This website uses Cookies. By clicking Accept, you agree to the storing of cookies on your device to enhance your community and translation experience. Read our Privacy Policy.
Click Preferences to customize your cookie settings.
Accept
Reject
Preferences

Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

Port Channels in a Active / Passive VWire Environment

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Port Channels in a Active / Passive VWire Environment

mlinsemier
L4 Transporter

‎11-04-2016 07:47 AM - edited ‎11-04-2016 07:49 AM

We have a couple instances in our environment where we are using VWire where port-channels are located on either side of the Palo Alto device.  Also, in this cases, we are running a Palo Alto cluster in Active/Passive HA.

 

In all cases that I have tried, either with LACP (using pre-negotiation) as well as non-LACP (channel mode on), I am unable get any configuration to work.  As soon as the second port in the channel comes up on the passive Palo Alto firewall, traffic stops routing. 

 

The most simple configuration is this:

 

 Cisco 6509 #1 G1/3 ---> Port Channel ( Palo Alto VWire Active ) Port Channel <--- G0/0 Router #1

 Cisco 6509 #1 G2/3 ---> Port Channel ( Palo Alto VWire Passive ) Port Channel <--- G0/1 Router #1

 

In channel mode on, it appears to the switch that both of the ports are participating in the Port Channel, however obviously only one of them G0/0 is up as the other Palo Alto is in Passive mode (Auto) where the port is brought up but no traffic is forwarding.  If i shut down the second port in the Port Channel, traffic begins routing as normal.

 

Does anyone here have any expereince with this and is this even feasible in an Active/Passive configuration?  I really need that sub second response that you get in a Layer 3 Active / Passive configuration.  I have tested channel mode on PAN-OS 7.0.8 and LACP pre-negotiation on PAN-OS 7.1.4h2 both with the same results.

 

Matt

 

0 Likes Likes
4 REPLIES 4

RFalconer
L3 Networker

‎11-04-2016 11:14 AM

On gig1/3 and gig2/3, do you have 'no switchport' configured? It almost sounds like bpdus are getting across the HA link and being sent back down the passive link.

Have you done a packet capture on the vwire interface during the port channel failure facing gi2/3 to see if anything is egressing?

0 Likes Likes

mlinsemier
L4 Transporter
In response to RFalconer

‎11-04-2016 03:06 PM

This is a L2 VWire, not a L3 implementation.  The Palo Altos sit as a bump-on-the-wire device transparently.  They don't participate directly in any port-channel configurations.  

0 Likes Likes

epeeler
L2 Linker
In response to mlinsemier

‎09-29-2017 07:31 AM

Did you ever get a resolution to this?

0 Likes Likes

TomMeadows
L2 Linker
In response to mlinsemier

‎10-01-2017 02:55 AM

I too would be interested to know if it is possible to use port-channels as a resilience model in an Active-Passive Palo Alto environment. Does anyone do this, or know whether it is possible?

 

Thanks,

0 Likes Likes
  • 3971 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

LEGAL NOTICES
RESOURCES
Khoros awards 2022
Copyright 2007 - 2024 - Palo Alto Networks