Active/Active HA drops traffic in network with asymmetric routing.
22920
Created On 07/05/21 03:28 AM - Last Modified 01/09/25 05:30 AM
Symptom
- In networks with asymmetric routing, packets matching a session owned by the active-primary firewall may arrive on the active-secondary, or vice versa.
- For instance, a packet matching a session owned by the active-primary arrives on the active-secondary and is sent to the active-primary through the HA3 link.
- When the packet arrives on the active-primary, it is dropped and the following global counter increments:
flow_fwd_notopology 90 1 drop flow forward Packets dropped: no forwarding configured on interface
- In a flow basic capture collected on the active-primary, the drop reason is shown as:
"Packet dropped, no forwarding topology configured on interface 134" >>> 134 is the interface ID shown in "show interface all".
Environment
- Palo Alto Firewalls
- Supported PAN-OS
- High Availability Active/Active
- VR sync option
Cause
- This occurs when the VR sync option is not enabled.
- When VR sync is not enabled, the VR settings, including the interface-to-VR assignments, are not synchronized between the Active/Active HA firewalls.
- If the interface that receives the packet on the active-secondary is not configured in any VR on the active-primary, the active-primary drops the forwarded packet.
- For example, interface ethernet1/23.842 on the active-secondary receives the packet, but the same interface on the active-primary is not added to any VR.
active-secondary:
name id vsys zone forwarding tag address
ethernet1/23.842 134 1 untrust vr:TU-Router 842 x.x.x.x/x
active-primary:
name id vsys zone forwarding tag address
ethernet1/23.842 134 1 N/A 842 N/A
Resolution
- To prevent the active-primary from dropping the packet, add the corresponding interface ethernet1/23.842 to a VR on the active-primary.
- In asymmetric network environments, enabling VR sync in Active/Active HA may not be a desirable option.
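The following script is an added example, not part of this article or of PAN-OS: it compares the "show interface all" output of both HA peers and reports interfaces that forward into a VR on one peer but have no VR on the other, which is the condition that produces the flow_fwd_notopology drop described above. The sample output is constructed from the excerpts in the Cause section; interface ethernet1/23.843 is an assumed, correctly configured interface added for contrast.

```python
# Constructed "show interface all" excerpts for both HA peers, modelled on
# the article. Only the 'name' and 'forwarding' columns are used.
ACTIVE_SECONDARY = """\
name id vsys zone forwarding tag address
ethernet1/23.842 134 1 untrust vr:TU-Router 842 x.x.x.x/x
ethernet1/23.843 135 1 untrust vr:TU-Router 843 x.x.x.x/x
"""
ACTIVE_PRIMARY = """\
name id vsys zone forwarding tag address
ethernet1/23.842 134 1 N/A 842 N/A
ethernet1/23.843 135 1 untrust vr:TU-Router 843 x.x.x.x/x
"""


def parse_forwarding(output):
    """Map interface name -> forwarding target ('vr:NAME' or 'N/A').

    The forwarding column is located by its 'vr:' prefix rather than by
    position, so rows where zone and forwarding collapse into a single
    N/A (as in the active-primary excerpt) still parse correctly.
    """
    table = {}
    for line in output.splitlines():
        fields = line.split()
        if not fields or fields[0] == "name":  # skip blank and header rows
            continue
        fwd = next((f for f in fields if f.startswith("vr:")), "N/A")
        table[fields[0]] = fwd
    return table


def find_unforwarded_peers(peer_a_output, peer_b_output):
    """Return (interface, forwarding on A, forwarding on B) for every
    interface that is in a VR on one peer but not on the other.

    The check is symmetric: with asymmetric routing, either peer may
    receive a packet that is redirected over HA3 to the session owner,
    so both directions can trigger flow_fwd_notopology.
    """
    fwd_a = parse_forwarding(peer_a_output)
    fwd_b = parse_forwarding(peer_b_output)
    mismatches = []
    for name in sorted(set(fwd_a) | set(fwd_b)):
        a = fwd_a.get(name, "missing")
        b = fwd_b.get(name, "missing")
        if a != b and "N/A" in (a, b):
            mismatches.append((name, a, b))
    return mismatches


if __name__ == "__main__":
    for name, a, b in find_unforwarded_peers(ACTIVE_SECONDARY, ACTIVE_PRIMARY):
        print(f"{name}: active-secondary={a} active-primary={b}")
```

After adding ethernet1/23.842 to the VR on the active-primary, rerunning the comparison with fresh output from both peers should report nothing.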