09-30-2015 08:15 AM
We have an HA A/P PA-7050 cluster running 7.0.2 with QNPC (40G). The 40G links are bundled in AE1 with LACP enabled. We noticed during testing that LACP causes 8-10 ping loss during a fail-over event. With LACP disabled we have a 1 ping loss during fail-over events.
The LACP settings we have are the following:
The remote side has been verified to reflect a compatible setup to this. Has anyone else noticed this issue?
09-30-2015 08:38 AM
By playing with switch side LACP and Spanning-Tree timers, you can probably achieve 1-4 seconds failover.
Yet don't look for instant/no loss failover with LACP on PANOS, this may come in next release. If you need absolutely transparent/least impact then switch back to non-LACP aggregation.
09-30-2015 08:52 AM
Thanks cpainchaud,
We will be disabling LACP until this feature is optimized.
09-30-2015 09:01 AM - edited 09-30-2015 09:01 AM
Hi,
I'm currently configuring an aggregate link (2x 10Gb) to a Nexus switch with LACP enabled and we have the exact same problem. What I don't understand is that the LACP negotiation seems fast enough, but then traffic does not go through for a couple of seconds. I'll check with the telecom team if they can tweak some timers as suggested.
Benjamin
09-30-2015 09:03 AM
Hi,
Have you heard something to that effect (instant/no loss failover in next release)?
Benjamin
09-30-2015 09:05 AM
As usual, this kind of info cannot be disclosed publicly. Please reach your PAN representative to obtain such an answer.
Very sorry about that 🙂
09-30-2015 09:14 AM
No problem, I'll check with my SE.
10-05-2016 12:03 PM
Exact same issue for me as well. Currently testing PA-7050 with Cisco Nexus, 2x10G LACP. With PAN HA interface as Auto vs. Shutdown, there is zero to one ping drop. I had tested even with voice call going on and there is no service disruption. With LACP, it is 8-12 ping drops. Even after the peer is detected, it takes time to actually pass the traffic. I will check with my SE as well.
What is the PAN LACP recommended mode, Active or Passive?
10-07-2016 12:19 PM - edited 10-07-2016 12:21 PM
Do you have version 7.1.x? There is a new feature to have LACP active on passive firewall node (Enable LACP active pre-negotiation for an HA passive firewall):