This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Passive device aggregate interface down

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Palo Alto Networks Approved
Palo Alto Networks Approved
Community Expert Verified
Community Expert Verified

Passive device aggregate interface down

Go to solution
Jafar_Hussain
L4 Transporter

‎10-11-2021 05:39 AM

I have the firewall 3220 model in the 9.1.11 version in HA mode.

I can see all the aggregate interface in passive firewall is showing down. i want to know is this expected behaviour or not because I checked the below KB for some mode it is expected behaviour.

 

Aggregate Interface Down on Passive Device - Knowledge Base - Palo Alto Networks

 

moreover, my concern is at the last time the failover happen the passive device was not accessible as well as the traffic has stopped.

 

0 Likes Likes
1 accepted solution

Accepted Solutions

Go to solution
Jafar_Hussain
L4 Transporter
In response to Jafar_Hussain

‎10-26-2021 06:26 AM

@BPry 

The device was faulty. we replace the device.

 

View solution in original post

0 Likes Likes
4 REPLIES 4

Go to solution
BPry
Cyber Elite
Cyber Elite

‎10-12-2021 09:18 PM

@Jafar_Hussain,

By default, this is expected on a passive device. As the article that you have linked mentions, you can get the passive node to participate in LACP pre-negotiation by enabling it on the AE interface/s by going to the lamp tab and setting passive-pre-negotiation. 

This allows the passive interfaces to participate in LACP communication, but still drops the rest of the traffic on the passive node. 

Without knowing more about your network and configuration, it's hard to say why the failover would make the passive node unaccessible and cause all of your traffic to stop. You could have run into an LACP issue and your switch could have blocked the ports, or a number of other things that could cause outages. 

0 Likes Likes

Go to solution
Jafar_Hussain
L4 Transporter
In response to BPry

‎10-13-2021 04:28 AM - edited ‎10-13-2021 04:30 AM

@BPry 

 

I have configured AE1 group with interface ethernet 1/17 and ethernet 1/18

once I took the output for the active and passive that time I found the key for the partner I am not able to see on the passive firewall. below is the output:-

 

Active firewall output:-

***************************************************

AE group: ae1

Members:          Bndl Rx state       Mux state  Sel state

  ethernet1/17    yes  Current        Tx_Rx      Selected

  ethernet1/18    yes  Current        Tx_Rx      Selected

Status:           Enabled

Mode:             Active

Rate:             Slow

Max-port:         8

Fast-failover:    Disabled

Pre-negotiation:  Enabled

Local:            System Priority: 32768

                  System MAC:      x:x:x:x

                  Key:             16

Partner:          System Priority: 32768

                  System MAC:      x:x:x:x

                  Key:             11

Port State

--------------------------------------------------------------------------------

Interface                 Port

              Number Priority  Mode    Rate  Key      State

--------------------------------------------------------------------------------

ethernet1/17   80     32768    Active  Slow  16       0x3D

Partner        306    32768    Active  Slow  11       0x3D

 

ethernet1/18   81     32768    Active  Slow  16       0x3D

Partner        562    32768    Active  Slow  11       0x3D

 

Port Counters

--------------------------------------------------------------------------------

Interface         LACPDUs         Marker      Marker Response       Error

              Sent     Recv     Sent Recv     Sent     Recv     Unknown  Illegal

--------------------------------------------------------------------------------

ethernet1/17   111857   120904   0    0        0        0        0        0

ethernet1/18   111855   120931   0    0        0        0        0        0

*************************************************************************************

 

LACP output of the passive firewall"-

 

***********************************************************

AE group: ae1

Members:          Bndl Rx state       Mux state  Sel state

  ethernet1/17    no   Defaulted      Detached   Unselected(Peer not detected)

  ethernet1/18    no   Defaulted      Detached   Unselected(Peer not detected)

Status:           Enabled

Mode:             Active

Rate:             Slow

Max-port:         8

Fast-failover:    Disabled

Pre-negotiation:  Enabled

Local:            System Priority: 32768

                  System MAC:      x:x:x:x

                  Key:             16

Partner:          System Priority: 0

                  System MAC:      00:00:00:00:00:00

                  Key:             0

Port State

--------------------------------------------------------------------------------

Interface                 Port

              Number Priority  Mode    Rate  Key      State

--------------------------------------------------------------------------------

ethernet1/17   80     32768    Active  Slow  16       0x45

Partner        0      0        Passive Slow  0        0x00

 

ethernet1/18   81     32768    Active  Slow  16       0x45

Partner        0      0        Passive Slow  0        0x00

 

Port Counters

--------------------------------------------------------------------------------

Interface         LACPDUs         Marker      Marker Response       Error

              Sent     Recv     Sent Recv     Sent     Recv     Unknown  Illegal

--------------------------------------------------------------------------------

ethernet1/17   111943   0        0    0        0        0        0        0

ethernet1/18   111874   0        0    0        0        0        0        0

 

*************************************************************************************************

 

On the passive firewall output for the AE1 :- I noticed that the prenegotiation is enabled but I didn't get the partner MAC address even I didn't get the partner key for the ethernet 1/17 and ethernet 1/18.

 

Jafar_Hussain_1-1634124448926.png

 

 

One more point I highlight in the port counter LACPDU's the packets is sending but didn't receive any output.

Jafar_Hussain_0-1634124358897.png

I would like to know, is this expected or do I need to check something on this.

 

0 Likes Likes

Go to solution
Jafar_Hussain
L4 Transporter
In response to Jafar_Hussain

‎10-26-2021 06:26 AM

@BPry 

The device was faulty. we replace the device.

 

0 Likes Likes

Go to solution
Maria-Victoria
L1 Bithead
In response to Jafar_Hussain

‎04-22-2022 09:29 AM

hello is possible to know how was checked that the fw was faulty? I have the same problem

0 Likes Likes
  • 1 accepted solution
  • 6613 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks