Problems with Aggregate Ethernet in HA configuration

LCMember4164 — Fri, 02 Mar 2012 16:10:00 GMT

Hi all,

i'm setting up two PA 5020 in Active/Passive HA and I'm having some problems with Aggregate interfaces. I'm using 4 ethernet interfaces per device:

ae.1 - trust zone (two physical ethernet interfaces)

ae.2 - untrust zone (two physical ethernet interfaces)

The device is operating in L3 mode with static routes. If I use a single device, all works flawlessly.

If i try to enable HA i start getting packet loss (>5-10% in a LAN environment).

If i try to shutdown one of the ports for each port-channel, i'm still getting packet loss.

I've also tried to reconfigure the HA pair without Aggregate interfaces and in this case all works perfectly.

I really cannot undestand why i'm getting so much packet loss, it doesn't seem to be just an aggregate ethernet issue, because with a single device it works... it also doesn't seem to be only an ha issue, because in ha without aggregate ethernet interfaces it just works perfectly... but when i'm using both ae and ha it just blows up 😞

On the switch side, all seems ok, no errors, nothing strange.

Here some configuration snippets, maybe it's just a stupid issue... i'm a newb with this gear 😉

The switch configuration ( cisco 3750 right now, also tried with a 6509 with the same results):

interface Port-channel9
description * FW1 - Trust *
switchport trunk encapsulation dot1q
switchport trunk native vlan 900
switchport trunk allowed vlan 900
switchport mode trunk
switchport nonegotiate
spanning-tree portfast trunk
!
interface Port-channel10
description * FW1 - Untrust *
switchport trunk encapsulation dot1q
switchport trunk native vlan 901
switchport trunk allowed vlan 901
switchport mode trunk
switchport nonegotiate
spanning-tree portfast trunk
!
interface Port-channel19
description * FW2 - Trust *
switchport trunk encapsulation dot1q
switchport trunk native vlan 900
switchport trunk allowed vlan 900
switchport mode trunk
switchport nonegotiate
spanning-tree portfast trunk
!
interface Port-channel20
description * FW2 - Untrust *
switchport trunk encapsulation dot1q
switchport trunk native vlan 901
switchport trunk allowed vlan 901
switchport mode trunk
switchport nonegotiate
spanning-tree portfast trunk
!
interface FastEthernet1/0/1
description * PAN-FW1 - Trust *
switchport trunk encapsulation dot1q
switchport trunk native vlan 900
switchport trunk allowed vlan 900
switchport mode trunk
switchport nonegotiate
channel-group 9 mode on
spanning-tree portfast trunk
!
interface FastEthernet1/0/2
description * PAN-FW1 - Trust *
switchport trunk encapsulation dot1q
switchport trunk native vlan 900
switchport trunk allowed vlan 900
switchport mode trunk
switchport nonegotiate
channel-group 9 mode on
spanning-tree portfast trunk
!
interface FastEthernet1/0/3
description * PAN-FW1 - Untrust *
switchport trunk encapsulation dot1q
switchport trunk native vlan 901
switchport trunk allowed vlan 901
switchport mode trunk
switchport nonegotiate
channel-group 10 mode on
spanning-tree portfast trunk
!
interface FastEthernet1/0/4
description * PAN-FW1 - Untrust *
switchport trunk encapsulation dot1q
switchport trunk native vlan 901
switchport trunk allowed vlan 901
switchport mode trunk
switchport nonegotiate
channel-group 10 mode on
spanning-tree portfast trunk
!
interface FastEthernet1/0/13
description * PAN-FW2 - Trust *
switchport trunk encapsulation dot1q
switchport trunk native vlan 900
switchport trunk allowed vlan 900
switchport mode trunk
switchport nonegotiate
channel-group 19 mode on
spanning-tree portfast trunk
!
interface FastEthernet1/0/14
description * PAN-FW2 - Trust *
switchport trunk encapsulation dot1q
switchport trunk native vlan 900
switchport trunk allowed vlan 900
switchport mode trunk
switchport nonegotiate
channel-group 19 mode on
spanning-tree portfast trunk
!
interface FastEthernet1/0/15
description * PAN-FW2 Untrust *
switchport trunk encapsulation dot1q
switchport trunk native vlan 901
switchport trunk allowed vlan 901
switchport mode trunk
switchport nonegotiate
channel-group 20 mode on
spanning-tree portfast trunk
!
interface FastEthernet1/0/16
description * PAN-FW2 Untrust *
switchport trunk encapsulation dot1q
switchport trunk native vlan 901
switchport trunk allowed vlan 901
switchport mode trunk
switchport nonegotiate
channel-group 20 mode on
spanning-tree portfast trunk
!

Re: Problems with Aggregate Ethernet in HA configuration

jhansf5 — Sat, 03 Mar 2012 01:39:57 GMT

Am I correct in understanding that the AE config works when you don't have HA enabled?

If so, can you share your HA config?

Re: Problems with Aggregate Ethernet in HA configuration

LCMember4164 — Sat, 03 Mar 2012 10:58:37 GMT

Yes you are right, attached you'll find my ha config!

I'm not using preemption and link monitoring right now. The only thing i added just to be sure is a backup dataplane link. All the links are directly connected between the firewalls with cross cables.

I also tried to change the Passive Link State to Auto, as suggested by the documentation, but the problems persist...

thanks!

marco

Re: Problems with Aggregate Ethernet in HA configuration

jhansf5 — Mon, 05 Mar 2012 16:54:32 GMT

I don't see anything obviously wrong (though since is an L3 deployment, you should change interface state back to 'auto').

What is happening with spanning tree during the packet loss?

Is anything logged to the switch, or to the system log on the firewall?

Can you check interface stats on the switch and the firewall to see if there are any interface errors?

Re: Problems with Aggregate Ethernet in HA configuration

LCMember4164 — Tue, 06 Mar 2012 15:02:35 GMT

Problem solved.

Just updated PAN-OS version from 4.1.1 to 4.1.3 and now it's working!

btw didn't find anything in the release notes...

Re: Problems with Aggregate Ethernet in HA configuration

jhansf5 — Tue, 06 Mar 2012 18:57:11 GMT

Excellent! Glad it is working.

topic Re: Problems with Aggregate Ethernet in HA configuration in General Topics

Problems with Aggregate Ethernet in HA configuration

Re: Problems with Aggregate Ethernet in HA configuration

Re: Problems with Aggregate Ethernet in HA configuration

Re: Problems with Aggregate Ethernet in HA configuration

Re: Problems with Aggregate Ethernet in HA configuration

Re: Problems with Aggregate Ethernet in HA configuration