Traffic is silently discarded/dropped in Active/Active HA implementation

Created On 06/14/23 13:50 PM - Last Modified 11/13/23 11:04 AM


Symptom


  • FW1 receives the initial packet of a new session and becomes the session owner.
  • FW1 determines that FW2 is the session setup firewall, so it forwards the packet to FW2 over the HA3 link.
  • On receiving the packet, FW2 performs slowpath processing and determines the ingress and egress interfaces while setting up the session.
  • FW2 then sends the packet back to FW1 over the HA3 link for Layer 7 processing, if any.
  • FW1 attempts to forward the packet out of the egress interface toward the destination, based on the session information received from FW2.
  • If the egress interface or sub-interface number in the session received from FW2 differs from the egress interface or sub-interface configured on FW1, the packet is discarded.
  • As a result, the global counters ha_aa_session_setup_too_many_retry, flow_no_interface and flow_arp_rcv_err may increment while the issue is occurring.
  • A packet capture taken on the firewall will show dropped SYN retransmissions.
  • Suspending any of the firewall nodes solves the problem.
 


Environment


  • PAN-OS: All
  • High Availability: Active/Active


Cause



The sub-interface numbers or interfaces used for the same ingress/egress traffic differ between the Active Primary and Active Secondary firewall nodes.

Example:
  • Active Primary: ethernet1/7.40 VLAN ID 40
  • Active Secondary: ethernet1/7.30 VLAN ID 30
OR:
  • Active Primary: ethernet1/1
  • Active Secondary: ethernet1/2


Resolution


Change the sub-interface numbers or interfaces to make them identical on both firewall nodes. The VLAN IDs may remain unchanged.

Example:

  • Active Primary: ethernet1/7.40 VLAN ID 40
  • Active Secondary: ethernet1/7.40 VLAN ID 30
OR:
  • Active Primary: ethernet1/1
  • Active Secondary: ethernet1/1
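As an added example (not from this article or from Palo Alto Networks), the following Python check compares the interface and sub-interface names defined on both HA peers and reports names that exist on only one of them, which is exactly the condition described under Cause. The sample input is constructed from the Cause and Resolution examples above in the shape of PAN-OS "set" format configuration lines; that line shape is an assumption to verify against a real export from your firewalls.

```python
import re
from typing import Dict, Optional, Set

# Constructed sample configuration, modelled on PAN-OS "set" format output
# (assumption: confirm the exact syntax against a real export before relying on it).
PRIMARY_BROKEN = """
set network interface ethernet ethernet1/7 layer3 units ethernet1/7.40 tag 40
set network interface ethernet ethernet1/1 layer3 ip 10.0.1.1/24
"""
SECONDARY_BROKEN = """
set network interface ethernet ethernet1/7 layer3 units ethernet1/7.30 tag 30
set network interface ethernet ethernet1/2 layer3 ip 10.0.1.2/24
"""
# Secondary after applying the Resolution: names match the primary, VLAN IDs unchanged.
SECONDARY_FIXED = """
set network interface ethernet ethernet1/7 layer3 units ethernet1/7.40 tag 30
set network interface ethernet ethernet1/1 layer3 ip 10.0.1.2/24
"""

# A Layer 3 sub-interface line: parent, sub-interface name and VLAN tag.
SUBIF_RE = re.compile(
    r"^set network interface ethernet (?P<parent>ethernet\d+/\d+) layer3 units "
    r"(?P<subif>ethernet\d+/\d+\.\d+) tag (?P<tag>\d+)\b"
)
# A physical Layer 3 interface line (any trailing parameters are ignored).
PHYS_RE = re.compile(r"^set network interface ethernet (?P<iface>ethernet\d+/\d+) layer3\b")


def parse_interfaces(config_text: str) -> Dict[str, Optional[int]]:
    """Map every interface/sub-interface name to its VLAN tag (None when untagged)."""
    ifaces: Dict[str, Optional[int]] = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        m = SUBIF_RE.match(line)
        if m:
            ifaces.setdefault(m.group("parent"), None)
            ifaces[m.group("subif")] = int(m.group("tag"))
            continue
        m = PHYS_RE.match(line)
        if m:
            ifaces.setdefault(m.group("iface"), None)
    return ifaces


def find_interface_mismatches(primary_cfg: str, secondary_cfg: str) -> Set[str]:
    """Return interface names present on only one peer. A session set up on the peer
    that references such a name cannot be forwarded by the session owner, so these are
    the names to rename. Differing VLAN tags on identically named sub-interfaces are
    deliberately not reported, since the article states VLAN IDs may stay different."""
    return set(parse_interfaces(primary_cfg)) ^ set(parse_interfaces(secondary_cfg))
```

An empty result means the peers agree on interface names; a non-empty result lists exactly the interfaces to align, and the global counters named under Symptom are the runtime signal that the mismatch is being hit.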


Additional Information


In an Active/Active HA implementation, the session owner and session setup roles can be assigned to different firewall nodes. For more information, consult the PAN-OS Administrator's Guide at the following link:

https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/high-availability/ha-concepts/session-setup


