match.
Resolution
1. By default, PAN-OS inherits the host name from the virtual machine name in the Azure console; it can differ if the user manually changed the host name in PAN-OS.
2. In the following example, the virtual machine name is vmseries10 in the Azure console and FW1 in PAN-OS.
4. You may have to configure the secondary IPs if they disappeared from the network interfaces of both units.