MAC flap on connected switches noticed when firewall in vwire mode


Created On 03/03/22 19:45 PM - Last Modified 03/10/22 00:32 AM


Symptom


  • Firewalls deployed in vwire mode
  • While serving response pages (captive portal, URL block or AV threat block pages), the firewall encapsulates the packets with the wrong MAC addresses: the source and destination MAC addresses are flipped.
  • The connected L2 switches receive MAC move notifications for the affected address, which can put the port into a blocking state and impact the network.
Example log output from the switch:
nexus-10.46.192.30# show logging | inc 220

2022 Mar  9 22:27:17 nexus-10.46.192.30 %L2FM-4-L2FM_MAC_MOVE2: Mac 001b.172c.cd27 in vlan 220 has moved between Po202 to Po203
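The switch log line above can be screened for automatically. The following is an added Python example (not from this article or from PAN-OS) that parses NX-OS L2FM_MAC_MOVE2 messages and reports MAC addresses that keep bouncing between the same two ports, which is the pattern the vwire pair produces; the log sample is constructed and reuses the MAC and ports from the article.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# NX-OS L2FM MAC-move message, in the format quoted in the switch log above.
MAC_MOVE_RE = re.compile(
    r"^(?P<ts>\d{4} \w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"%L2FM-4-L2FM_MAC_MOVE2: Mac (?P<mac>[0-9a-f.]+) in vlan (?P<vlan>\d+) "
    r"has moved between (?P<src>\S+) to (?P<dst>\S+)$"
)

# Constructed sample: one MAC flapping between the two vwire-facing port
# channels, one unrelated single move, and one non-matching line.
SAMPLE_LOG = """\
2022 Mar  9 22:27:17 nexus-10.46.192.30 %L2FM-4-L2FM_MAC_MOVE2: Mac 001b.172c.cd27 in vlan 220 has moved between Po202 to Po203
2022 Mar  9 22:27:18 nexus-10.46.192.30 %L2FM-4-L2FM_MAC_MOVE2: Mac 001b.172c.cd27 in vlan 220 has moved between Po203 to Po202
2022 Mar  9 22:27:19 nexus-10.46.192.30 %L2FM-4-L2FM_MAC_MOVE2: Mac 001b.172c.cd27 in vlan 220 has moved between Po202 to Po203
2022 Mar  9 22:27:40 nexus-10.46.192.30 %L2FM-4-L2FM_MAC_MOVE2: Mac 0050.56aa.0001 in vlan 30 has moved between Eth1/1 to Eth1/2
2022 Mar  9 22:27:41 nexus-10.46.192.30 %SYSLOG-5-UNRELATED: constructed non-matching line
"""


def parse_mac_moves(lines):
    """Return one dict per L2FM_MAC_MOVE2 line; every other line is ignored."""
    moves = []
    for line in lines:
        m = MAC_MOVE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        # NX-OS pads the day with a space ("Mar  9"); normalise before parsing.
        d["ts"] = datetime.strptime(" ".join(d["ts"].split()), "%Y %b %d %H:%M:%S")
        moves.append(d)
    return moves


def flapping_macs(moves, min_moves=2):
    """Group moves by (mac, vlan) and report entries that oscillate between the
    same pair of ports at least min_moves times. A vwire firewall that swaps
    SMAC/DMAC on its response pages shows up as its two ports in this report."""
    by_key = defaultdict(list)
    for mv in moves:
        by_key[(mv["mac"], mv["vlan"])].append(frozenset((mv["src"], mv["dst"])))
    report = {}
    for key, pairs in by_key.items():
        ports, n = Counter(pairs).most_common(1)[0]
        if n >= min_moves:
            report[key] = {"ports": tuple(sorted(ports)), "moves": n}
    return report
```

Run it against `show logging` output piped from the switch; entries whose port pair is the two switch ports facing the vwire are the ones to check against the fix in the Resolution section.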



Environment


  • PAN-OS 8.1.10
  • Firewall in vwire mode
  • Response Page configured (AV, Captive Portal, URL Block, etc)


Cause


  • While serving response pages in vwire mode, the firewall encapsulates the packets with the wrong MAC addresses (source and destination MAC addresses are flipped). This is tracked as bug PAN-139172.


Resolution


  1. Upgrade to PAN-OS 8.1.16, 9.0.10, 9.1.4, 10.0 or higher.
  2. Enable Response Page SMAC from the CLI:
admin@LAB(active)> set session change-smac-in-resp yes

To verify:

admin@AYKPPAFW01(active)> show session change-smac-in-resp status

Enabled Status: True

Note: The setting is saved to the configuration file and persists across reboots and upgrades.

Additional Information


PAN-OS 8.1.16 Addressed Issues
PAN-139172: Fixed an issue where response pages generated from the firewall used the SMAC and DMAC addresses from the original packet, which caused a MAC flap on connected switches.

