PA-7050 LACP causing delay in fail-over times


L4 Transporter

We have an HA A/P PA-7050 cluster running 7.0.2 with QNPC (40G). The 40G links are bundled in AE1 with LACP enabled. We noticed during testing that LACP causes 8-10 ping loss during a fail-over event. With LACP disabled we have a 1 ping loss during fail-over events.

The LACP settings we have are the following:

 

[Image: lacp.jpg]

The remote side has been verified to reflect a compatible setup to this. Has anyone else noticed this issue?


Accepted Solutions

L4 Transporter

By playing with switch side LACP and Spanning-Tree timers, you can probably achieve 1-4 seconds failover.

 

Yet don't look for instant/no loss failover with LACP on PANOS, this may come in next release. If you need absolutely transparent/least impact then switch back to non-LACP aggregation.


Thanks cpainchaud,

 

We will be disabling LACP until this feature is optimized.

 

L4 Transporter

Hi,

 

I'm currently configuring an aggregate link (2x 10Gb) to a Nexus switch with LACP enabled and we have the exact same problem. What I don't understand is that the LACP negotiation seems fast enough, but then traffic does not go through for a couple of seconds. I'll check with the telecom team if they can tweak some timers as suggested.

 

Benjamin

Hi,

 

Have you heard something to that effect (instant/no loss failover in next release)?

 

Benjamin

As usual, this kind of info cannot be disclosed publicly. Please reach your PAN representative to obtain such an answer.

 

Very sorry about that 🙂

No problem, I'll check with my SE.

L4 Transporter

Exact same issue for me as well. Currently testing PA-7050 with Cisco Nexus, 2x10G LACP. With PAN HA interface as Auto vs. Shutdown, there is zero to one ping drop. I had tested even with voice call going on and there is no service disruption. With LACP, it is 8-12 ping drops. Even after the peer is detected, it takes time to actually pass the traffic. I will check with my SE as well.

 

What is the PAN LACP recommended mode, Active or Passive?

Do you have version 7.1.x? There is a new feature to have LACP active on passive firewall node (Enable LACP active pre-negotiation for an HA passive firewall):

 

https://www.paloaltonetworks.com/documentation/71/pan-os/newfeaturesguide/networking-features/lacp-a...

 
