For details on cookie usage on our site, read our Privacy Policy
LACP from Palo 3020 Active - Passive to Cisco switch
- LIVEcommunity
- Discussions
- General Topics
- LACP from Palo 3020 Active - Passive to Cisco switch
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Printer Friendly Page
- Mark as New
- Subscribe to RSS Feed
- Permalink
08-03-2017 05:36 AM
Hi All
After some help from the Guru's.
I am trying to configure LACP between PA 3020 Active / Passive and cisco switch.
I have created the AE group interface Inside with the ip address.
I have added 2 interfaces to the AE Group on each FW.
I have created a portchannel on the Cisco switch and put the 2 ports from the Active Palo and 2 ports from the Passive Palo into the same channel-group.
The Active FW is all good and working fine, the Passive FW is connected but the Port channel is suspended on the cisco end for the Passive FW conected ports.
Is this correct?
I am worried if the Active FW fails over and the Passive goes active its ports are suspended so wont come online.
Any advise greatly appreciated
Simon
Accepted Solutions
- Mark as New
- Subscribe to RSS Feed
- Permalink
08-03-2017 12:27 PM
I did something similar to this in the lab. You need 2 port channels on the Cisco switch. One for the Active firewall, and the other for the Passive firewall.
If you set "Passive Link State" to Auto in the High Availability configuration, then you should be able to enable pre-negotiation for the passive firewall. At this point, the Cisco switch should show both port-channels up and ready to go - reducing failover time.
- Mark as New
- Subscribe to RSS Feed
- Permalink
08-03-2017 05:58 AM
Did you configure your HA pair according to the mentionned documentation? Specially Step 12 and 14?
Regards,
Remo
- Mark as New
- Subscribe to RSS Feed
- Permalink
08-03-2017 06:26 AM
Hi Remo
Yes, just double checked and it is the same.
I wonder whether this is the norm, I am new to Palo so not done this before.
All interfaces are identical.
Hopefully someone has done this before and will advise.
thanks
Simon
- Mark as New
- Subscribe to RSS Feed
- Permalink
08-03-2017 06:40 AM
What PAN-OS Version are you using?
- Failover but Cannot access WebGUI in General Topics
- physical cabling for HA Active/Active in Best Practice Assessment Discussions
- Global protect VPN disconnecting multiple times in GlobalProtect Discussions
- VM Series in Azure - Active/Passive or Active/Active in VM-Series in the Public Cloud
- MS-Azure - PA - active-active HA setup in VM-Series in the Public Cloud
Show your appreciation!
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
