topic Re: LACP in HA issue in General Topics

LACP in HA issue

niuk — Sat, 25 Jun 2016 12:47:29 GMT

I have a pair of PAN 5060 (v.7.1.2) firewalls in HA Passive/Active connected with LACP to pair of core Nexus 9000 switches. From time to time (every hour or few) connectivity to active firewall is faling (can't ping firewall LACP L3 interface ip address from core) for a few sec. When it happens I noticed presence of MAC adddress of firewall on the core switch where passive HA cluster member is connected but failover is not a case here (there is neither no reason not trace of failover). When connectivity is restored I can see MAC address of firewall back on core switch where active firewall is connected.

Re: LACP in HA issue

nextgenhappines — Sun, 26 Jun 2016 01:12:05 GMT

1. Any pattern/specific time frame when does this issue happen?

1. Have you try to run continue ping from a host behind the firewall to outside of the firewall?

2. Have you try to turn off LACP on the firewall and 9K ?

-E

Re: LACP in HA issue

niuk — Sun, 03 Jul 2016 11:17:25 GMT

No specific time frame, every hour or few. I've not try to turn off LACP neither ping from host behind the firewall to outside of the firewall. I was advised to trigger a GARP and catpure it.

Re: LACP in HA issue

pulukas — Sun, 03 Jul 2016 11:39:03 GMT

Can you confirm that spanning tree is not enabled on the Nexus ports and potentially moving to blocking on the active link port.

If there is no spanning tree, then TAC is correct no mac migration should occur outside of a bug in the PanOS causing the passive device to arp this address. the packet captures should confirm the exact behavior.

Re: LACP in HA issue

niuk — Wed, 06 Jul 2016 12:23:32 GMT

Spanning tree is enabled on switch for that vlan where firewalls lives in. But there was no changes of active ports when firewall MAC appeared (on switch where Passive is connected)

Re: LACP in HA issue

OtakarKlier — Fri, 08 Jul 2016 21:23:47 GMT

Hello,

I agree with pulukas, try disabling spanning tree on just those ports where the PAN's are connected and see if that resolves the issue.

Regards,

Re: LACP in HA issue

pulukas — Sun, 10 Jul 2016 11:01:37 GMT

If there is no spanning tree port status change, then this does have to be a bug. The mac move should not occur in that scenario.