03-22-2019 07:33 AM
Hello team,
In an HA environment, with pre-negotiation for LACP disabled, but passive link state set to "Auto" in the HA configuration, if all physical interfaces show as up, is the AE (Aggregated Interface) supposed to be up or down, as the partner (Cisco Switch) is showing suspended on the LACP interface?
Also from PA the CLI is showing no partner:
AE group: ae1
Members:        Bndl  Rx state       Mux state  Sel state
  ethernet1/1   no    Defaulted      Detached   Unselected(Link down)
  ethernet1/2   no    Port Disabled  Detached   Unselected(Link down)
Status: Enabled
  Mode: Active
  Rate: Slow
  Max-port: 8
  Fast-failover: Disabled
  Pre-negotiation: Disabled
Local:
  System Priority: 32768
  System MAC: 00:56:4c:60:32:45
  Key: 19
Partner:
  System Priority: 0
  System MAC: 00:00:00:00:00:00
  Key: 0
Port State
--------------------------------------------------------------------------------
Interface     Port Number  Priority  Mode     Rate  Key  State
--------------------------------------------------------------------------------
ethernet1/1   74           32768     Active   Slow  19   0x45
  Partner     0            0         Passive  Slow  0    0x00
ethernet1/2   75           32768     Active   Slow  19   0x45
  Partner     0            0         Passive  Slow  0    0x00
LACP is configured as Active - Active between PA and Cisco switch.
Is this the normal behaviour, and a failover will turn the interface up, or is there a misconfiguration or an issue here?
Thanks
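The State column in the output above (0x45 local, 0x00 partner) is the LACP port-state octet. The following added example, which is not part of the original post or of any Palo Alto tooling, decodes it using the IEEE 802.1AX bit layout; the function names and the 0x3D "bundled" sample are constructed for illustration.

```python
# LACP port-state octet flags per IEEE 802.1AX, bit 0 = least significant.
LACP_STATE_BITS = (
    "Activity", "Timeout", "Aggregation", "Synchronization",
    "Collecting", "Distributing", "Defaulted", "Expired",
)
FORWARDING = ("Synchronization", "Collecting", "Distributing")


def decode_lacp_state(value):
    """Return {flag: bool} for a state octet given as an int or a '0x..' string."""
    if isinstance(value, str):
        value = int(value, 16)
    if not 0 <= value <= 0xFF:
        raise ValueError("LACP state is a single octet")
    return {name: bool(value >> bit & 1)
            for bit, name in enumerate(LACP_STATE_BITS)}


def set_flags(value):
    """List only the flags that are set, in bit order."""
    return [name for name, on in decode_lacp_state(value).items() if on]


def link_status(local, partner):
    """Classify one member port from its local and partner state octets."""
    loc, par = decode_lacp_state(local), decode_lacp_state(partner)
    if loc["Defaulted"] and not any(par.values()):
        # No LACPDU has been received: partner fields are defaults (all zero).
        return "no-partner"
    if all(loc[f] and par[f] for f in FORWARDING):
        return "bundled"
    return "negotiating"


if __name__ == "__main__":
    # (local, partner) pairs: the first is from the CLI output in the post,
    # the second is a constructed example of a healthy, bundled member.
    samples = {"ethernet1/1 (from post)": ("0x45", "0x00"),
               "constructed healthy port": ("0x3D", "0x3D")}
    for name, (local, partner) in samples.items():
        print(f"{name}: local={set_flags(local)} "
              f"partner={set_flags(partner)} -> {link_status(local, partner)}")
```

For 0x45 the set flags are Activity, Aggregation and Defaulted: the firewall port is configured active and aggregatable but is running on default partner information, which matches the all-zero Partner section of the output.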
03-22-2019 11:09 AM
Hello,
I may have missed it but are your PAN's Active/Passive or Active/Active regarding HA?
Please advise,
03-22-2019 02:32 PM
Seems it is by design: on passive, LACP is down.
03-22-2019 05:47 PM
Hello,
In an active/passive HA model, the passive interfaces are shutdown.
Regards,
03-24-2019 04:46 AM
Thank you @OtakarKlier and @MP18 for the replies,
It is Active/Passive on the firewalls but LACP is Active on all components (PA HA and Switches).
Passive link state is auto and the physical interfaces are up on the replica but AE interfaces are down, and on the switch that is communicating with the passive it is suspended.
It seems that this is the normal behaviour, but will pre-negotiate turn it to up, or will it only show the partner's MAC address?
Thanks
03-24-2019 10:11 AM
As per my understanding, pre-negotiate turns it to up.
03-24-2019 01:07 PM
Currently, as you have it configured, a failover would cause the switch and the firewall to go through the entire LACP negotiation process; as this process takes a small amount of time, traffic would be disrupted until LACP can actually form and the interfaces start passing traffic.
Pre-Negotiation will turn the interfaces online so that they can start passing traffic just as quickly as a normal interface following a failover.
03-25-2019 10:18 AM
Also, in our setup we have the interface in HA as auto, so on the passive PA they are green.
For LACP we do not have pre-negotiation.
If we enable pre-negotiation for LACP, will that make the interface on the passive PA green?
Please confirm.
03-25-2019 03:43 PM - edited 03-25-2019 03:44 PM
Yes. That's exactly what prenegotiation does. It "prenegotiates" the LACP EtherChannel (Ciscoeze language). LACPBDUs are passed but there is no "active firewall" traffic (ie - IPs/etc).