LACP down on Passive Firewall

Hello team,


In an HA environment, with pre-negotiation for LACP disabled, but passive link state set to "Auto" in the HA configuration, if all physical interfaces show as up, is the AE (Aggregated Interface) supposed to be up or down, as the partner (Cisco Switch) is showing suspended on the LACP interface?

Also, from the PA, the CLI is showing no partner:

AE group: ae1
Members:          Bndl Rx state       Mux state  Sel state
  ethernet1/1    no   Defaulted      Detached   Unselected(Link down)
  ethernet1/2    no   Port Disabled  Detached   Unselected(Link down)
Status:           Enabled
Mode:             Active
Rate:             Slow
Max-port:         8
Fast-failover:    Disabled
Pre-negotiation:  Disabled
Local:            System Priority: 32768
                  System MAC:      00:56:4c:60:32:45
                  Key:             19
Partner:          System Priority: 0
                  System MAC:      00:00:00:00:00:00
                  Key:             0
Port State
--------------------------------------------------------------------------------
Interface                 Port                                
              Number Priority  Mode    Rate  Key      State
--------------------------------------------------------------------------------
ethernet1/1   74     32768    Active  Slow  19       0x45
Partner        0      0        Passive Slow  0        0x00

ethernet1/2   75     32768    Active  Slow  19       0x45
Partner        0      0        Passive Slow  0        0x00

LACP is configured as Active - Active between PA and Cisco switch.

Is this the normal behaviour, and a failover will turn the interface up, or is there a misconfiguration or an issue here?

 

Thanks 
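
Added example (not part of any post in this thread, and not vendor code): a small Python decoder for the "Port State" rows quoted above, using the LACP state-byte bit layout from IEEE 802.1AX. The function names and the `diagnose` wording are this example's own; the sample rows are copied from the output in the question.

```python
import re

# LACP port state bits, low bit first, as defined in IEEE 802.1AX.
FLAGS = ["Activity", "Timeout", "Aggregation", "Synchronization",
         "Collecting", "Distributing", "Defaulted", "Expired"]

# Sample input: the "Port State" rows from the CLI output quoted above.
SAMPLE = """\
ethernet1/1   74     32768    Active  Slow  19       0x45
Partner        0      0        Passive Slow  0        0x00

ethernet1/2   75     32768    Active  Slow  19       0x45
Partner        0      0        Passive Slow  0        0x00
"""

ROW = re.compile(r"^(\S+)\s+\d+\s+\d+\s+\S+\s+\S+\s+\d+\s+0x([0-9a-fA-F]{1,2})$")

def decode_state(byte):
    """Return the names of the flags set in one LACP state byte."""
    return [name for bit, name in enumerate(FLAGS) if byte & (1 << bit)]

def parse_port_state(text):
    """Map each member interface to (actor_state, partner_state) bytes."""
    ports, current = {}, None
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        name, state = m.group(1), int(m.group(2), 16)
        if name == "Partner":
            if current is not None:
                ports[current][1] = state
        else:
            current = name
            ports[name] = [state, None]
    return {k: tuple(v) for k, v in ports.items()}

def diagnose(actor, partner):
    """Summarise what an actor/partner state pair implies for the bundle."""
    flags = set(decode_state(actor))
    if {"Synchronization", "Collecting", "Distributing"} <= flags:
        return "bundled"
    if "Defaulted" in flags and not partner:
        return "no partner LACPDU received"
    return "negotiating"

if __name__ == "__main__":
    for port, (actor, partner) in parse_port_state(SAMPLE).items():
        print(port, hex(actor), decode_state(actor), "->", diagnose(actor, partner))
```

For 0x45 the set bits are Activity, Aggregation and Defaulted, with Synchronization, Collecting and Distributing clear, which is consistent with the "Defaulted" Rx state and the all-zero partner fields in the same output.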

L7 Applicator

Re: LACP down on Passive Firewall

Hello,

I may have missed it, but are your PANs Active/Passive or Active/Active regarding HA?

Please advise,


L4 Transporter

Re: LACP down on Passive Firewall

Seems it is by design; on Passive, LACP is down.

L7 Applicator

Re: LACP down on Passive Firewall

Hello,

In an active/passive HA model, the passive interfaces are shut down.

Regards,

Re: LACP down on Passive Firewall

Thank you @Otakar.Klier and @MP18 for the replies,

It is Active/Passive on the firewalls but LACP is Active on all components (PA HA and Switches).

Passive link state is auto and the physical interfaces are up on the replica but AE interfaces are down, and on the switch that is communicating with the passive it is suspended.

It seems that this is the normal behaviour, but will pre-negotiate turn it to up, or will it only show the partner's MAC address?

Thanks

L4 Transporter

Re: LACP down on Passive Firewall

As per my understanding, pre-negotiate turns it to up.

L7 Applicator

Re: LACP down on Passive Firewall

@AbdulRahman_Safwat,

Currently, as you have it configured, a failover would cause the switch and the firewall to go through the entire LACP negotiation process; as this process takes a small amount of time, traffic would be disrupted until LACP can actually form and the interfaces start passing traffic.

Pre-Negotiation will turn the interfaces online so that they can start passing traffic just as quickly as a normal interface following a failover.

L4 Transporter

Re: LACP down on Passive Firewall

Also, in our setup we have the interface in HA as auto, so on the passive PA they are green.

For LACP we do not have pre-negotiation.

If we enable pre-negotiation for LACP, will that make the interface on the passive PA green?

Please confirm.

L4 Transporter

Re: LACP down on Passive Firewall

Yes.  That's exactly what prenegotiation does.  It "prenegotiates" the LACP EtherChannel (Ciscoeze language).  LACPBDUs are passed but there is no "active firewall" traffic (ie - IPs/etc).
