Tuesday, May 21, 2019

Issues Running ASA HA Through Palo Alto Virtual Wire

'X-Posted from Palo Alto SubReddit'

Ok folks, got a strange one:

My setup consists of two ASAs in an HA pair in front of two Palo Alto 5220s in an Active/Secondary state behind them. The reason is that we use the ASAs for basic filtering and VPN and use the Palos for inspection, URL filtering, etc. We have a virtual wire on each Palo that splits a connection between an interface on the ASA and a basic layer-two switch. When we turn up the virtual wire that is passing traffic between the ASAs (5 VLANs/sub-interfaces), failover on the ASA breaks and we can't figure out why.

I found the article linked below, but his suggestion didn't work. The TL;DR of the article is that Cisco tags additional VLANs onto each subinterface so HA heartbeats will work.

I've allowed those VLANs through the wire and have even left it alone at default. I checked captures and the traffic monitor, and I see the Palo is indeed allowing traffic through for SCPS (IP protocol 105) and all VLANs, but the ASAs cannot communicate with one another until I remove the Palo from the equation. Has anyone else had this occur?

https://www.somewolfe.com/2016/09/27/pan-virtual-wire-with-cisco-ha-pair/

Thanks!
