Different MAC Address on HA Active/Passive Pair in VM-Series Interfaces

Created On 04/13/19 13:36 PM - Last Modified 01/28/20 18:21 PM


Symptom


On hardware-based PAN-OS firewalls in an active/passive High Availability (HA) pair, both the Active and the Passive peer use the same virtual MAC address. On VM-Series PAN-OS firewalls, by default the active/passive peers have different MAC addresses. As a result, endpoint devices and Layer-3 devices such as routers may have to re-resolve the gateway MAC address every time an HA failover happens.

Please refer to the following article for more information: How to Calculate a Virtual MAC Address.


Environment


VM-Series firewall 

Cause


This behavior is due to the MAC address assigned by the hypervisor.
For more information on this, please refer to this article: Hypervisor Assigned MAC Addresses

To check the setting, navigate to Device tab > Management and look at the checkbox Use Hypervisor Assigned MAC Addresses.

This is enabled by default. Please refer to the images below, which show that the Active and the Passive device have different MAC addresses.

Active Firewall: [image]

Passive Firewall: [image]


Resolution


To change the default behavior of HA active/passive holding different MAC addresses, follow the steps below:

Please uncheck "Use Hypervisor Assigned MAC Addresses" and commit the changes.

HA - Active Firewall: [image]

HA - Passive Firewall: [image]

NOTE: There is no option to enable or disable the use of hypervisor assigned MAC addresses on AWS and Azure. It is enabled by default for both platforms and cannot be disabled.

Caveat: You may also need to enable promiscuous mode on the hypervisor.


Additional Information


Changing the hypervisor-assigned MAC setting may lead to a split-brain condition if a dataplane interface is used for HA1 and HA1 backup. There should be no issue or action required if the management interface is used for HA1 or HA1 backup.

To enable promiscuous mode on VMware ESXi, refer to:
https://pubs.vmware.com/vsphere-4-esx-vcenter/index.jsp?topic=/com.vmware.vsphere.server_configclassic.doc_41/esx_server_config/securing_an_esx_configuration/c_promiscuous_mode_operation.html

With the default vSwitch port settings, the vSwitch only forwards traffic that carries the MAC address VMware assigned to the virtual NIC. Traffic sourced from any other MAC address is blocked by default, so the HA1 link goes down, which leads to a split-brain condition in the HA pair.

[image: HA1 link down, HA in split-brain condition]

To resolve this issue, change the vSwitch security settings from the default to the Accept state. The HA1 link will then come up and the pair will work as expected.

[image: HA pair restored]
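The following is an added example (not part of this article or of any Palo Alto Networks or VMware tooling) that audits an ESXi standard vSwitch security policy before "Use Hypervisor Assigned MAC Addresses" is disabled, flagging any setting still at Reject. It assumes the output format of esxcli's policy security get command; the sample outputs embedded below are constructed to mirror that format, so the script runs offline.

```shell
#!/bin/sh
# Added example: audit an ESXi standard vSwitch security policy for the
# Accept settings a VM-Series HA pair needs once the firewall stops using
# hypervisor-assigned MACs (otherwise HA1 frames are dropped -> split-brain).
#
# On a live ESXi host the policy is read with:
#   esxcli network vswitch standard policy security get -v <vSwitch>
# and changed with:
#   esxcli network vswitch standard policy security set -v <vSwitch> \
#     --allow-promiscuous true --allow-mac-change true --allow-forged-transmits true
# The two samples below are constructed to mirror the "get" output format.

SAMPLE_REJECT='   Allow Promiscuous: false
   Allow MAC Address Change: false
   Allow Forged Transmits: false'

SAMPLE_ACCEPT='   Allow Promiscuous: true
   Allow MAC Address Change: true
   Allow Forged Transmits: true'

# policy_value "<esxcli output>" "<setting label>": prints the value
# (true/false) of one setting, or "unknown" if the label is absent.
policy_value() {
    printf '%s\n' "$1" | awk -F': *' -v key="$2" '
        { sub(/^[ \t]+/, "") }          # strip esxcli indentation
        $1 == key { print $2; found = 1 }
        END { if (!found) print "unknown" }'
}

# vswitch_ready "<esxcli output>": returns 0 when all three settings are
# Accept (true); otherwise prints each setting still at Reject and returns 1.
vswitch_ready() {
    policy=$1
    rc=0
    for key in "Allow Promiscuous" "Allow MAC Address Change" "Allow Forged Transmits"; do
        val=$(policy_value "$policy" "$key")
        if [ "$val" != "true" ]; then
            echo "REJECT: $key is $val; set it to Accept before unchecking hypervisor-assigned MACs"
            rc=1
        fi
    done
    return $rc
}

# Live usage (ESXi shell):
#   vswitch_ready "$(esxcli network vswitch standard policy security get -v vSwitch1)"
```

Run it against the HA1 vSwitch on each ESXi host carrying a VM-Series peer; any REJECT line is a setting that will drop the firewall's HA1 frames after the change.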

