06-27-2019 05:57 PM
Hello,
We are getting the below messages on and off for our HA pair.
eth 1/5 and 1/6 are part of the ae1 aggregate group.
nego-fail,ethernet1/6,0,0,general,critical,"LACP interface ethernet1/6 moved out of AE-group ae1. Selection state Selected",450025,0x0,0,0,0,0,,FW-1
lacp-up,ethernet1/6,0,0,general,critical,"LACP interface ethernet1/6 moved into AE-group ae1.",450026,0x0,0,0,0,0,,FW-1
nego-fail,ethernet1/5,0,0,general,critical,"LACP interface ethernet1/5 moved out of AE-group ae1. Selection state Selected",161108,0x0,0,0,0,0,,FW-2
lacp-up,ethernet1/5,0,0,general,critical,"LACP interface ethernet1/5 moved into AE-group ae1.",161109,0x0,0,0,0,0,,FW-2
What exactly needs to be checked?
06-27-2019 08:18 PM
You need to look at the switch configuration and determine why LACP is failing to negotiate correctly. As it appears you are getting errors across both links, the switch LACP configuration is likely either severely wrong or the uplinks were never actually configured to utilize LACP on the switch side of things.
06-28-2019 08:54 AM
Was it working?
Has someone changed something?
Rob
07-04-2019 05:28 PM - edited 07-04-2019 05:29 PM
07-04-2019 07:10 PM
Are you running both of these interfaces into the same AE group on the firewall, or are fw-1 and fw-2 utilizing port-channel 21 and port-channel 22 respectively? From the configuration that you've shared it looks like you are only utilizing a sole interface to each firewall; at that point, why are you using an AE at all? The configuration for the port-channel looks perfectly fine from the switch perspective. You could verify the LACP status by doing 'show lacp 21' and 'show lacp 22' to see why your members are dropping out; it should also be showing something within logging.
07-05-2019 12:22 AM
Yeah, are both ports on the switch connected to the AE1 on the firewall?
If so, port group 22 should not be used; both switch ports should be in the same group.
interface GigabitEthernet 1/21
 description member port-channel 21
 no ip address
!
 port-channel-protocol LACP
  port-channel 21 mode active
 no shutdown
!
interface GigabitEthernet 1/22
 description member port-channel 21
 no ip address
!
 port-channel-protocol LACP
  port-channel 21 mode active
 no shutdown
!
interface Port-channel 21
 description Port-Channel to fw-1 lan ae2
 no ip address
 switchport
 vlt-peer-lag port-channel 21
 no shutdown
07-05-2019 12:25 AM
Get that stable on the 1st of the HA pair.
Then create the second port group, and associated interfaces for the second firewall.
Rob
07-05-2019 12:27 AM
Also, from the logs..
Are you running ACTIVE-ACTIVE? It's not the "recommended" configuration.
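
An added example, not part of the original thread: a small Python parser for the system log lines in the opening post that pairs each "moved out of" event with the following "moved into" event to count LACP flaps per firewall and interface, and lists which HA peers are negotiating LACP at all. The field positions (event ID first, description seventh, sequence number eighth, device name last) are assumed from the posted lines, which lack their leading timestamp fields.

```python
import csv
import re
from collections import defaultdict

# Log lines copied from the opening post (leading fields were not posted).
SAMPLE = '''\
nego-fail,ethernet1/6,0,0,general,critical,"LACP interface ethernet1/6 moved out of AE-group ae1. Selection state Selected",450025,0x0,0,0,0,0,,FW-1
lacp-up,ethernet1/6,0,0,general,critical,"LACP interface ethernet1/6 moved into AE-group ae1.",450026,0x0,0,0,0,0,,FW-1
nego-fail,ethernet1/5,0,0,general,critical,"LACP interface ethernet1/5 moved out of AE-group ae1. Selection state Selected",161108,0x0,0,0,0,0,,FW-2
lacp-up,ethernet1/5,0,0,general,critical,"LACP interface ethernet1/5 moved into AE-group ae1.",161109,0x0,0,0,0,0,,FW-2
'''

MSG = re.compile(r"LACP interface (\S+) moved (out of|into) AE-group (\w+)")

def parse(text):
    """Yield one dict per LACP membership event; other log lines are skipped."""
    for row in csv.reader(text.splitlines()):
        if len(row) < 8:
            continue
        m = MSG.search(row[6])          # assumed: description is field 7
        if not m or not row[7].isdigit():
            continue
        yield {"iface": m.group(1), "left": m.group(2) == "out of",
               "ae": m.group(3), "seq": int(row[7]), "device": row[-1]}

def flaps(events):
    """Count leave/rejoin pairs per (device, AE group, interface)."""
    pending, counts = {}, defaultdict(int)
    # Sequence numbers are only comparable within one device, so sort per device.
    for e in sorted(events, key=lambda e: (e["device"], e["seq"])):
        key = (e["device"], e["ae"], e["iface"])
        if e["left"]:
            pending[key] = e["seq"]
        elif pending.pop(key, None) is not None:
            counts[key] += 1
    return dict(counts), sorted(pending)   # second item: members still out

def summary(text):
    counts, still_out = flaps(parse(text))
    devices = sorted({k[0] for k in counts} | {k[0] for k in still_out})
    return {"flaps": counts, "still_out": still_out, "devices_negotiating": devices}

if __name__ == "__main__":
    for key, value in summary(SAMPLE).items():
        print(key, value)
```

On the posted lines this reports one flap on each firewall and no member left outside ae1, with both FW-1 and FW-2 generating LACP events.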