03-25-2018 06:02 PM - edited 03-25-2018 06:04 PM
I would just like to verify the normal behavior of LACP in an Active/Passive HA setting.
Currently we have a pair of PA-3060 running 6.1.10 in active/passive. Both devices have LACP bundles towards a Cisco router.
On the active firewall the LACP negotiates properly but on the passive firewall the interfaces shows up but doesnt negotiate the LACP session. Also on the Cisco router the portchannel towards the passive firewall goes into a suspended state since it detects that LACP is not enabled on the remote port.
Is this the normal behavior? or is the prenegotiation of LACP for the passive firewall avaiable on this version or newer ones?
We are usually getting syslog messages from our Cisco router that the interfaces are down, and we need to check whether if its actually down or just connected to the passive firewall. We would like to minimize this false positives.
03-25-2018 07:08 PM
This was added in PAN-OS 7.1 and should work with the PA-3000 series. See the following documentation link from the PAN-OS 7.1 "new features guide":
In releases before 7.1, it is expected that the passive firewall will not have an active LACP session and won't attempt to negotiate LACP until after it becomes the active firewall.
03-25-2018 08:01 PM
03-25-2018 09:27 PM
When you said active links, is it the physical links or the aggregated interface?
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!