Palo Alto Firewall: Active-Active Mode: Problems with the NAT Policy

In today's session we looked into and fixed the issue where the NAT rule configured for the IPsec tunnel using a floating IP was not applied to the traffic after an HA failover, when the peer device became active-primary. The commit of the configuration also warned about a shadowed NAT rule, even though both NAT rules are configured to be bound to a specific device.

We looked into the running NAT policy and identified the problem: both rules were installed in the running NAT policy with the same device ID (ID 0), even though the configured rules carry their own device IDs. That is why the NAT was not applied after the failover.

magellan@PA2(active-primary)> show running nat-policy

"BS-Card_Duesseldorf 0" {
from TRUST;
source 10.0.0.0/8 ;
to Tunnel.013;
to-interface tunnel.13 ;
destination 195.200.194.128/26;
service any/any/any;
active-active-device-binding 0
translate-to "src: tunnel.13 10.10.10.13 (dynamic-ip-and-port) (pool idx: 3)";
terminal no;
}

"BS-Card_Duesseldorf 1" {
from TRUST;
source 10.0.0.0/8 ;
to Tunnel.013;
to-interface tunnel.13 ;
destination 195.200.194.128/26;
service any/any/any;
active-active-device-binding 0
translate-to "src: tunnel.13 10.10.10.13 (dynamic-ip-and-port) (pool idx: 3)";
terminal no;
}

The root cause of the binding issue is the NAT policy configuration: the source translation was configured as interface-address with a floating IP. Because the active-secondary device does not own the floating IP on that interface, it looked up the ownership of the floating IP and changed the device binding to the device that owned the floating IP at that time, the active-primary.

To resolve the issue, we changed the NAT policy to use translated-address for the source translation and entered the floating IP directly as the translated address. With the change committed, we tested the failover: traffic is now NATed on both devices and the remote IP can be pinged successfully.

— After NAT policy change
magellan@PA2(active-secondary)> show running nat-policy

"BS-Card_Duesseldorf 0" {
from TRUST;
source 10.0.0.0/8 ;
to Tunnel.013;
to-interface tunnel.13 ;
destination 195.200.194.128/26;
service any/any/any;
active-active-device-binding 0
translate-to "src: 10.10.10.13 (dynamic-ip-and-port) (pool idx: 4)";
terminal no;
}

"BS-Card_Duesseldorf 1" {
from TRUST;
source 10.0.0.0/8 ;
to Tunnel.013;
to-interface tunnel.13 ;
destination 195.200.194.128/26;
service any/any/any;
active-active-device-binding 1
translate-to "src: 10.10.10.13 (dynamic-ip-and-port) (pool idx: 4)";
terminal no;
}
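As an added check, not part of the original case note, the following Python script parses the two "show running nat-policy" outputs quoted above and reports the three symptoms described in this note: rules that shadow each other on the same device binding (the commit warning), installed bindings that differ from the configured ones, and rules whose installed translate-to line still shows an interface name in front of the address, which is how an interface-address source translation with a floating IP appears in the running policy. The outputs are embedded as strings copied from the page; the CONFIGURED dictionary (one rule bound to device 0, one to device 1) is an assumption that mirrors the text's statement that each rule is configured for a specific device, and the handling of a "both" binding is an assumption as well.

```python
import re

# Constructed sample input: the 'show running nat-policy' output quoted on the
# page BEFORE the fix (both rules installed with device binding 0).
BEFORE = '''\
"BS-Card_Duesseldorf 0" {
from TRUST;
source 10.0.0.0/8 ;
to Tunnel.013;
to-interface tunnel.13 ;
destination 195.200.194.128/26;
service any/any/any;
active-active-device-binding 0
translate-to "src: tunnel.13 10.10.10.13 (dynamic-ip-and-port) (pool idx: 3)";
terminal no;
}

"BS-Card_Duesseldorf 1" {
from TRUST;
source 10.0.0.0/8 ;
to Tunnel.013;
to-interface tunnel.13 ;
destination 195.200.194.128/26;
service any/any/any;
active-active-device-binding 0
translate-to "src: tunnel.13 10.10.10.13 (dynamic-ip-and-port) (pool idx: 3)";
terminal no;
}
'''

# AFTER the fix, also taken from the page: the source translation is a bare
# translated address, the second rule carries binding 1, the pool index moved.
_head, _sep, _tail = BEFORE.rpartition("active-active-device-binding 0")
AFTER = _head + "active-active-device-binding 1" + _tail
AFTER = AFTER.replace("src: tunnel.13 10.10.10.13", "src: 10.10.10.13")
AFTER = AFTER.replace("pool idx: 3", "pool idx: 4")

# Assumed intended bindings: one rule per device, as the case note states.
CONFIGURED = {"BS-Card_Duesseldorf 0": "0", "BS-Card_Duesseldorf 1": "1"}

# Match criteria that decide whether two rules compete for the same traffic.
MATCH_KEYS = ("from", "source", "to", "to-interface", "destination", "service")
BINDING = "active-active-device-binding"

RULE_RE = re.compile(r'"(?P<name>[^"]+)"\s*\{(?P<body>.*?)\n\}', re.S)


def parse_nat_policy(text):
    """Turn the CLI output into a list of {field: value} dicts, in rule order."""
    rules = []
    for m in RULE_RE.finditer(text):
        fields = {"name": m.group("name")}
        for line in m.group("body").splitlines():
            line = line.strip().rstrip(";").strip()
            if not line:
                continue
            key, _, value = line.partition(" ")
            fields[key] = value.strip().strip('"')
        rules.append(fields)
    return rules


def bindings_overlap(a, b):
    # Assumption: a rule bound to 'both' is installed on either device.
    return a == b or "both" in (a, b)


def find_shadowed(rules):
    """(earlier, later) name pairs where the later rule has the same match
    criteria on an overlapping device binding and can therefore never be hit."""
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            same_match = all(earlier.get(k) == later.get(k) for k in MATCH_KEYS)
            if same_match and bindings_overlap(earlier.get(BINDING), later.get(BINDING)):
                found.append((earlier["name"], later["name"]))
                break
    return found


def binding_mismatches(rules, configured):
    """(name, configured, installed) for rules whose installed binding differs."""
    return [(r["name"], configured[r["name"]], r.get(BINDING))
            for r in rules
            if r["name"] in configured and r.get(BINDING) != configured[r["name"]]]


def uses_interface_address(rule):
    """True when translate-to reads 'src: <interface> <ip> (...)', i.e. the rule
    was built with interface-address; translated-address shows only the ip."""
    return re.match(r"src:\s+[^\s(]+\s+[^\s(]+\s+\(", rule.get("translate-to", "")) is not None


if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        rules = parse_nat_policy(text)
        print(label, "shadowed:", find_shadowed(rules))
        print(label, "binding mismatches:", binding_mismatches(rules, CONFIGURED))
        print(label, "interface-address rules:",
              [r["name"] for r in rules if uses_interface_address(r)])
```

Run against the "before" output the script reports the second rule as shadowed by the first, a binding mismatch for "BS-Card_Duesseldorf 1" (configured 1, installed 0) and both rules as interface-address rules; against the "after" output all three lists are empty, which is the state to confirm after a commit on either peer.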

I am going to talk to engineering and confirm whether it is expected behavior that, when a floating IP is used on the device that does not own it, the binding in the installed NAT policy changes to the device ID that owns the floating IP. In the meantime, please let me know if you have any questions or need assistance. Thank you.