Problems with Aggregate Ethernet in HA configuration



Hi all,

I'm setting up two PA-5020s in Active/Passive HA and I'm having some problems with Aggregate interfaces. I'm using 4 ethernet interfaces per device:

ae.1 - trust zone (two physical ethernet interfaces)

ae.2 - untrust zone (two physical ethernet interfaces)

The device is operating in L3 mode with static routes. If I use a single device, all works flawlessly.

If I try to enable HA I start getting packet loss (>5-10% in a LAN environment).

If I try to shut down one of the ports for each port-channel, I'm still getting packet loss.

I've also tried to reconfigure the HA pair without Aggregate interfaces and in this case all works perfectly.

I really cannot understand why I'm getting so much packet loss. It doesn't seem to be just an aggregate ethernet issue, because with a single device it works... it also doesn't seem to be only an HA issue, because in HA without aggregate ethernet interfaces it just works perfectly... but when I'm using both AE and HA it just blows up 😞

On the switch side, all seems ok, no errors, nothing strange.

Here are some configuration snippets, maybe it's just a stupid issue... I'm a newb with this gear 😉

The switch configuration (Cisco 3750 right now, also tried with a 6509 with the same results):

interface Port-channel9
description * FW1 - Trust *
switchport trunk encapsulation dot1q
switchport trunk native vlan 900
switchport trunk allowed vlan 900
switchport mode trunk
switchport nonegotiate
spanning-tree portfast trunk
!
interface Port-channel10
description * FW1 - Untrust *
switchport trunk encapsulation dot1q
switchport trunk native vlan 901
switchport trunk allowed vlan 901
switchport mode trunk
switchport nonegotiate
spanning-tree portfast trunk
!
interface Port-channel19
description * FW2 - Trust *
switchport trunk encapsulation dot1q
switchport trunk native vlan 900
switchport trunk allowed vlan 900
switchport mode trunk
switchport nonegotiate
spanning-tree portfast trunk
!
interface Port-channel20
description * FW2 - Untrust *
switchport trunk encapsulation dot1q
switchport trunk native vlan 901
switchport trunk allowed vlan 901
switchport mode trunk
switchport nonegotiate
spanning-tree portfast trunk
!
interface FastEthernet1/0/1
description * PAN-FW1 - Trust *
switchport trunk encapsulation dot1q
switchport trunk native vlan 900
switchport trunk allowed vlan 900
switchport mode trunk
switchport nonegotiate
channel-group 9 mode on
spanning-tree portfast trunk
!
interface FastEthernet1/0/2
description * PAN-FW1 - Trust *
switchport trunk encapsulation dot1q
switchport trunk native vlan 900
switchport trunk allowed vlan 900
switchport mode trunk
switchport nonegotiate
channel-group 9 mode on
spanning-tree portfast trunk
!
interface FastEthernet1/0/3
description * PAN-FW1 - Untrust *
switchport trunk encapsulation dot1q
switchport trunk native vlan 901
switchport trunk allowed vlan 901
switchport mode trunk
switchport nonegotiate
channel-group 10 mode on
spanning-tree portfast trunk
!
interface FastEthernet1/0/4
description * PAN-FW1 - Untrust *
switchport trunk encapsulation dot1q
switchport trunk native vlan 901
switchport trunk allowed vlan 901
switchport mode trunk
switchport nonegotiate
channel-group 10 mode on
spanning-tree portfast trunk
!
interface FastEthernet1/0/13
description * PAN-FW2 - Trust *
switchport trunk encapsulation dot1q
switchport trunk native vlan 900
switchport trunk allowed vlan 900
switchport mode trunk
switchport nonegotiate
channel-group 19 mode on
spanning-tree portfast trunk
!
interface FastEthernet1/0/14
description * PAN-FW2 - Trust *
switchport trunk encapsulation dot1q
switchport trunk native vlan 900
switchport trunk allowed vlan 900
switchport mode trunk
switchport nonegotiate
channel-group 19 mode on
spanning-tree portfast trunk
!
interface FastEthernet1/0/15
description * PAN-FW2 Untrust *
switchport trunk encapsulation dot1q
switchport trunk native vlan 901
switchport trunk allowed vlan 901
switchport mode trunk
switchport nonegotiate
channel-group 20 mode on
spanning-tree portfast trunk
!
interface FastEthernet1/0/16
description * PAN-FW2 Untrust *
switchport trunk encapsulation dot1q
switchport trunk native vlan 901
switchport trunk allowed vlan 901
switchport mode trunk
switchport nonegotiate
channel-group 20 mode on
spanning-tree portfast trunk
!
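As an added example (not code from the thread, the poster, or the vendor), a consistency check a practitioner would run on a switch config like the one above before suspecting the firewall: every member port of a channel-group should carry the same switchport settings and the same bundling mode as its Port-channel parent, since a mismatched member is a classic cause of a flapping bundle and packet loss. SAMPLE_CONFIG and the function names are assumptions; the sample is constructed, modelled on the posted snippet.

```python
# Added example, not from the thread. SAMPLE_CONFIG is constructed, modelled on the
# posted switch config, with FastEthernet1/0/2 deliberately inconsistent with its bundle.
import re

SAMPLE_CONFIG = """
interface Port-channel9
 switchport trunk native vlan 900
!
interface FastEthernet1/0/1
 switchport trunk native vlan 900
 channel-group 9 mode on
!
interface FastEthernet1/0/2
 switchport trunk native vlan 901
 channel-group 9 mode active
!
"""

def parse_interfaces(text):
    """Map each interface name to the set of its stripped config lines."""
    ifaces, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            ifaces[current] = set()
        elif line == "!":
            current = None
        elif line and current:
            ifaces[current].add(line)
    return ifaces

def check_channel_groups(text):
    """Return mismatch descriptions; an empty list means every bundle is consistent."""
    ifaces, groups, findings = parse_interfaces(text), {}, []
    for name, lines in ifaces.items():
        for m in filter(None, (re.match(r"channel-group (\d+) mode (\S+)", l) for l in lines)):
            sw = {l for l in lines if l.startswith("switchport")}
            groups.setdefault(m.group(1), []).append((name, m.group(2), sw))
    for gid, members in sorted(groups.items()):
        parent = ifaces.get(f"Port-channel{gid}")
        if parent is None:
            findings.append(f"channel-group {gid}: no Port-channel{gid} stanza")
            continue
        parent_sw = {l for l in parent if l.startswith("switchport")}
        if len({mode for _, mode, _ in members}) > 1:
            findings.append(f"channel-group {gid}: members use different bundling modes")
        for name, _, sw in members:
            for diff in sorted(sw ^ parent_sw):
                findings.append(f"{name} vs Port-channel{gid}: only one side has '{diff}'")
    return findings
```

Run it against a `show running-config` dump; the posted config above yields no findings, while the constructed sample reports the mixed bundling mode and the native VLAN mismatch on FastEthernet1/0/2.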

5 REPLIES

Am I correct in understanding that the AE config works when you don't have HA enabled?

If so, can you share your HA config?

Yes, you are right; attached you'll find my HA config!

I'm not using preemption and link monitoring right now. The only thing I added, just to be sure, is a backup dataplane link. All the links are directly connected between the firewalls with cross cables.

I also tried to change the Passive Link State to Auto, as suggested by the documentation, but the problems persist...

thanks!

marco

I don't see anything obviously wrong (though since this is an L3 deployment, you should change the interface state back to 'auto').

What is happening with spanning tree during the packet loss?

Is anything logged to the switch, or to the system log on the firewall?

Can you check interface stats on the switch and the firewall to see if there are any interface errors?

Problem solved.

Just updated PAN-OS version from 4.1.1 to 4.1.3 and now it's working!

BTW, I didn't find anything in the release notes...

Excellent! Glad it is working.
