Traffic Issues for NAT IPs after HA Failover on VM Series Platforms

Created On 07/24/19 08:30 AM - Last Modified 10/31/19 17:55 PM


Symptom


On VM-Series firewalls in an HA pair, traffic stops working after an HA failover for IP addresses used in NAT rules (other than the interface IP addresses). The next-hop devices do not refresh their ARP entries for static/destination NAT IP addresses upon HA failover.

Environment


Platform - VM Series Firewalls in HA
Environment - All Virtualization environments


Cause


Firewalls do not send G-ARP for NAT IP addresses on either hardware or VM-Series platforms.

Hardware platforms use a virtual MAC address on the dataplane interface that floats between the two HA peers; this MAC address does not change on failover. When a failover occurs, the G-ARP sent for the dataplane interface lets next-hop devices update their L2 forwarding tables, and their L3 forwarding (ARP) tables need no update because the MAC address stays the same. The next-hop devices therefore keep sending traffic to the new active firewall, where the virtual MAC is now active.

On VM-Series firewalls configured with "Hypervisor Assigned MAC Address", however, the virtual MAC address is not used. Each HA peer's dataplane interface has a unique MAC address assigned by the hypervisor, so the MAC address changes on failover: DIFFERENT MAC ADDRESS ON HA ACTIVE/PASSIVE PAIR IN VM-SERIES INTERFACES

This affects traffic to NAT IP addresses because a G-ARP for the dataplane interface alone is not enough to update the L3 forwarding tables on the next-hop devices for addresses used in a NAT policy on the firewall. The firewall does not send G-ARP for the NAT IP addresses, so the next hop keeps its ARP entries for them with the MAC address of the previously active firewall. Traffic to those addresses continues to fail until the next-hop devices send a new ARP query for the NAT IPs.


Resolution


There are two solutions to this at present:

1. Run a test command on the firewall to send G-ARP for the NAT IPs:
test arp gratuitous interface <value> ip <ip/netmask>

2. Configure all the NAT IPs on the firewall interface where the ARP refresh needs to happen.
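The following is an added example (not from the article or from Palo Alto Networks) that models the next-hop router's ARP cache across a failover to show the Cause above and the effect of the first Resolution. All addresses, MACs and the interface name are constructed; the `/32` netmask in the generated CLI lines is an assumption about how a single NAT IP is written in the `ip <ip/netmask>` argument.

```python
"""Model of a next-hop router's ARP cache across a VM-Series HA failover.

Constructed scenario: two HA peers using hypervisor-assigned (different)
MACs, one shared dataplane interface IP, and two IPs used only in NAT rules.
"""

IFACE_IP = "10.0.0.1"                     # dataplane interface IP (constructed)
NAT_IPS = ["10.0.0.50", "10.0.0.51"]      # addresses used only in NAT rules (constructed)
MAC_FW1 = "00:50:56:aa:aa:01"             # hypervisor-assigned MAC, peer 1 (constructed)
MAC_FW2 = "00:50:56:aa:aa:02"             # hypervisor-assigned MAC, peer 2 (constructed)
VIRTUAL_MAC = "00:1b:17:00:01:10"         # floating MAC as on hardware platforms (constructed)


def learn_by_query(active_mac):
    """Next hop has ARPed for every address while the first peer was active."""
    return {ip: active_mac for ip in [IFACE_IP] + NAT_IPS}


def apply_garp(cache, ips, new_mac):
    """A gratuitous ARP rewrites the cache entry only for the IPs it announces."""
    for ip in ips:
        cache[ip] = new_mac
    return cache


def failover(cache, new_active_mac, garp_nat_ips=False):
    """The other peer becomes active. The firewall sends G-ARP for the
    interface IP only; NAT IPs are announced only when an operator runs
    'test arp gratuitous' for them (garp_nat_ips=True)."""
    announced = [IFACE_IP] + (NAT_IPS if garp_nat_ips else [])
    return apply_garp(dict(cache), announced, new_active_mac)


def stale_entries(cache, active_mac):
    """IPs whose frames the next hop would still send to the old (now passive) peer."""
    return sorted(ip for ip, mac in cache.items() if mac != active_mac)


def garp_commands(interface, ips):
    """PAN-OS CLI lines from the Resolution section, one per NAT IP.
    The /32 netmask for a single host address is an assumption."""
    return [f"test arp gratuitous interface {interface} ip {ip}/32" for ip in ips]


if __name__ == "__main__":
    before = learn_by_query(MAC_FW1)
    print("stale after failover, interface G-ARP only:", stale_entries(failover(before, MAC_FW2), MAC_FW2))
    print("stale after failover plus NAT-IP G-ARP:   ", stale_entries(failover(before, MAC_FW2, True), MAC_FW2))
    print("stale with a floating virtual MAC:        ", stale_entries(failover(learn_by_query(VIRTUAL_MAC), VIRTUAL_MAC), VIRTUAL_MAC))
    print("\n".join(garp_commands("ethernet1/1", NAT_IPS)))
```

With hypervisor-assigned MACs the NAT IPs stay pinned to the old peer's MAC until they are announced; with a floating virtual MAC nothing goes stale, which is the hardware behaviour described in the Cause section.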


Additional Information


Enable Use of Hypervisor Assigned MAC Addresses


