2 Iron

LAG to Firewalls won't Negotiate

I'm working on an HA project, but can't get the interfaces to negotiate.

2 x PA-3220 v8.1
2 x Dell N4032F switches, latest recommended firmware

The firewalls are set up for active/passive HA, and the switches are configured for MLAG and have a LAG set up to connect to the firewalls. The PA ae interface on the active firewall shows one physical interface as active, but the other is 'not active (negotiation failed)', resulting in an amber link state. I've checked all of the settings on both the PA and switches and it looks like it should be working.

What logs and settings should I check again?


Accepted Solutions
2 Iron

Re: LAG to Firewalls won't Negotiate

I opened a tech support case and was able to get this working by setting up a second port channel.

10 Replies
Moderator

Re: LAG to Firewalls won't Negotiate

Hi,

Are they LACP LAGs or static? Is it two ports for each of the firewalls?


Thanks,
DELL-Josh Cr
Dell EMC Enterprise Support Services
Get support on Twitter @DellCaresPRO
#IWork4Dell
2 Iron

Re: LAG to Firewalls won't Negotiate

Yes, LACP LAGs and 2 ports for each firewall.

Moderator

Re: LAG to Firewalls won't Negotiate

Can you try with just one port connected to each?


Thanks,
DELL-Josh Cr
2 Iron

Re: LAG to Firewalls won't Negotiate

Sorry, I misunderstood. Each firewall has a connection to each switch, so firewall 1 connects to switch 1 and switch 2 and firewall 2 connects to switch 1 and switch 2.

[Attached image: firewall core switch HA.png]

Moderator

Re: LAG to Firewalls won't Negotiate

The core switches are in an MLAG?


Thanks,
DELL-Josh Cr
2 Iron

Re: LAG to Firewalls won't Negotiate

Yes, the core switches are in MLAG with one partner switch in a LAG and uplinks to firewalls in a LAG.

Moderator

Re: LAG to Firewalls won't Negotiate

Does spanning-tree show anything blocking?


Thanks,
DELL-Josh Cr
2 Iron

Re: LAG to Firewalls won't Negotiate

I don't see any, but I do see this message on both core switches. This reads to me that the partner priority is 32768 which looks the same for Po14.

dot3ad_lacp.c(2284) 279767 %% WARN Interface Te1/0/12 partner priority 32768 is not same as existing members of LAG interface Po14 (32768). Not adding interface Te1/0/12 as active member of LAG interface Po14.

Moderator

Re: LAG to Firewalls won't Negotiate

Try changing it on both and see if that helps. 


Thanks,
DELL-Josh Cr