05-14-2019 04:14 AM
I have a strange issue.
I am setting up a new 850 HA pair A/P
To the outside world is a LACP Aggregate, connected to a HP switch.
All was going well when testing, I can ping a dummy device (laptop) fine on the outside switch from the firewall.
But when I connect the firewall to the upstream router, pings to Google all get ( DUP ).
If I connect the laptop to the upstream, pings are normal.
Our other old PA3020 cluster is fine?
05-14-2019 08:07 AM
So, in the diagram below.
LEFT SIDE
FW2 is connected on an aggregate to an HP Aruba; the Aruba has a standard LACP-enabled trunk.
The Aruba connects on to a Cisco Catalyst, and then onto the ISP router....
In this configuration, every packet seems to be reported as duplicate on the CLI.
If I remove one link the issue persists.
RIGHT SIDE
FW2 is connected on a single L3 to an HP Aruba.
The Aruba connects on to a Cisco Catalyst, and then onto the ISP router....
In this configuration, every packet seems normal.
Conclusion
None so far, I am thinking it may be cosmetic.
05-14-2019 08:46 AM
1. What is FW1 doing?
2. We've had many issues with HP equipment, LACP and STP. I'd look into firmware upgrades to see if this fixes your issue. You could also try forcing the aggregate and disabling LACP (even though I wouldn't recommend this unless you are desperate).
05-14-2019 09:10 AM
FW1 is an existing install protecting a different network.
I need to do a little more testing but with a Windows workstation on the trusted network I get a normal solid/clean ping response.
The HP stuff is not for production, there's a stack of them waiting to go out to branches so I borrowed one whilst waiting on a pair of Catalysts to turn up.
Rob
05-14-2019 09:25 AM
Have you tried removing the Aruba from the equation and going straight to the Cisco? Is the Aruba even necessary?
05-15-2019 12:25 AM
I don't want to mess too much with the production Edge Switches, they are only set up with a single port not a port-group.
We will be migrating all ISP connections to the new Stacked Catalysts eventually.
I will plug it back in today and monitor the connections.
Cheers
Rob
05-15-2019 06:35 AM
I only ask because I have had issues with HP switches and LACP in the past. I'm not as familiar with the newer Aruba/Procurves but I know they are going through some growing pains. If you are hunting around for switch brands, don't forget to check out Juniper.
05-17-2019 04:37 AM
My Windows VM connected to the FW does not show a DUP.
My Linux VM connected to the FW does show a DUP.
It's got to be something with the ARUBA and its LACP.... Wish the Ciscos would turn up.
Rob
05-31-2019 10:34 AM
Cisco C9200's turned up yesterday, got them stacked together and configured.
Moved the Palos from their test location to the rack with the Ciscos..
Connected everything up in the expected way.
Ping to Google..
17.1ms
17.1ms
etc..
Not a single DUPE, super solid.
So thanks HP/ARUBA, another great product you have there..
Rob
06-03-2019 07:02 AM
No comment... HA!
Notice, there is no surprised look on this face. Sorry you had to deal with this. I really do feel your pain.