LACP from Palo 3020 Active - Passive to Cisco switch

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

LACP from Palo 3020 Active - Passive to Cisco switch

L1 Bithead

Hi All

After some help from the Guru's.

I am trying to configure LACP between PA 3020 Active / Passive and cisco switch.

I have created the AE group interface Inside with the ip address.

I have added 2 interfaces to the AE Group on each FW.

 

I have created a portchannel on the Cisco switch and put the 2 ports from the Active Palo and 2 ports from the Passive Palo into the same channel-group.

 

The Active FW is all good and working fine, the Passive FW is connected but the Port channel is suspended on the cisco end for the Passive FW conected ports.

 

Is this correct?

I am worried if the Active FW fails over and the Passive goes active its ports are suspended so wont come online.

 

Any advise greatly appreciated 

 

Simon

1 accepted solution

Accepted Solutions

L7 Applicator

I did something similar to this in the lab.  You need 2 port channels on the Cisco switch.  One for the Active firewall, and the other for the Passive firewall.  

 

If you set "Passive Link State" to Auto in the High Availability configuration, then you should be able to enable pre-negotiation for the passive firewall.  At this point, the Cisco switch should show both port-channels up and ready to go - reducing failover time.  

 

 

View solution in original post

7 REPLIES 7

L7 Applicator

Hi @Simon.Cardman

 

https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/high-availability/configure-active-p...

 

Did you configure your HA pair according to the mentionned documentation? Specially Step 12 and 14?

 

Regards,

Remo

Hi Remo

Yes, just double checked and it is the same.

I wonder whether this is the norm, I am new to Palo so not done this before.

All interfaces are identical.

Hopefully someone has done this before and will advise.

 

thanks

 

Simon

What PAN-OS Version are you using?

7.1.4-h2

@Simon.Cardman,

Good lord update your build. There have been multiple fixes specific to pre-negotiation in later 7.1.* and you are running a very early build of 7.1 that most didn't run in production enviroments to begin with. 

The suspended ports don't really bring to much of a worry to me; they aren't going to be active in the same LACP group because the ports themselves are droping all traffic that heads there way. So as soon as an HA event is triggered the passive firewall stops dropping the packets and the Cisco will move them out of a suspended state and into an active state. You'll see the links that are currently active going to your currently active firewall move into a suspended state shortly after, as they'll start dropping all packets as well. 

The interesting thing with the way you are configured is that you've put everything into the same PO on your Cisco gear. I would say this isn't really a common configuration in an HA enviroment as the gear wouldn't be plugged into the same switch on your active and passive firewalls. Usually you would have the active gear on one switch and the passive on another to prevent a switch failure taking out your entire network. 

 

tldr: Yes this is expected and perfectly fine, since the passive firewall is dropping all incoming packets to it's ports the Cisco will move the ports into a suspended state. Once the failover takes place the ports will start accepting traffic and the Cisco side of things will move to active. Please update your firewall 😉

 

L7 Applicator

I did something similar to this in the lab.  You need 2 port channels on the Cisco switch.  One for the Active firewall, and the other for the Passive firewall.  

 

If you set "Passive Link State" to Auto in the High Availability configuration, then you should be able to enable pre-negotiation for the passive firewall.  At this point, the Cisco switch should show both port-channels up and ready to go - reducing failover time.  

 

 

@jvalentine

 

I wasn't sure whether they had to be same or different group. This could be the issue.

A lack of documentation for the type of network vendor you are connecting to. But thank you for your advice.

 

@BPry

Agreed, need to upgrade at some point, but global company so we all upgrade together. The Cisco side is VSS cluster so one logical switch but two physical switches. Thanks for your input.

  • 1 accepted solution
  • 14410 Views
  • 7 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!