HA on aggregated interface

L4 Transporter

HA on aggregated interface

We don't have a QSFP module for our core switches yet, so I am trying to use regular 10G interfaces in aggregate ethernet type HA.

But neither Panorama nor the firewall itself seems to give the option for aggregate interface in the dropdown of HA2 settings. If I set the interface individually to HA, I can see that option in both places.

 

 

show interface ae5

--------------------------------------------------------------------------------
Name: ae5, ID: 20
Link status:
Runtime link speed/duplex/state: [n/a]/[n/a]/up
Configured link speed/duplex/state: auto/auto/auto
MAC address:
Port MAC address c4:24:56:7e:1b:14
Aggregate group members: 2
ethernet1/5 ethernet1/6
Operation mode: ha
Untagged sub-interface support: no
--------------------------------------------------------------------------------
Name: ae5, ID: 20
Operation mode: ha
Interface management profile: N/A
Service configured: LACP
Zone: N/A, virtual system: N/A
Adjust TCP MSS: no
Policing: no

 

ae5 20 0 ha 0 N/A

 

ae5 20 [n/a]/[n/a]/up c4:24:56:7e:1b:14

L2 Linker

Re: HA on aggregated interface

Hello Raji,

 

Unless something has changed, I don't think that's an option. Typically depending on the platform, there is an HSCI interconnect or HA2 port dedicated for HA2, and if that can't be used (I'm told that the HSCI port is designed to be directly connected in the same physical location and can't be connected through a switch or other equipment), then you have to set up an HA2 and HA2 Backup port by selecting the type as HA in the setup.

 

These are individual ports dedicated for HA2 Primary and HA2 Backup purposes.   Your best bet is going to be to open a support case to find out for sure, but I have always been under the impression that HA2 is kind of special since it's dataplane sync, so it can only use 1 port or the other in an active/failover type of setup.

 

Thanks,

 

Brandon

L2 Linker

Re: HA on aggregated interface

Hello Raji,

 

I may have been incorrect in the previous post.  There is some information in another post that seems to imply that an AE for HA2 is ok. See this post by @reaper 

https://live.paloaltonetworks.com/t5/General-Topics/PA-5220-HA-Configuration/m-p/277657#M75478

 

Thanks, 

 

Brandon

L4 Transporter

Re: HA on aggregated interface

@BrandonWright Thanks for the information. What would be the cable type to use between the 2 HSCI ports? They will be sitting in 2 different buildings and layer 1 connection can be made only through OM3 - LC fiber.

Community Manager

Re: HA on aggregated interface

@BrandonWright  no, that's actually my mistake

 

aggregate interfaces are not supported on HA2, either a single dataplane interface for up to 10Gbps, or either 1 or 2 of the HSCI interfaces

 

I'll add a note to the other discussion post to rectify that mistake


Help the community: Like helpful comments and mark solutions
Reaper out
L2 Linker

Re: HA on aggregated interface

Hello Raji,

 

According to the Docs here: https://docs.paloaltonetworks.com/pan-os/7-1/pan-os-admin/high-availability/ha-links-and-backup-link...

 

"The High Speed Chassis Interconnect (HSCI) ports are Layer 1 Quad Port SFP+ (QSFP+) interfaces used to connect two PA-7000 Series firewalls in an HA configuration. Each port is comprised of four 10 gigabit channels multiplexed for a combined speed of 40 gigabits."

 

"The traffic carried on the HSCI ports is raw layer-1, which is not routable or switchable; therefore the HSCI ports must be connected directly to each other. The HSCI-A on the first chassis connects directly to HSCI-A on the second chassis and HSCI-B on the first chassis connects to HSCI-B on the second chassis. This provides full 80 gigabit transfer rates. In software, both ports (HSCI-A and HSCI-B) are treated as one HA interface."

 

Since the newer hardware which contains the HSCI ports is probably very similar, I would assume the HSCI ports are QSFP ports, but again, the traffic on them is transferred via L1, so it's not really an Ethernet transport between the devices. That said, if these devices are in 2 different geographic locations and thus can't be connected via a DAC cable, or 40 Gig QSFPs with Fiber, I would assume you'll have to settle on utilizing a Data Plane port for HA2.

 

Thanks,

 

Brandon

L4 Transporter

Re: HA on aggregated interface

Does the HSCI port on 5250's support qsfp to 4sfp+ breakout cable?
