Error:
An unexpected error occurred. Please click Reload to try again.
Error:
An unexpected error occurred. Please click Reload to try again.
Why should LACP Pre-negotiation be disabled on HA Active/Passiv... - Knowledge Base - Palo Alto Networks

Why should LACP Pre-negotiation be disabled on HA Active/Passive L3 firewalls neighboring a single switch?

19749
Created On 08/01/20 23:42 PM - Last Modified 04/22/24 21:50 PM


Question


Why should LACP Pre-negotiation be disabled on HA Active/Passive L3 firewalls neighboring a single switch?

Environment


  • PANOS versions: 8.1.x, 9.0.x, 9.1.x, 10.0.x
  • Active/Passive HA firewall with L3 interfaces enabled neighboring a single L3 switch
  • Topology
User-added image
  • LACP Pre-negotiation is enabled on Active HA firewall and Passive-HA firewall
User-added image

Answer


  1. With LACP pre-negotiation enabled, ports on both Active and Passive firewalls will send/process LACP PDUs and neighboring device observe both physical ports of ae interface are UP.
  2. This causes neighboring device to send traffic to either one of those physical links as both are part of ae interface.
  3. Any traffic going towards Passive firewall will be blackholed and result in network outage/ high latency.
Other users also viewed:
How to download GlobalProtect from the Customer Support Portal
Download and Install the GlobalProtect App for Windows
Resource List: GlobalProtect Configuring and Troubleshooting
PAN-OS Software Updates
Where to find the current preferred software versions? (PAN-OS, GlobalProtect, User-ID Agent, Plugins)
Results 1-5 of 239,070
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u0000008V36CAE&lang=en_US%E2%80%A9&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Choose Language