Microsoft Hyper-V VM-Series HA2 link flaps when using NIC teaming on Windows Server

• Active and passive PA-VMs with HA2 keepalives enabled are each on different Windows Server hosts with Microsoft Hyper-V installed.
• The hosts are connected to network switches using Windows Server NIC teaming in Switch Independent mode with Dynamic load-balancing.
• When load balancing, said mode replaces the VM network adapter's source MAC address with that of one of the physical interfaces of the NIC team.
• On the HA2 links, the peer PA-VM receives the packet with a source MAC address different from that of the HA2 interface of its peer and drops it.
• The HA2 and HA2 backup links therefore flap continuously under heavy traffic load triggering link load balancing.
• System logs (show log system) report HA2 keep-alive down messages

critical ha             ha2-kee 0  HA Group 1: Local HA2 keep-alive down

• Microsoft Windows Server 2012(R)/2016
  • Microsoft Hyper-V
  • NIC team in Switch Independent mode with Dynamic load-balancing
  • External virtual switch connected to NIC team
• Active/Passive High Availability (HA) VM-Series firewall pair
• PAN-OS 10.1.5-h1
• Network switch(es) connecting hosts

• HA2 and/or HA2 backup links expect to receive HA2 keep-alives only with the source MAC address of its peer PA-VM's Hypervisor-assigned MAC address of its virtual network adapter.
• Since the MAC address of the source is changed, they are dropped.