This website uses cookies essential to its operation, for analytics, and for personalized content. By continuing to browse this site, you acknowledge the use of cookies.
For details on cookie usage on our site, read our Privacy Policy
For details on cookie usage on our site, read our Privacy Policy
About davis@udel.edu
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- LIVEcommunity
- About davis@udel.edu
08-15-2017
3Posts
4Likes
1Solution
Aug 15, 2017Last Visited
User
Activity
User
Profile
Latest posts by davis@udel.edu
| Subject | Views | Posted |
|---|---|---|
| 6517 | 04-09-2015 07:22 AM | |
| 6511 | 03-24-2015 06:10 AM | |
| 6829 | 03-19-2015 07:30 AM |
My Liked Posts
| Subject | Likes | Posted |
|---|---|---|
| 4 Likes | 04-09-2015 07:22 AM |
User Badges
Community Statistics
| Member Since | 10-07-2014 12:47 PM |
| Date Last Visited | 08-15-2017 07:03 AM |
| Posts | 3 |
| Total Likes Received | 4 |
04-09-2015
07:22 AM
4 Kudos
I eventually found this document on LACP: https://www.paloaltonetworks.com/documentation/61/pan-os/pan-os/networking/lacp-settings.html the very last paragraph listed this statement which worked in my scenario and allowed the single SRX tunnel to be LACP'd across both primary and secondary PA HA devices. " When the LACP peers (also in HA mode) are virtualized (appearing to the network as a single device), selecting the Same System MAC Address for Active-Passive HA option for the firewalls is a best practice to minimize latency during failover "
... View more
03-24-2015
06:10 AM
I don't need the secondary device interfaces to be up, I'm only looking for the correct configuration to make the secondary device work during a fail over with the outside device over LACP. I've read those design guides, but they seem to skip many Layer-2 scenarios and were written pre-LACP support. Basically when I have the PA primary/secondary connected to separate AE's on an outside device, HA works fine. In this one situation I have the PA primary/secondary connected to separate interfaces on the same AE of the outside device, and the HA failed. I need to find out if it's a valid setup and configuration, or if LACP won't work and I have to change it to a non-LACP LAG.
... View more
03-19-2015
07:30 AM
My tested design has been to LACP between the same LAG (i.e. AE0) on the PA primary and secondary units, to different LAG entries (ie. AE0, AE1) on the outside and inside equipment (Both Juniper). I have one device though (Juniper SRX) that has VPN tunnel terminations on it that have to be declared as the end-points, so I can't use different LAG entries to each of the Primary and Secondary PA. So I put the Primary and Secondary PA connection points (AE0) into the same LAG (AE0) on the Juniper SRX under LACP and it runs with just the single connection ok. BUT, I tested the HA failover and the secondary PA failed to establish the LACP connection with the Juniper SRX and faulted the link. How can I attach a HA pair of PA's to a single device if LACP isn't going to work? Is this a bug or do I need to not run LACP? 2015-03-19T06:49:50-04:00 10.10.24.201 fw user.crit 1,2015/03/19 06:49:50,007801001168,SYSTEM,lacp,0,2015/03/19 06:49:50,,unresponsive,ethernet1/3,0,0,general,critical,LACP interface ethernet1/3 moved out of AE-group ae4(peer is not responding to new LACP connection),90118,0x8000000000000000
... View more
Labels:
- Labels:
-
Configuration
-
Networking
-
Troubleshooting
LEGAL NOTICES
Copyright 2007 - 2023 - Palo Alto Networks