
Any Packet Loss when Changing Interface Type from HA to Aggregate (of HA type)


L2 Linker

We have Active/Active PA-5050s in production with HA3 running on a single Ethernet interface (1GB).

 

I need to know if there will be any packet loss (HA packet forwarding) if I change this interface from HA type to AE type/AE group (e.g. ae8), considering that this aggregate group (ae8) has already been created and has another Ethernet interface (1GB) already up and running as a member.

 

I have lab tested, making these changes on active-primary;

Changing the active/active config from ethernet interface to the new ae8

And also changing the old single HA3 ethernet interface to be the second member of this new ae8

Then commit on active-primary.

 

Config synced to peer, with no obvious evidence of interfaces going down or any change in firewall states. Also, I had to change the active/active config from the ethernet interface to the new ae8 on active-secondary and commit after the above was done.

 

Each of these two Ethernet interfaces is directly connected to its peer on the other firewall.

 

Does it make sense to assume there will be no packet loss on the HA3 link or outage for the customer during this process?

 

 

Accepted Solutions

I would not recommend doing this on a live environment outside a maintenance window.

 

Since the HA cluster is Active/Active I assume you have plenty of asymmetrical sessions?

If you change the HA3 interface, this should not impact the firewall's ports or local processing, but this will temporarily interrupt the forwarding of packets over HA3 for remote processing.

In case of asymmetric routing, a lot of packet forwarding could be happening over the HA3 links, which will negatively impact your active sessions.

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization


L4 Transporter

I would suspect that there may be some traffic issues, possibly for those sessions which are already established. I would suggest giving it a try with some live traffic.

 

The firewall has to internally create a map of ports and IDs to forward the traffic.

Also, the MAC address linked to the HA3 ports will change.

 

It is possible that the existing packets or sessions might see some issue during the change.

 

You can assume this to be the same as if you change a network port from a standalone to an HA or AGG port.

 

If you run into issues with live traffic in your lab, I would suggest opening a TAC case to investigate.

Indeed, this will be done during an agreed change window with the customer. I am planning to lay out the steps in a way to minimize the outage or, if possible, eliminate it altogether.
