topic LCAP down on Passive Firewal in General Topics

LCAP down on Passive Firewal

AbdulRahman_Safwat — Fri, 22 Mar 2019 14:33:55 GMT

Hello team,

In an HA environment, with pre-negotiation for LCAP disabled , but passive link state set to "Auto" in the HA configuration, if all physical interfaces show as up, is the AE (Aggregated Interface) supposed to be up or down, as the partner (Cisco Switch) is showing suspended on the LCAP interface.

Also from PA the CLi is showing no partner:

AE group: ae1
Members:          Bndl Rx state       Mux state  Sel state
  ethernet1/1    no   Defaulted      Detached   Unselected(Link down)
  ethernet1/2    no   Port Disabled  Detached   Unselected(Link down)
Status:           Enabled
Mode:             Active
Rate:             Slow
Max-port:         8
Fast-failover:    Disabled
Pre-negotiation:  Disabled
Local:            System Priority: 32768
                  System MAC:      00:56:4c:60:32:45
                  Key:             19
Partner:          System Priority: 0
                  System MAC:      00:00:00:00:00:00
                  Key:             0
Port State
--------------------------------------------------------------------------------
Interface                 Port                                
              Number Priority  Mode    Rate  Key      State
--------------------------------------------------------------------------------
ethernet1/1   74     32768    Active  Slow  19       0x45
Partner        0      0        Passive Slow  0        0x00

ethernet1/2   75     32768    Active  Slow  19       0x45
Partner        0      0        Passive Slow  0        0x00

LCAP is configured as Active - Active between PA and Cisco switch.

Is this the normal ehaviour, and a fail over will turn the interface up, or is there a misconfiguration or an issue here.

Thanks

Re: LCAP down on Passive Firewal

OtakarKlier — Fri, 22 Mar 2019 18:09:05 GMT

Hello,

I may have missed it but are your PAN's Active/Passive or Active/Active regarding HA?

Please advise,

Re: LCAP down on Passive Firewal

MP18 — Fri, 22 Mar 2019 21:32:30 GMT

Seesm it is by design on PAssive LACP is down

Re: LCAP down on Passive Firewal

OtakarKlier — Sat, 23 Mar 2019 00:47:42 GMT

Hello,

In an active/passive HA model, the passive interfaces are shutdown.

Regards,

Re: LCAP down on Passive Firewal

AbdulRahman_Safwat — Sun, 24 Mar 2019 11:46:14 GMT

Thank you @OtakarKlier and @MP18 for the replys,

It is Active/Passive on the firewalls but LACP is Active on all components (PA HA and Switches).

Passive link state is auto and the physical interfaces are up on the replica but AE interfaces are down, and on the switch that is communicating with the passive it is suspended.

It seems that this is the normal behaviour, but will pre-negotiate turn it to up, or will it only show the partner's Mac address.

Thanks

Re: LCAP down on Passive Firewal

MP18 — Sun, 24 Mar 2019 17:11:42 GMT

as per my understanding pre-negotiate turn it to up.

Re: LCAP down on Passive Firewal

BPry — Sun, 24 Mar 2019 20:07:49 GMT

@AbdulRahman_Safwat,

Currently as you have it confiugured a failover would cause the switch and the firewall to go through the entire LACP negotiation process; as this process takes a small amount of time, traffic would be disrupted until LACP can actually form and the interfaces start passing traffic.

Pre-Negotiation will turn the interfaces online so that they can start passing traffic just as quickly as a normal interface following a failover.

Re: LCAP down on Passive Firewal

MP18 — Mon, 25 Mar 2019 17:18:07 GMT

Also In our setup we have interface in HA as auto so on passive PA they are green.

For LACP we do no have pre negotiation.

IF we enable pre negotiation for LACP that will make the interface on the passive PA as green?

Please confirm?

Re: LCAP down on Passive Firewal

jeremy.larsen — Mon, 25 Mar 2019 22:44:37 GMT

Yes. That's exactly what prenegotiation does. It "prenegotiates" the LACP EtherChannel (Ciscoeze language). LACPBDUs are passed but there is no "active firewall" traffic (ie - IPs/etc).