Question

LACP issue Between Extreme and PaloAlto

  • 28 March 2019
  • 3 replies

I have an X670-G2 Stack running 21.1.4.4-patch1-6.xos

This connects to a PaloAlto Firewall using a lacp lag group. Things have been running well for 220 days without issue.

This morning the district lost internet and PaloAlto claims it was a switch problem. Looking at the switch I see the below info message:
Slot-1: Remove port 1:17 from aggregator

Full log segment:
03/28/2019 08:54:36.83 Slot-1: Add port 2:18 to aggregator
03/28/2019 08:54:36.83 Slot-1: Add port 1:17 to aggregator
03/28/2019 08:54:34.34 Slot-1: Port 2:18 link UP at speed 1 Gbps and full-duplex
03/28/2019 08:54:33.79 Slot-1: Port 1:17 link UP at speed 1 Gbps and full-duplex
03/28/2019 08:54:30.61 Slot-1: Port 2:18 link down
03/28/2019 08:54:30.08 Slot-1: Port 1:17 link down
03/28/2019 08:52:54.92 Slot-1: Port 2:18 link UP at speed 1 Gbps and full-duplex
03/28/2019 08:52:53.37 Slot-1: Port 1:17 link UP at speed 1 Gbps and full-duplex
03/28/2019 08:51:20.09 Slot-1: Port 1:17 link down
03/28/2019 08:51:19.68 Slot-1: Port 2:18 link down
03/28/2019 08:49:57.46 Slot-1: Remove port 2:18 from aggregator
03/28/2019 08:49:57.40 Slot-1: Remove port 1:17 from aggregator

I of course want to say it was the firewall's fault, but am not certain how to interpret the message.
Why was the port removed from the aggregator?


Looking at the below output it seems as though the PaloAlto is not responding at the same rate the Extreme does. Could this imbalance have led to the link resetting?

Lag    Member  Rx      Rx Drop  Rx Drop  Rx Drop   Tx       Tx
Group  Port    Ok      PDU Err  Not Up   Same MAC  Sent Ok  Xmit Err
--------------------------------------------------------------------------------
1:3    1:3     651003  0        0        0         651051   0
       1:4     0       0        0        0         0        0
       2:3     0       0        0        0         0        0
       2:4     651005  0        0        0         651053   0

1:17   1:17    1160    0        0        0         34740    0
       1:18    0       0        0        0         0        0
       2:17    0       0        0        0         0        0
       2:18    1160    0        0        0         34739    0

Thanks for your help,
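An added example, not from the original post: a small parser for the LACP counter table above that reads each member's Rx Ok and Tx Sent Ok columns and interprets the ratio against the 802.1AX periodic timers (one LACPDU per second for a short timeout, one per 30 seconds for a long timeout), so a roughly 30:1 skew is recognised as a timeout mismatch between the two peers rather than as lost PDUs. The counter values are the ones in the post; the column layout and re-alignment are assumptions.

```python
import re

# Constructed input: the LACP counter rows from the post, re-aligned (values unchanged).
COUNTERS = """\
1:3    1:3     651003  0        0        0         651051   0
       1:4     0       0        0        0         0        0
       2:3     0       0        0        0         0        0
       2:4     651005  0        0        0         651053   0
1:17   1:17    1160    0        0        0         34740    0
       1:18    0       0        0        0         0        0
       2:17    0       0        0        0         0        0
       2:18    1160    0        0        0         34739    0
"""

# 802.1AX periodic transmission: a peer sends one LACPDU per second when the other
# side advertises a short timeout, one per 30 seconds when it advertises a long one.
SLOW_TO_FAST = 30

ROW = re.compile(r"^(?:(\d+:\d+)\s+)?(\d+:\d+)" + r"\s+(\d+)" * 6 + r"$")

def parse_counters(text):
    """Return {port: (group, rx_ok, rx_drop_total, tx_ok, tx_err)}; a blank group
    column means the row belongs to the group named on the previous row."""
    members, group = {}, None
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # header or separator lines
        group = m.group(1) or group
        rx_ok, d1, d2, d3, tx_ok, tx_err = (int(x) for x in m.groups()[2:])
        members[m.group(2)] = (group, rx_ok, d1 + d2 + d3, tx_ok, tx_err)
    return members

def classify(rx_ok, rx_drop, tx_ok):
    """Explain a member's Rx/Tx counters in terms of LACP timers rather than loss."""
    if rx_ok == 0 and tx_ok == 0:
        return "idle"                # never exchanged PDUs: not an active member
    if rx_ok == 0:
        return "no-partner-pdus"     # we send, nothing comes back: peer not running LACP
    if rx_drop:
        return "dropping-pdus"       # PDUs arrive but are discarded: inspect the drop columns
    ratio = tx_ok / rx_ok
    if abs(ratio - 1) < 0.25:
        return "symmetric"           # both sides on the same periodic timer
    if abs(ratio - SLOW_TO_FAST) < 3:
        return "partner-slow"        # we send every 1 s, partner every 30 s: timeout mismatch
    return "irregular"               # no timer explains it: correlate with link flaps

def report(text):
    return {port: classify(rx, drop, tx) for port, (_, rx, drop, tx, _) in parse_counters(text).items()}
```

A timeout mismatch is legal under LACP and on its own does not take a port out of the aggregator; it only means the two peers have asked each other for different rates.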

3 replies

Not that I know, but with all the recent PANOS updates, has anything changed?
Are the Palos perhaps similar to Ciscos where you have to put something like "configure sharing lacp system-priority 32768" in the config to make everyone happy?

Sorry, just guessing - my PAs don't run LACP.

Frank
Frank,

Thanks for the reply, I was thinking the same thing as you.

We are waiting to hear back from PA on how they want the link configured, and was hoping perhaps someone here had encountered this issue and ironed out the config already.

The weirdest part to me is that it has run fine for 220 days before becoming an issue. I spoke with the customer today and confirmed there have been no code changes on the PA and I know there have not been any changes on the Extreme.

I will post the final config once we get it figured out.

David,

We run 7050s, LACP to cores and OSPF to our ISP. During a DDoS attack the dataplane was saturated and our 7050s weren't able to maintain LACP to our cores.

Active 7050s system log had...
LACP interface ethernet7/21 moved out of AE-group ae1. Selection state Selected

HTH
Nabil
