This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

LACP in HA issue

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

LACP in HA issue

niuk
L3 Networker

‎06-25-2016 05:47 AM

I have a pair of PAN 5060 (v.7.1.2) firewalls  in HA Passive/Active connected with LACP to pair of core Nexus 9000 switches. From time to time (every hour or few) connectivity to active firewall is faling (can't ping firewall LACP L3 interface ip address from core) for a few sec. When it happens I noticed presence of MAC adddress of firewall on the core switch where passive HA cluster member is connected but failover is not a case here (there is neither no reason not trace of failover).  When connectivity is restored I can see MAC address of firewall back on core switch where active firewall is connected.

1 person had this problem.
0 Likes Likes
6 REPLIES 6

nextgenhappines
L4 Transporter

‎06-25-2016 06:12 PM

1.   Any pattern/specific time frame when does this issue happen?

1.   Have you try to run continue ping from a host behind the firewall to outside of the firewall?

2.   Have you try to turn off LACP on the firewall and 9K ?

 

-E

0 Likes Likes

niuk
L3 Networker
In response to nextgenhappines

‎07-03-2016 04:17 AM

No specific time frame, every hour or few. I've not try to turn off LACP neither ping from host behind the firewall to outside of the firewall. I was advised to trigger a GARP and catpure it. 

0 Likes Likes

pulukas
L7 Applicator
In response to niuk

‎07-03-2016 04:39 AM

Can you confirm that spanning tree is not enabled on the Nexus ports and potentially moving to blocking on the active link port.

 

If there is no spanning tree, then TAC is correct no mac migration should occur outside of a bug in the PanOS causing the passive device to arp this address.  the packet captures should confirm the exact behavior.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center
0 Likes Likes

niuk
L3 Networker
In response to pulukas

‎07-06-2016 05:23 AM

Spanning tree is enabled on switch for that vlan where firewalls lives in. But there was no changes of active ports when firewall MAC appeared (on switch where Passive is connected)

0 Likes Likes

OtakarKlier
Cyber Elite
Cyber Elite
In response to niuk

‎07-08-2016 02:23 PM

Hello,

I agree with pulukas, try disabling spanning tree on just those ports where the PAN's are connected and see if that resolves the issue.

 

Regards,

0 Likes Likes

pulukas
L7 Applicator
In response to niuk

‎07-10-2016 04:01 AM

If there is no spanning tree port status change, then this does have to be a bug.  The mac move should not occur in that scenario.

Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP)
ACE PanOS 6; ACE PanOS 7; ASE 3.0; PSE 7.0 Foundations & Associate in Platform; Cyber Security; Data Center
0 Likes Likes
  • 4086 Views
  • 6 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks