LACP and HA pair

davis@udel.edu · ‎03-19-2015

My tested design has been to LACP between the same LAG (i.e. AE0) on the PA primary and secondary units, to different LAG entries (ie. AE0, AE1) on the outside and inside equipment (Both Juniper). I have one device though (Juniper SRX) that has VPN tunnel terminations on it that have to be declared as the end-points, so I can't use different LAG entries to each of the Primary and Secondary PA. So I put the Primary and Secondary PA connection points (AE0) into the same LAG (AE0) on the Juniper SRX under LACP and it runs with just the single connection ok. BUT, I tested the HA failover and the secondary PA failed to establish the LACP connection with the Juniper SRX and faulted the link.

How can I attach a HA pair of PA's to a single device if LACP isn't going to work? Is this a bug or do I need to not run LACP?

2015-03-19T06:49:50-04:00 10.10.24.201 fw user.crit 1,2015/03/19 06:49:50,007801001168,SYSTEM,lacp,0,2015/03/19 06:49:50,,unresponsive,ethernet1/3,0,0,general,critical,LACP interface ethernet1/3 moved out of AE-group ae4(peer is not responding to new LACP connection),90118,0x8000000000000000

davis@udel.edu · ‎04-09-2015

I eventually found this document on LACP:

https://www.paloaltonetworks.com/documentation/61/pan-os/pan-os/networking/lacp-settings.html

the very last paragraph listed this statement which worked in my scenario and allowed the single SRX

tunnel to be LACP'd across both primary and secondary PA HA devices.

"When the LACP peers (also in HA mode) are virtualized (appearing to the network as a single device), selecting the Same System MAC Address for Active-Passive HA option for the firewalls is a best practice to minimize latency during failover"

View solution in original post

pulukas · ‎03-22-2015

On a secondary device in an Active/Passive cluster all the interfaces are "down" and do not pass any traffic until they become the active node. If your design requires that the secondary interfaces be up, then you will need to use an Active/Active design and be careful about creating layer 2 loops.

Have you seen the reference design for using Active/Passive Palo Alto firewalls with AE bundles?

this is found on page 80 and following in the design guide. This may be what you are looking for in your network.

Designing Networks with Palo Alto Networks Firewalls

Diagrams and Tested Configurations

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center

davis@udel.edu · ‎03-24-2015

I don't need the secondary device interfaces to be up, I'm only looking for the correct configuration to make the secondary device work during a fail over with the outside device over LACP.

I've read those design guides, but they seem to skip many Layer-2 scenarios and were written pre-LACP support.

Basically when I have the PA primary/secondary connected to separate AE's on an outside device, HA works fine.

In this one situation I have the PA primary/secondary connected to separate interfaces on the same AE of the outside device, and the HA failed. I need to find out if it's a valid setup and configuration, or if LACP won't work and I have to change it to a non-LACP LAG.

davis@udel.edu · ‎04-09-2015

I eventually found this document on LACP:

https://www.paloaltonetworks.com/documentation/61/pan-os/pan-os/networking/lacp-settings.html

the very last paragraph listed this statement which worked in my scenario and allowed the single SRX

tunnel to be LACP'd across both primary and secondary PA HA devices.

"When the LACP peers (also in HA mode) are virtualized (appearing to the network as a single device), selecting the Same System MAC Address for Active-Passive HA option for the firewalls is a best practice to minimize latency during failover"

Unlock your full community experience!

LACP and HA pair

LACP and HA pair

Show your appreciation!