Floating IP is not getting associated with the new Active Firewall after a failover on Oracle Cloud OCI

Floating IP is not getting associated with the new Active Firewall after a failover on Oracle Cloud OCI

3639

Created On 04/10/24 08:55 AM - Last Modified 01/10/25 20:28 PM

Active-Passive

Oracle Cloud Infrastructure

High Availability

Plugins

Public Cloud

9.1

9.2

10.0

10.2

10.1

11.1

11.0

PAN-OS

VM-Series

Next-Generation Firewall

Symptom

Palo Alto VM Firewalls hosted on Oracle Cloud.
High Availability (HA) configured as Active Passive.
Failover performed from Active to Passive.
Traffic issues observed after failover.

Environment

Palo Alto VM Firewalls on Oracle CIoud
High Availability (Active/Passive)

Cause

DNS Servers configured on the Firewall are reachable through the Dataplane of the same Firewall.
After the failover, the plugin on the Active FW needs to resolve DNS to associate the floating IP to itself for processing traffic.
The Active FW is now unable to resolve the DNS as it needs to associate the floating IP first before processing any DataPlane traffic.

Resolution

Configure the DNS Servers to be reachable through the Management interface and not through the Dataplane of the Firewall.