Traffic redirection behavior with Palo Alto East / West SI during Host failure or HA failover scenario

Article ID: 325074

Products

VMware vDefend Firewall

Issue/Introduction

  • NSX Service Insertion (SI) configured in the environment

  • High Availability (HA) is configured in the vSphere cluster that contains the Partner SVMs

  • Traffic is no longer redirected after HA failure of SVM 



Environment

VMware NSX-T Data Center

Cause

vSphere HA is not supported with SVMs for East/West traffic. As a result, traffic redirection will not work as expected when vSphere HA powers on the SVM on another host after a failover event.

Resolution

Disable High Availability for SVMs configured for East / West traffic. 
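
One way to check which SVMs vSphere HA would still restart, as an added PowerCLI example that is not part of the original article. It assumes that a per-VM restart priority of Disabled is how HA is turned off for the SVMs and that the SVMs can be matched by name; the cluster name and name pattern are placeholders.

```powershell
# Added example, not from the article. Assumes an active Connect-VIServer session.
# CLUSTER-PLACEHOLDER and SVM-NAME-PATTERN-* are placeholders for your environment.
param(
    [string]$ClusterName    = 'CLUSTER-PLACEHOLDER',
    [string]$SvmNamePattern = 'SVM-NAME-PATTERN-*',
    [switch]$Remediate      # without this switch the script only reports
)

$cluster = Get-Cluster -Name $ClusterName -ErrorAction Stop
if (-not $cluster.HAEnabled) {
    Write-Output "vSphere HA is disabled on cluster '$ClusterName'; HA will not restart any SVM."
    return
}

# A wildcard lookup returns nothing (no error) when no VM matches the pattern.
$svms = @(Get-VM -Location $cluster -Name $SvmNamePattern)
if ($svms.Count -eq 0) {
    Write-Warning "No VM in '$ClusterName' matches '$SvmNamePattern'; check the pattern."
    return
}

foreach ($vm in $svms) {
    # A VM without an override inherits the cluster default restart priority.
    $inherits  = (-not $vm.HARestartPriority) -or
                 ("$($vm.HARestartPriority)" -eq 'ClusterRestartPriority')
    $effective = if ($inherits) { "$($cluster.HARestartPriority)" }
                 else           { "$($vm.HARestartPriority)" }
    $haRestart = $effective -ne 'Disabled'

    if ($haRestart -and $Remediate) {
        # Per-VM override: HA no longer powers this SVM on after a host failure.
        Set-VM -VM $vm -HARestartPriority Disabled -Confirm:$false -ErrorAction Stop | Out-Null
        $effective = 'Disabled'
        $haRestart = $false
    }

    # One report row per SVM; HAWillRestart = $true marks an SVM that still needs the fix.
    [pscustomobject]@{
        SVM               = $vm.Name
        Host              = $vm.VMHost.Name
        EffectivePriority = $effective
        HAWillRestart     = $haRestart
    }
}
```

Run it without `-Remediate` first to review the report, then again with the switch to apply the override.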


Additional Information

Procedure to put a host in maintenance mode when SVM is running: 

  1. Put the SVMs into maintenance mode (see partner documentation for procedure) on the host that’s about to be updated
  2. Wait for traffic to drain
  3. Power off the SVM
  4. If needed, migrate it elsewhere, power it on at the destination and wait for it to become available again
  5. Put the host in maintenance mode and perform whatever maintenance is needed.

Is restarting an SVM from vCenter or the Partner GUI supported?

Rebooting an SVM is supported; however, traffic disruption will occur when doing so. Use SVM maintenance mode (see partner documentation for procedure) for any scheduled maintenance operations.

Impact/Risks:
Traffic redirection will not work as expected after High Availability or host failure