How to set up AUX ports as high-availability ports

Created On 12/31/18 03:38 AM - Last Modified 05/11/20 21:38 PM


Objective


On PA-5200 platforms, the AUX ports can be used as HA1 ports if SFP+ support is needed. This article describes the steps to configure the AUX ports as HA ports.

Environment


  • PAN-OS 8.0, 8.1
  • Palo Alto 5200 series Firewall.


Procedure


Verify the Port Connectivity:
  1. Enable the AUX-1/AUX-2 port on both devices under Device > Setup > Interfaces. Do not assign an IP address at this point.
  2. Install PAN Supported SFP+ modules on both devices and connect them with a fiber cable.
  3. Make sure the links come up. Collect the output of "debug system interface-xcvr-info aux-1" or "debug system interface-xcvr-info aux-2" from both nodes to verify the transceiver info.
> debug system interface-xcvr-info aux-1

        Identifier          : 0x03 (SFP)
        Extended identifier : 0x04 (GBIC/SFP defined by 2-wire interface ID)
        Connector           : 0x07 (LC)
        Transceiver codes   : 0x10 0x00 0x000x00 0x00 0x00 0x00 0x00
                            :  => 10G Ethernet: 10G Base-SR
        Encoding            : 0x06 (64B/66B)
        BR, Nominal         : 10300MBd
        Rate identifier     : 0x00 (unspecified)
        Length (SMF,km)     : 0km
        Length (SMF)        : 0m
        Length (50um)       : 80m
        Length (62.5um)     : 20m
        Length (Copper)     : 0m
        Length (OM3)        : 300m
        Laser wavelength    : 850nm
        Vendor name         : OEM             
        Vendor OUI          : 00:00:00
        Vendor PN           : PAN-SFP-PLUS-SR 
        Vendor rev          : B4
Note: It is important to use only PAN Supported SFPs on the AUX port, as there may be driver compatibility issues otherwise. If the SFP is not recognized right away, we suggest rebooting the device and verifying that the SFP+ module is initialized properly, as in Step 3 above.
 
Enable AUX Ports for HA:
  1. Configure the IP addresses intended for HA1 or HA1-backup on the AUX-1/AUX-2 port under Device > Setup > Interfaces.
  2. Enable Ping as a service on the port. HA1 keepalives use ICMP and require it to work.

  3. Under the High Availability tab, change the HA1 or HA1-Backup port from the dedicated-ha ports to the aux ports. Do not configure IP addresses for the HA1 interfaces here; the settings are taken from what is configured under Device > Setup > Interfaces.
  4. Once this is done on both devices, commit the configuration on both devices.
  5. Verify the state of the HA1 link with the following command:
> show high-availability control-link statistics

Group 1: 
  Mode: Active-Passive
  Control Link Statistics:
    HA1:
      Messages-TX               : 42
      Messages-RX               : 42
      Capability-Msg-TX         : 0
      Capability-Msg-RX         : 0
      Error-Msg-TX              : 0
      Error-Msg-RX              : 0
      Preempt-Msg-TX            : 0
      Preempt-Msg-RX            : 0
      Preempt-Ack-Msg-TX        : 0
      Preempt-Ack-Msg-RX        : 0
      Primary-Msg-TX            : 0
      Primary-Msg-RX            : 0
      Primary-Ack-Msg-TX        : 0
      Primary-Ack-Msg-RX        : 0
      Hello-Msg-TX              : 42
      Hello-Msg-RX              : 42
      Hello-Timeouts            : 0
      Hello-Failures            : 0
      MasterKey-Msg-TX          : 0
      MasterKey-Msg-RX          : 0
      MasterKey-Ack-Msg-TX      : 0
      MasterKey-Ack-Msg-RX      : 0
      Connection-Failures       : 0
      Connection-Tries-Failures : 0
      Connection-Listener-Tries : 0
      Connection-Active-Tries   : 0
      Ping-TX                   : 334
      Ping-Fail-TX              : 0
      Ping-RX                   : 334
      Ping-Timeouts             : 0
      Ping-Failures             : 0
      Ping-Error-Msgs           : 0
      Ping-Other-Msgs           : 0
      Ping-Last-Rsp             : 0
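
The check above can be scripted. The following is an added example, not part of the original article or a Palo Alto Networks tool: it parses saved output of the command and lists counters worth a closer look. The rule set (failure, timeout and error counters should be zero; Hello-Msg-RX and Ping-RX should be non-zero) and the function names are assumptions made for illustration.

```python
import re

# Constructed sample in the format shown above, altered to show a degraded link.
SAMPLE = """\
Group 1:
  Mode: Active-Passive
  Control Link Statistics:
    HA1:
      Hello-Msg-TX              : 42
      Hello-Msg-RX              : 0
      Hello-Timeouts            : 3
      Connection-Failures       : 1
      Ping-TX                   : 334
      Ping-RX                   : 334
      Ping-Timeouts             : 0
"""

# Assumption: counters whose names contain these words should stay at zero.
BAD_WORDS = ("Timeouts", "Failures", "Fail-TX", "Error")
# Assumption: a working control link has received at least one of each.
MUST_BE_NONZERO = ("Hello-Msg-RX", "Ping-RX")

def parse_stats(text):
    """Return {link_name: {counter: int}} for each 'HA1:'-style block."""
    links, current = {}, None
    for line in text.splitlines():
        m = re.match(r"^\s*([\w-]+)\s*:\s*(\d+)\s*$", line)
        if m and current is not None:
            links[current][m.group(1)] = int(m.group(2))
            continue
        m = re.match(r"^\s*(HA1[\w-]*):\s*$", line)
        if m:
            current = m.group(1)
            links[current] = {}
    return links

def findings(text):
    """List (link, counter, value) tuples that warrant a closer look."""
    out = []
    for link, counters in parse_stats(text).items():
        for name, value in counters.items():
            if value and any(w in name for w in BAD_WORDS):
                out.append((link, name, value))
            elif not value and name in MUST_BE_NONZERO:
                out.append((link, name, value))
    return out

if __name__ == "__main__":
    print(findings(SAMPLE))
```

Run it against output captured from both firewalls; an empty list means none of the assumed rules fired.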

 


Additional Information


Note: Any debug commands must be run with caution. Refer to the Debug command article prior to running any debug commands.
