Monday, September 14, 2020

Palo Alto transition from ASA: can ping across sites but cannot load services from some VLANs

We are in the midst of transitioning to Palo Alto firewalls from Cisco ASAs.

Setup is Active/Active HA with a 10GB link connecting the Palo Alto HA pair. Using our old ASA setup and just management ports on the Palos connected to the network, I can ping and load HTTPS of the management interface of the Palo Alto without issue from the opposite site (Site A->Site B; Site B->Site A).

Once we move production traffic from the ASAs to the Palo Altos, I can still ping the management interface of the opposite-site Palo Alto, but cannot load HTTPS, receiving a connection reset in the web browser. We see this issue across a few other VLANs as well.

HTTPS is allowed in the management profile and it clearly works when we just have PA management hooked to the network while still using the ASAs.

A diagram of the setup can be seen here: https://i.imgur.com/RrPFxq9.png

All traffic primarily goes over the 10GB link and spanning tree holds down the VLANs on our backup 500MB link. We have confirmed spanning tree is operating as expected (blocking the cross-site port for all VLANs on the 500MB line) and traffic is flowing across the 10GB link.

I'm stumped at the moment as to where asymmetrical routing may be occurring, or if that is even part of the problem.
