Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

LACP and HA pair

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

LACP and HA pair

L1 Bithead

My tested design has been to LACP between the same LAG (i.e. AE0) on the PA primary and secondary units, to different LAG entries (ie. AE0, AE1) on the outside and inside equipment (Both Juniper).  I have one device though (Juniper SRX) that has VPN tunnel terminations on it that have to be declared as the end-points, so I can't use different LAG entries to each of the Primary and Secondary PA.  So I put the Primary and Secondary PA connection points (AE0) into the same LAG (AE0) on the Juniper SRX under LACP and it runs with just the single connection ok.   BUT, I tested the HA failover and the secondary PA failed to establish the LACP connection with the Juniper SRX and faulted the link.

How can I attach a HA pair of PA's to a single device if LACP isn't going to work?  Is this a bug or do I need to not run LACP?

2015-03-19T06:49:50-04:00 10.10.24.201 fw user.crit 1,2015/03/19 06:49:50,007801001168,SYSTEM,lacp,0,2015/03/19 06:49:50,,unresponsive,ethernet1/3,0,0,general,critical,LACP interface ethernet1/3 moved out of AE-group ae4(peer is not responding to new LACP connection),90118,0x8000000000000000

1 accepted solution

Accepted Solutions

L1 Bithead

I eventually found this document on LACP:

https://www.paloaltonetworks.com/documentation/61/pan-os/pan-os/networking/lacp-settings.html

the very last paragraph listed this statement which worked in my scenario and allowed the single SRX

tunnel to be LACP'd across both primary and secondary PA HA devices.

"When the LACP peers (also in HA mode) are virtualized (appearing to the network as a single device), selecting the Same System MAC Address for Active-Passive HA option for the firewalls is a best practice to minimize latency during failover"

View solution in original post

3 REPLIES 3

L7 Applicator

On a secondary device in an Active/Passive cluster all the interfaces are "down" and do not pass any traffic until they become the active node.  If your design requires that the secondary interfaces be up, then you will need to use an Active/Active design and be careful about creating layer 2 loops.

Have you seen the reference design for using Active/Passive Palo Alto firewalls with AE bundles?

this is found on page 80 and following in the design guide.  This may be what you are looking for in your network.

Designing Networks with Palo Alto Networks Firewalls

Diagrams and Tested Configurations

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

I don't need the secondary device interfaces to be up, I'm only looking for the correct configuration to make the secondary device work during a fail over with the outside device over LACP.

I've read those design guides, but they seem to skip many Layer-2 scenarios and were written pre-LACP support.

Basically when I have the PA primary/secondary connected to separate AE's on an outside device, HA works fine.

In this one situation I have the PA primary/secondary connected to separate interfaces on the same AE of the outside device, and the HA failed.  I need to find out if it's a valid setup and configuration, or if LACP won't work and I have to change it to a non-LACP LAG.

L1 Bithead

I eventually found this document on LACP:

https://www.paloaltonetworks.com/documentation/61/pan-os/pan-os/networking/lacp-settings.html

the very last paragraph listed this statement which worked in my scenario and allowed the single SRX

tunnel to be LACP'd across both primary and secondary PA HA devices.

"When the LACP peers (also in HA mode) are virtualized (appearing to the network as a single device), selecting the Same System MAC Address for Active-Passive HA option for the firewalls is a best practice to minimize latency during failover"

  • 1 accepted solution
  • 9911 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!