HA Firewalls in different Cluster have the Same MAC Addresses for network interfaces
10501
Created On 02/08/23 18:09 PM - Last Modified 02/10/25 21:01 PM
Symptom
- Firewalls that are not in the same HA cluster (i.e., not in the same HA Active/Passive pair) may have the same network interface MAC addresses.
- This may be the case even when these separate firewalls are not in the same data center or in the same VLANs.
Environment
- PAN-OS 8.1 and above.
- Palo Alto Firewalls
- High Availability (HA) Active/Passive
Cause
- When HA is enabled, a virtual MAC address is applied to all of the firewall's network interfaces.
- These MAC addresses are generated based on the configured HA Group ID.
- Different HA clusters using an identical HA Group ID will have the same MAC addresses.
Resolution
- When HA is configured, virtual MAC addresses are generated and used instead of the local MAC addresses.
- The virtual MAC addresses are generated based on the Group ID configured on HA.
- When multiple HA clusters use the same Group ID, the same MAC addresses are generated.
- If both HA clusters are used in the same network, mis-forwarding may occur due to the use of the same virtual MAC address.
- If the HA clusters must be on the same VLAN, use different Group IDs for different clusters.
Additional Information
Example: the following shows a PA firewall's network interface MAC addresses.
- Before enabling HA, the MAC addresses are as below. Interfaces 1/1, 1/3 and 1/6 are enabled for testing:
> show interface all
total configured hardware interfaces: 3
name id speed/duplex/state mac address
--------------------------------------------------------------------------------
ethernet1/1 16 ukn/ukn/down(autoneg) 84:d4:12:52:37:10 <<< Here
ethernet1/3 18 ukn/ukn/down(autoneg) 84:d4:12:52:37:12 <<< Here
ethernet1/6 21 ukn/ukn/down(autoneg) 84:d4:12:52:37:15 <<< Here
<SNIP>
> show high-availability all
HA not enabled
- After enabling HA with Group ID 1, the network interfaces' MAC addresses change as below. They are the same MACs for Group ID 1 on any HA Active/Passive firewalls.
> show interface all
total configured hardware interfaces: 3
name id speed/duplex/state mac address
--------------------------------------------------------------------------------
ethernet1/1 16 ukn/ukn/down(autoneg) 00:1b:17:00:01:10 <<< Here
ethernet1/3 18 ukn/ukn/down(autoneg) 00:1b:17:00:01:12 <<< Here
ethernet1/6 21 ukn/ukn/down(autoneg) 00:1b:17:00:01:15 <<< Here
<SNIP>
(active)> show high-availability all
Group 1: <<<<<<<<<<<<<<<<<<<<<<< Here Group1
Mode: Active-Passive
Local Information:
Version: 1
Mode: Active-Passive
State: active (last 15 seconds)
<SNIP>
- Changing the HA Group ID to Group 2 (instead of Group 1 as seen above), the MAC addresses are updated to use :02: for the second-to-last octet:
(active)> show interface all
total configured hardware interfaces: 3
name id speed/duplex/state mac address
--------------------------------------------------------------------------------
ethernet1/1 16 ukn/ukn/down(autoneg) 00:1b:17:00:02:10 <<< Here
ethernet1/3 18 ukn/ukn/down(autoneg) 00:1b:17:00:02:12 <<< Here
ethernet1/6 21 ukn/ukn/down(autoneg) 00:1b:17:00:02:15 <<< Here
<SNIP>
(active)> show high-availability all
Group 2: <<< Here
Mode: Active-Passive
Local Information:
Version: 1
Mode: Active-Passive
<SNIP>
- When using HA Group 63, the network interface MAC addresses switch to :3f: for the second-to-last octet (the hex value of 63):
(active)> show interface all
total configured hardware interfaces: 3
name id speed/duplex/state mac address
--------------------------------------------------------------------------------
ethernet1/1 16 ukn/ukn/down(autoneg) 00:1b:17:00:3f:10 <<< Here
ethernet1/3 18 ukn/ukn/down(autoneg) 00:1b:17:00:3f:12 <<< Here
ethernet1/6 21 ukn/ukn/down(autoneg) 00:1b:17:00:3f:15 <<< Here
(active)> show high-availability all
Group 63: <<< Here
Mode: Active-Passive
Local Information:
Version: 1
Mode: Active-Passive
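The Cause and Resolution sections describe the mechanism, and the outputs above show the resulting pattern: with HA enabled, every interface MAC becomes 00:1b:17:00 followed by the HA Group ID in hex and then the interface ID in hex (interface id 16 is 0x10, 18 is 0x12, 21 is 0x15). The script below is an added example, not Palo Alto Networks code or output from the article; it derives the expected virtual MAC from those two values, parses `show interface all` text in the layout shown above, and flags virtual MACs that appear in more than one HA cluster, which is the condition that causes the mis-forwarding the Resolution warns about. The cluster names, the sample outputs and the assumption that Group IDs run from 1 to 63 (63 being the largest value the article demonstrates) are constructed for this example.

```python
import re
from collections import defaultdict

# Prefix observed in every post-HA MAC in the article's output.
HA_MAC_PREFIX = "00:1b:17:00"

def virtual_mac(group_id: int, interface_id: int) -> str:
    """Expected HA virtual MAC for a Group ID and interface ID (pattern from the article).

    Assumes Group IDs 1..63 (the article's largest example is 63, hex 3f)."""
    if not 1 <= group_id <= 63:
        raise ValueError("HA Group ID out of assumed range 1..63: %r" % group_id)
    if not 0 <= interface_id <= 0xFF:
        raise ValueError("interface id must fit in one octet: %r" % interface_id)
    return "%s:%02x:%02x" % (HA_MAC_PREFIX, group_id, interface_id)

def group_id_from_mac(mac: str):
    """Recover the HA Group ID from a virtual MAC; None if the MAC is not an HA virtual MAC."""
    octets = mac.lower().split(":")
    if len(octets) != 6 or ":".join(octets[:4]) != HA_MAC_PREFIX:
        return None
    return int(octets[4], 16)

# One data row of `show interface all`: name, id, speed/duplex/state, mac address.
# The trailing "<<< Here" annotations in the article are ignored by the regex.
ROW_RE = re.compile(r"^(ethernet\d+/\d+)\s+(\d+)\s+\S+\s+([0-9a-fA-F:]{17})")

def parse_show_interface(text: str) -> dict:
    """Map interface name -> (interface id, mac) from `show interface all` output."""
    result = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            result[m.group(1)] = (int(m.group(2)), m.group(3).lower())
    return result

def mismatched_macs(text: str, group_id: int) -> list:
    """Interfaces whose observed MAC differs from the MAC expected for group_id."""
    return [name for name, (ifid, mac) in parse_show_interface(text).items()
            if mac != virtual_mac(group_id, ifid)]

def find_mac_collisions(cluster_outputs: dict) -> dict:
    """Given {cluster name: show-interface text}, return {mac: [(cluster, iface), ...]}
    for every MAC that appears in two or more different clusters."""
    owners = defaultdict(list)
    for cluster, text in cluster_outputs.items():
        for name, (_ifid, mac) in parse_show_interface(text).items():
            owners[mac].append((cluster, name))
    return {mac: o for mac, o in owners.items() if len({c for c, _ in o}) > 1}

# Constructed sample outputs in the article's layout. Clusters "dc1-pair" and
# "dc2-pair" both use Group ID 1; "dc3-pair" uses Group ID 2.
SAMPLE_GROUP1 = """\
total configured hardware interfaces: 3
name id speed/duplex/state mac address
--------------------------------------------------------------------------------
ethernet1/1 16 ukn/ukn/down(autoneg) 00:1b:17:00:01:10 <<< Here
ethernet1/3 18 ukn/ukn/down(autoneg) 00:1b:17:00:01:12 <<< Here
ethernet1/6 21 ukn/ukn/down(autoneg) 00:1b:17:00:01:15 <<< Here
"""
SAMPLE_GROUP2 = SAMPLE_GROUP1.replace(":01:", ":02:")
CLUSTERS = {"dc1-pair": SAMPLE_GROUP1, "dc2-pair": SAMPLE_GROUP1, "dc3-pair": SAMPLE_GROUP2}

if __name__ == "__main__":
    for mac, who in sorted(find_mac_collisions(CLUSTERS).items()):
        print("duplicate virtual MAC %s (Group ID %d) on: %s"
              % (mac, group_id_from_mac(mac), ", ".join("%s %s" % w for w in who)))
```

Running the script reports the three Group ID 1 MACs as shared between dc1-pair and dc2-pair; dc3-pair, on Group ID 2, produces no collision. A collision across clusters that sit in the same VLAN is the case where a different Group ID must be assigned, as the Resolution states.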