Accelerated networking on HA deployments on Azure

Accelerated networking on HA deployments on Azure

24386
Created On 07/28/22 17:55 PM - Last Modified 09/10/22 03:36 AM


Symptom


  • On Azure, the PA-VM Firewall will start with MMAP packet mode instead of the DPDK in High Availability deployments.
  • This may cause reduced Performance.

Environment


  • Azure
  • PA-VM-500
  • PAN-OS 9.1.10

Cause


  • For High Availability purposes on Azure, VM-Series Firewall need an additional Dataplane interface to use as HA link.
  • NIC for HA link will not have Accelerated Networking enabled by default, but other interfaces do have it enabled,
  • DPDK is not supported with mixed Accelerated networking interfaces so the Firewall will boot up with  packet mode MMAP.
  • This MMAP mode can reduce performance.
  • Example of accelerated network disabled in the Ethernet1/3:
> debug show vm-series interfaces all
 Interface_name       Base-OS_port       Base-OS_MAC        PCI-ID         Driver        Acc-Netw
 mgt                     eth0         00:0d:3a:4f:0f:7e                    hv_netvsc
 Ethernet1/1             eth1         00:0d:3a:4f:07:06                    hv_netvsc     ON
 Ethernet1/2             eth2         00:0d:3a:53:ca:c2                    hv_netvsc     ON
 Ethernet1/3             eth3         00:0d:3a:53:ab:d2                    hv_netvsc     OFF
  • Check for DPDK status on the Firewall:
> show system setting dpdk-pkt-io
Device current Packet IO mode:       Packet MMAP
Device DPDK Packet IO capable:        yes
Device default Packet IO mode:       Packet DPDK
  • We can see from the above output that the current mode is MMAP, but the device is DPDK capable.
  • DPDK support for VM-Series firewall instances on Azure with Azure Accelerated Networking (AN) enables higher throughput.

    Resolution


    1. Enable accelerated networking on all interfaces, including HA links, except on the management interface which does not support accelerated networking.
    2. Not enabling accelerated networking on Management does not prevent DPDK mode.
    3. Refer  How to enable/disable Azure Accelerated Networking and Validate  to enable Accelerated Networking and DPDK:

    Note for enabling accelerated networking on running VM:  A supported VM size without accelerated networking enabled can only have the feature enabled when it's stopped.

    Additional Information


    Support for DPDK on VM-Series on Azure
    Other users also viewed:
    Actions
    • Print
    • Copy Link

      https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000Cqr2CAC&lang=en_US%E2%80%A9&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

    Choose Language