We have a couple of instances in our environment where we are using VWire, with port-channels located on either side of the Palo Alto device. Also, in these cases, we are running a Palo Alto cluster in Active/Passive HA.
In all cases that I have tried, both with LACP (using pre-negotiation) and with non-LACP (channel mode on), I am unable to get any configuration to work. As soon as the second port in the channel comes up on the passive Palo Alto firewall, traffic stops routing.
The most simple configuration is this:
Cisco 6509 #1 G1/3 ---> Port Channel ( Palo Alto VWire Active ) Port Channel <--- G0/0 Router #1
Cisco 6509 #1 G2/3 ---> Port Channel ( Palo Alto VWire Passive ) Port Channel <--- G0/1 Router #1
In channel mode on, it appears to the switch that both of the ports are participating in the Port Channel; however, obviously only one of them (G0/0) is up, as the other Palo Alto is in Passive mode (Auto), where the port is brought up but no traffic is forwarded. If I shut down the second port in the Port Channel, traffic begins routing as normal.
Does anyone here have any experience with this, and is this even feasible in an Active/Passive configuration? I really need the sub-second response that you get in a Layer 3 Active/Passive configuration. I have tested channel mode on with PAN-OS 7.0.8 and LACP pre-negotiation with PAN-OS 7.1.4h2, both with the same results.
On Gi1/3 and Gi2/3, do you have 'no switchport' configured? It almost sounds like BPDUs are getting across the HA link and being sent back down the passive link.
Have you done a packet capture on the vwire interface during the port channel failure facing gi2/3 to see if anything is egressing?
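For reference, the switch-side check the reply above is asking about, as a constructed Cisco IOS configuration that is not from the original poster's environment (the interface names match the topology in the question; the IP address and port-channel number are placeholders):

```cisco
! Constructed example, not the thread author's configuration.
! A routed (Layer 3) port-channel on the 6509 facing the two VWire pairs,
! with both members forced on ("channel mode on", as the question describes).
interface Port-channel1
 description To router via PA VWire (active and passive pairs)
 no switchport
 ip address 192.0.2.1 255.255.255.252
!
interface GigabitEthernet1/3
 description Member 1 - path through active PA VWire
 no switchport
 channel-group 1 mode on
!
interface GigabitEthernet2/3
 description Member 2 - path through passive PA VWire
 no switchport
 channel-group 1 mode on
!
! Checks to run when the second member comes up and traffic stops:
!   show etherchannel 1 summary        -> are both members bundled (P)?
!   show interfaces Port-channel1      -> is the bundle up with both links?
!   show interfaces GigabitEthernet2/3 -> any input frames arriving via the passive PA?
```

With mode on, the switch bundles both members as soon as they are physically up and hashes flows across them without any negotiation, so the moment Gi2/3 comes up a share of the flows is sent into the passive VWire, which is the symptom the question describes. The `show` commands above confirm whether the second member was actually bundled and whether anything is being received back through it, which together with a capture on the vwire interface answers the question in the reply above.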
This is an L2 VWire, not an L3 implementation. The Palo Altos sit transparently as a bump-on-the-wire device. They don't participate directly in any port-channel configurations.
I too would be interested to know if it is possible to use port-channels as a resilience model in an Active-Passive Palo Alto environment. Does anyone do this, or know whether it is possible?