Internet or Traffic Outage After Enabling HA
Created On 03/02/23 12:42 PM - Last Modified 02/05/25 22:52
Symptom
- High Availability (HA) has just been enabled on the firewalls.
- Traffic stops working for IP addresses used in NAT rules (any address other than an interface IP address).
- Next hop devices do not refresh their ARP entries for static/destination NAT IP addresses after HA is enabled.
- The IP address used for NAT is not configured on any firewall interface.
Environment
- Palo Alto Firewalls
- Supported PAN-OS
- High Availability (HA) Active/Passive
Cause
- When HA is enabled, the firewall does not send Gratuitous ARP (GARP) for NAT IP addresses. This applies to both hardware and VM-Series platforms.
- GARP is sent only for the IP addresses configured on the physical dataplane interfaces.
- After HA is enabled, the firewall assigns a virtual MAC address to each dataplane interface; this MAC floats between the two HA peers and replaces the interface's physical MAC for forwarding.
- The GARP for the interface IP updates the next hop's ARP cache only for that IP. It does nothing for the IP addresses used in NAT policies, so the next hop's forwarding entries for those addresses are not updated.
- Because no GARP is sent for the NAT IP addresses, the next hop keeps sending traffic for them to the interface's previous (physical) MAC address.
- Traffic to those NAT IPs fails until the next hop device ARPs for them again (for example when its ARP entry ages out), if it does so at all.
Resolution
There are two solutions:
- Run a test command on the firewall to send a GARP for each NAT IP (repeat it for every NAT IP on the affected interface):
> test arp gratuitous interface <value> ip <NAT ip/netmask>
- Configure each NAT IP as an additional IP address on the firewall interface facing the next hop that needs the ARP refresh, so that GARP is sent for it along with the other interface IPs.
Note: The virtual MAC address floats between the HA peers and does not change on failover, so this only needs to be done once. After a failover, traffic for the NAT IPs continues to work without repeating the steps on the secondary firewall.
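The following is an added helper script, not Palo Alto Networks code, that automates the check behind the two solutions above: it walks a PAN-OS style XML configuration, collects every IP that a next hop must be able to resolve because of NAT (source-translated addresses, and the pre-NAT destination of each destination NAT rule), drops the ones already configured on an interface (those get a GARP anyway), and renders the `test arp gratuitous` command for the rest. The XML paths (`network/interface/ethernet/entry/layer3/ip`, `vsys/entry/rulebase/nat/rules`, `vsys/entry/address`) are assumed to match a running-config export; the sample config is constructed inline and reuses the 12.254.254.0/24 addresses from the example below. Address objects of type ip-netmask are resolved; FQDN and range objects are skipped.

```python
"""Find NAT IPs that get no GARP after enabling HA and build the
'test arp gratuitous' commands for them.  Added example, not PAN-OS
code; the XML paths below are assumed to match a config export."""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample config (not from a real device): one Internet-facing
# interface, an SNAT rule using a non-interface IP, a DNAT rule whose public
# IP is an address object, an SNAT rule that translates to the interface IP
# itself, and an SNAT rule that uses the interface address directly.
SAMPLE_CONFIG = """
<config>
 <devices><entry name="localhost.localdomain">
  <network><interface><ethernet>
   <entry name="ethernet1/1"><layer3><ip><entry name="12.254.254.5/24"/></ip></layer3></entry>
   <entry name="ethernet1/2"><layer3><ip><entry name="10.0.0.1/24"/></ip></layer3></entry>
  </ethernet></interface></network>
  <vsys><entry name="vsys1">
   <address>
    <entry name="web-public"><ip-netmask>12.254.254.8/32</ip-netmask></entry>
   </address>
   <rulebase><nat><rules>
    <entry name="outbound-snat">
     <source-translation><dynamic-ip-and-port><translated-address>
      <member>12.254.254.7</member>
     </translated-address></dynamic-ip-and-port></source-translation>
    </entry>
    <entry name="web-dnat">
     <destination><member>web-public</member></destination>
     <destination-translation><translated-address>10.0.0.50</translated-address></destination-translation>
    </entry>
    <entry name="mgmt-snat">
     <source-translation><static-ip><translated-address>12.254.254.5</translated-address></static-ip></source-translation>
    </entry>
    <entry name="interface-snat">
     <source-translation><dynamic-ip-and-port><interface-address>
      <interface>ethernet1/1</interface>
     </interface-address></dynamic-ip-and-port></source-translation>
    </entry>
   </rules></nat></rulebase>
  </entry></vsys>
 </entry></devices>
</config>
"""


def _resolve(vsys, name):
    """Turn a literal IP or an ip-netmask address object into an ip_address.
    Returns None for 'any' and for object types not handled here (FQDN, range)."""
    if name is None or name.strip() == "any":
        return None
    try:
        return ipaddress.ip_interface(name.strip()).ip
    except ValueError:
        obj = vsys.find(f"./address/entry[@name='{name.strip()}']/ip-netmask")
        return ipaddress.ip_interface(obj.text).ip if obj is not None else None


def interface_ips(root):
    """Map every Layer 3 interface IP to (interface name, its network)."""
    owned = {}
    for iface in root.iterfind(".//network/interface/ethernet/entry"):
        for ip in iface.iterfind("./layer3/ip/entry"):
            intf = ipaddress.ip_interface(ip.get("name"))
            owned[intf.ip] = (iface.get("name"), intf.network)
    return owned


def nat_ips(vsys):
    """IPs a next hop must resolve because of NAT rules: source-translated
    addresses, plus the pre-NAT destination of every destination NAT rule."""
    ips = set()
    for rule in vsys.iterfind("./rulebase/nat/rules/entry"):
        snat = rule.find("source-translation")
        if snat is not None:
            # static-ip carries the address as text; dynamic-ip(-and-port) as members
            for ta in snat.iter("translated-address"):
                names = [m.text for m in ta.findall("member")] or [ta.text]
                ips.update(ip for ip in (_resolve(vsys, n) for n in names) if ip is not None)
        if rule.find("destination-translation") is not None:
            for m in rule.iterfind("./destination/member"):
                ip = _resolve(vsys, m.text)
                if ip is not None:
                    ips.add(ip)
    return ips


def garp_plan(config_xml):
    """NAT IPs not owned by any interface, each with the interface whose
    subnet contains it and that subnet's prefix length (None if no
    directly connected interface matches)."""
    root = ET.fromstring(config_xml)
    vsys = root.find(".//vsys/entry")
    owned = interface_ips(root)
    plan = []
    for ip in sorted(nat_ips(vsys)):
        if ip in owned:
            continue  # interface IPs already get a GARP from the dataplane
        iface, plen = next(((name, net.prefixlen) for name, net in owned.values() if ip in net),
                           (None, None))
        plan.append((str(ip), iface, plen))
    return plan


def garp_commands(config_xml):
    """Render the CLI command from the Resolution section for each planned IP."""
    return [f"test arp gratuitous interface {iface} ip {ip}/{plen}"
            for ip, iface, plen in garp_plan(config_xml) if iface]


if __name__ == "__main__":
    for line in garp_commands(SAMPLE_CONFIG):
        print(line)
```

For the sample config this yields commands for 12.254.254.7 and 12.254.254.8 on ethernet1/1 only; 12.254.254.5 is skipped because it is the interface IP, and the interface-address SNAT rule contributes nothing. A NAT IP whose subnet matches no interface is kept in `garp_plan` with `None` for the interface, which is the case to look at by hand (routed public range, wrong zone, or a typo in the rule).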
Additional Information
Example:
Firewall interface ethernet1/1 is the Internet-facing interface with IP address 12.254.254.5/24. The NAT rule that lets internal systems reach the Internet uses source translation to 12.254.254.7, which is not configured on any interface.
After HA is enabled, internal systems can no longer reach the Internet. The firewall sent a GARP carrying the new virtual MAC address only for 12.254.254.5, so the next hop's ARP entry for 12.254.254.7 still points at the old MAC address and return traffic for the translated sessions is sent to the wrong MAC.