topic Re: Port Channels in a Active / Passive VWire Environment in General Topics

Port Channels in a Active / Passive VWire Environment

mlinsemier — Fri, 04 Nov 2016 14:49:52 GMT

We have a couple instances in our environment where we are using VWire where port-channels are located on either side of the Palo Alto device. Also, in this cases, we are running a Palo Alto cluster in Active/Passive HA.

In all cases that I have tried, either with LACP (using pre-negotiation) as well as non-LACP (channel mode on), I am unable get any configuration to work. As soon as the second port in the channel comes up on the passive Palo Alto firewall, traffic stops routing.

The most simple configuration is this:

Cisco 6509 #1 G1/3 ---> Port Channel ( Palo Alto VWire Active ) Port Channel <--- G0/0 Router #1

Cisco 6509 #1 G2/3 ---> Port Channel ( Palo Alto VWire Passive ) Port Channel <--- G0/1 Router #1

In channel mode on, it appears to the switch that both of the ports are participating in the Port Channel, however obviously only one of them G0/0 is up as the other Palo Alto is in Passive mode (Auto) where the port is brought up but no traffic is forwarding. If i shut down the second port in the Port Channel, traffic begins routing as normal.

Does anyone here have any expereince with this and is this even feasible in an Active/Passive configuration? I really need that sub second response that you get in a Layer 3 Active / Passive configuration. I have tested channel mode on PAN-OS 7.0.8 and LACP pre-negotiation on PAN-OS 7.1.4h2 both with the same results.

Matt

Re: Port Channels in a Active / Passive VWire Environment

RFalconer — Fri, 04 Nov 2016 18:14:17 GMT

On gig1/3 and gig2/3, do you have 'no switchport' configured? It almost sounds like bpdus are getting across the HA link and being sent back down the passive link.

Have you done a packet capture on the vwire interface during the port channel failure facing gi2/3 to see if anything is egressing?

Re: Port Channels in a Active / Passive VWire Environment

mlinsemier — Fri, 04 Nov 2016 22:06:57 GMT

This is a L2 VWire, not a L3 implementation. The Palo Altos sit as a bump-on-the-wire device transparently. They don't participate directly in any port-channel configurations.

Re: Port Channels in a Active / Passive VWire Environment

epeeler — Fri, 29 Sep 2017 14:31:20 GMT

Did you ever get a resolution to this?

Re: Port Channels in a Active / Passive VWire Environment

TomMeadows — Sun, 01 Oct 2017 09:55:10 GMT

I too would be interested to know if it is possible to use port-channels as a resilience model in an Active-Passive Palo Alto environment. Does anyone do this, or know whether it is possible?

Thanks,