topic Re: Any Packet Lost when Changeing Interface Type from HA to Aggregate (of HA type) in General Topics

Any Packet Lost when Changeing Interface Type from HA to Aggregate (of HA type)

Mass — Thu, 03 Aug 2017 05:46:52 GMT

We have an Active/Active PA-5050's in production with HA3 running on a single ethernet (1GB).

I need to know if there will be any packet lost (HA packet forwarding) if I change this interface from HA type to AE type/AE group (e.g. ae8). Considering that this aggregated group (ae8) has been already created and have another ethernet (1GB) already as a member up and running.

I have lab tested, making these changes on active-primary;

Changing the active/active config from ethernet interface to the new ae8

And also changing the old single HA3 ethernet interface to be the second member of this new ae8

Then commit on active-primary.

Config synced to peer, with no obvious evidence of interfaces going down or any change in firewalls states. Also, I had to change the active/active config from ethernet interface to the new ae8 on active-secondary and commit after above done.

Each of these two ethernet interfaces directly conencted to their peers on the other firewall.

Does it make sense to assume, there will be no packet lost on HA3 link or outage for customer during this process.

Re: Any Packet Lost when Changeing Interface Type from HA to Aggregate (of HA type)

abjain — Thu, 03 Aug 2017 08:46:43 GMT

I would suspect that there may be some traffic issues. Possibly for those sessions which are already established. I would suggest to give a try with some live traffic.

Firewall has to internally create a map of ports and ids to forward the traffic.

Also MAC address linked to HA3 ports will change.

It is possible that the existing packets or sessions might see some issue during the change.

You can assume this to be same as if you change a network port from a standalone to HA or AGG port.

If you run into issues with live traffic in your lab, I would suggest open a TAC case to investigate.

Re: Any Packet Lost when Changeing Interface Type from HA to Aggregate (of HA type)

reaper — Thu, 03 Aug 2017 09:36:18 GMT

I would not recommend doing this on a live environment outside a maintenance window

Since the HA cluster is Active/Active I assume you have plenty of asymmetrical sessions?

If you change the HA3 interface, this should not impact the firewall's ports or local processing, but this will temporarily interrupt the forwarding of packets over HA3 for remote processing.

In case of asymmetric routing, a lot of packetforwarding could be happening over the HA3 links which will negatively impact your active sessions.

Re: Any Packet Lost when Changeing Interface Type from HA to Aggregate (of HA type)

Mass — Fri, 04 Aug 2017 00:25:24 GMT

Indeed this will be done during an agreed change window with customer. I am planning to layout the steps in a way to minimize the outage or if possible eliminate it all together.