07-22-2019 03:00 PM
We don't have a qsfp module yet for our core switchse yet, so i am trying to use regular 10G interfaces in aggregate ethernet type HA.
But neither Panorama nor the firewall iself seems to give the option for aggreagate interface in the dropdown of HA2 settings. If i set the interface indvidually to HA, I can see that option in both places.
show interface ae5
--------------------------------------------------------------------------------
Name: ae5, ID: 20
Link status:
Runtime link speed/duplex/state: [n/a]/[n/a]/up
Configured link speed/duplex/state: auto/auto/auto
MAC address:
Port MAC address c4:24:56:7e:1b:14
Aggregate group members: 2
ethernet1/5 ethernet1/6
Operation mode: ha
Untagged sub-interface support: no
--------------------------------------------------------------------------------
Name: ae5, ID: 20
Operation mode: ha
Interface management profile: N/A
Service configured: LACP
Zone: N/A, virtual system: N/A
Adjust TCP MSS: no
Policing: no
ae5 20 0 ha 0 N/A
ae5 20 [n/a]/[n/a]/up c4:24:56:7e:1b:14
07-23-2019 12:53 PM
Hello Raji,
Unless something has changed, I don't think that's an option. Typically depending on the platform, there is an HSCI interconnect or HA2 port dedicated for HA2, and if that can't be used (I'm told that the HSCI port is designed to be directly connected in the same physical location and can't be connected through a switch or other equipment), then you have to setup an HA2 and HA2 Backup port by selecting the type as HA in the setup.
These are individual ports dedicated for HA2 Primary and HA2 Backup purposes. Your best bet is going to be to open a support case to find out for sure, but I have always been under the impression that HA2 is kind of special since it's dataplane sync, so it can only use 1 port or the other in an active/failover type of setup.
Thanks,
Brandon
07-23-2019 01:10 PM
Hello Raji,
I may have been incorrect in the previous post. There is some information in another post that seems to imply that an AE for HA2 is ok. See this post by @reaper
https://live.paloaltonetworks.com/t5/General-Topics/PA-5220-HA-Configuration/m-p/277657#M75478
Thanks,
Brandon
07-23-2019 01:51 PM
@BrandonWright Thanks for the information. What would be the cable type to use between the 2 HSCI ports. They will be sitting in 2 different buildings and layer 1 connection can be made only through OM3 - LC fiber.
07-23-2019 02:50 PM
@BrandonWright no, that's actually my mistake
aggregate interfaces are not supported on HA2, either a siongle dataplane interface for up to 10Gbps, or either 1 or 2 of the HSCI interfaces
I'll add a note to the other discussion post to rectify that mistake
07-24-2019 10:41 AM
Hello Raji,
According to the Docs here: https://docs.paloaltonetworks.com/pan-os/7-1/pan-os-admin/high-availability/ha-links-and-backup-link...
"The High Speed Chassis Interconnect (HSCI) ports are Layer 1 Quad Port SFP+ (QSFP+) interfaces used to connect two PA-7000 Series firewalls in an HA configuration. Each port is comprised of four 10 gigabit channels multiplexed for a combined speed of 40 gigabits."
"The traffic carried on the HSCI ports is raw layer-1, which is not routable or switchable; therefore the HSCI ports must be connected directly to each other. The HSCI-A on the first chassis connects directly to HSCI-A on the second chassis and HSCI-B on the first chassis connects to HSCI-B on the second chassis. This provides full 80 gigabit transfer rates. In software, both ports (HSCI-A and HSCI-B) are treated as one HA interface."
Since the newer hardware which contains the HSCI ports is probably very similar, I would assume the HSCI ports are QSFP ports, but again, the traffic on them is transferred via L1, so its not really an Ethernet transport between the devices. That said, if these devices are in 2 different geographic locations and thus can't be connected via a DAC cable, or 40 Gig QSFPs with Fiber, I would assume you'll have to settle on utilizing a Data Plane port for HA2.
Thanks,
Brandon
08-07-2019 06:54 PM
Does the HSCI port on 5250's support qsfp to 4sfp+ breakout cable.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
