03-19-2015 07:30 AM
My tested design has been to LACP between the same LAG (i.e. AE0) on the PA primary and secondary units, to different LAG entries (i.e. AE0, AE1) on the outside and inside equipment (both Juniper). I have one device though (Juniper SRX) that has VPN tunnel terminations on it that have to be declared as the end-points, so I can't use different LAG entries to each of the Primary and Secondary PA. So I put the Primary and Secondary PA connection points (AE0) into the same LAG (AE0) on the Juniper SRX under LACP and it runs with just the single connection OK. BUT, I tested the HA failover and the secondary PA failed to establish the LACP connection with the Juniper SRX and faulted the link.
How can I attach an HA pair of PAs to a single device if LACP isn't going to work? Is this a bug or do I need to not run LACP?
2015-03-19T06:49:50-04:00 10.10.24.201 fw user.crit 1,2015/03/19 06:49:50,007801001168,SYSTEM,lacp,0,2015/03/19 06:49:50,,unresponsive,ethernet1/3,0,0,general,critical,LACP interface ethernet1/3 moved out of AE-group ae4(peer is not responding to new LACP connection),90118,0x8000000000000000
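A detector for the LACP event in the log line above, added here as an example and not part of the original thread: it parses PAN-OS SYSTEM syslog lines (column names are assumed from the PAN-OS system log CSV layout) and flags member interfaces that drop out of an AE group, which is the condition to alert on when an HA failover test goes wrong. The two extra log lines in the sample input are constructed.

```python
import csv
import re
from io import StringIO

# Syslog header PAN-OS prepends: "<timestamp> <host> <tag> <facility.severity> <csv body>".
SYSLOG_HEADER = re.compile(r"^(?P<ts>\S+) +(?P<host>\S+) +(?P<tag>\S+) +(?P<pri>\S+) +(?P<body>1,.*)$")
# Column names assumed from the PAN-OS SYSTEM log CSV layout (17 fields).
SYSTEM_FIELDS = ["future_use", "receive_time", "serial", "type", "subtype", "future_use2",
                 "generated_time", "vsys", "event_id", "object", "future_use3", "future_use4",
                 "module", "severity", "description", "seqno", "action_flags"]
# Matches the description of the event quoted in the thread.
AE_GROUP_RE = re.compile(r"moved out of AE-group (?P<ae>[^(\s]+)\((?P<reason>[^)]*)\)")

def parse_system_log(line):
    """Return the named fields of one PAN-OS SYSTEM syslog line, or None if it is not one."""
    m = SYSLOG_HEADER.match(line.strip())
    if not m:
        return None
    row = next(csv.reader(StringIO(m.group("body"))))
    if len(row) < len(SYSTEM_FIELDS) or row[3] != "SYSTEM":
        return None
    rec = dict(zip(SYSTEM_FIELDS, row))
    rec["host"] = m.group("host")
    return rec

def lacp_ae_failures(lines):
    """Collect one alert per LACP member link that was dropped from its AE group."""
    alerts = []
    for line in lines:
        rec = parse_system_log(line)
        if rec is None or rec["subtype"] != "lacp":
            continue
        m = AE_GROUP_RE.search(rec["description"])
        if m is None:
            continue  # other lacp events (e.g. a link joining the group) are not failures
        alerts.append({"host": rec["host"], "serial": rec["serial"], "time": rec["generated_time"],
                       "interface": rec["object"], "ae": m.group("ae"),
                       "reason": m.group("reason"), "severity": rec["severity"]})
    return alerts
# Sample input: the line from the thread plus two constructed lines (a benign lacp event, a non-lacp event).
SAMPLE_LOGS = [
    "2015-03-19T06:49:50-04:00 10.10.24.201 fw user.crit 1,2015/03/19 06:49:50,007801001168,SYSTEM,lacp,0,2015/03/19 06:49:50,,unresponsive,ethernet1/3,0,0,general,critical,LACP interface ethernet1/3 moved out of AE-group ae4(peer is not responding to new LACP connection),90118,0x8000000000000000",
    "2015-03-19T06:50:01-04:00 10.10.24.201 fw user.info 1,2015/03/19 06:50:01,007801001168,SYSTEM,lacp,0,2015/03/19 06:50:01,,joined,ethernet1/4,0,0,general,informational,LACP interface ethernet1/4 moved into AE-group ae4,90119,0x8000000000000000",
    "2015-03-19T06:50:02-04:00 10.10.24.201 fw user.info 1,2015/03/19 06:50:02,007801001168,SYSTEM,general,0,2015/03/19 06:50:02,,general,,0,0,general,informational,HA state change,90120,0x8000000000000000",
]

if __name__ == "__main__":
    for a in lacp_ae_failures(SAMPLE_LOGS):
        print(f"{a['time']} {a['host']} {a['interface']} left {a['ae']}: {a['reason']}")
```

This event on the newly active unit right after a failover, with the peer reported as not responding, is what the failed HA test in this thread looks like in the system log.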
04-09-2015 07:22 AM
I eventually found this document on LACP:
https://www.paloaltonetworks.com/documentation/61/pan-os/pan-os/networking/lacp-settings.html
The very last paragraph listed this statement, which worked in my scenario and allowed the single SRX tunnel to be LACP'd across both primary and secondary PA HA devices.
"When the LACP peers (also in HA mode) are virtualized (appearing to the network as a single device), selecting the Same System MAC Address for Active-Passive HA option for the firewalls is a best practice to minimize latency during failover"
03-22-2015 05:38 AM
On a secondary device in an Active/Passive cluster all the interfaces are "down" and do not pass any traffic until they become the active node. If your design requires that the secondary interfaces be up, then you will need to use an Active/Active design and be careful about creating layer 2 loops.
Have you seen the reference design for using Active/Passive Palo Alto firewalls with AE bundles?
This is found on page 80 and following in the design guide. This may be what you are looking for in your network.
Designing Networks with Palo Alto Networks Firewalls
Diagrams and Tested Configurations
03-24-2015 06:10 AM
I don't need the secondary device interfaces to be up, I'm only looking for the correct configuration to make the secondary device work during a fail over with the outside device over LACP.
I've read those design guides, but they seem to skip many Layer-2 scenarios and were written pre-LACP support.
Basically when I have the PA primary/secondary connected to separate AE's on an outside device, HA works fine.
In this one situation I have the PA primary/secondary connected to separate interfaces on the same AE of the outside device, and the HA failed. I need to find out if it's a valid setup and configuration, or if LACP won't work and I have to change it to a non-LACP LAG.