Palo alto ae1. It consists of the following steps: 1.
Palo alto ae1 The converted configuration gets - 245503. 168. - Go to Network > Interfaces, select Interface and go to Config > Security Zone. 111. Resolution 1. Created On 09/25/18 19:20 PM - Last Modified 01/17/24 17:30 PM. The AE1 bundle connects from each PAN device to an EX4200 virtual switch stack running a single AE bundle, "AE11". It is fully supported by Palo Alto to create Portchannel/Aggregate Ethernet LACP and use L3 or L3 subinterfaces, with their corresponding VLAN TAG without SDWAN. M (ae1) 3. 20 subinterface is tagged vlan 20 "DMZ", ae1. 1. The configuration for the Palo Alto firewall is done through the GUI as always. My question is, since ae interface is trunk, where do I On the firewall, go to the virtual system configuration. Cheks Overview. All routes defined in respective VRs. That's the interface where all guest hosts are connected and I want to set a bandwith limit of 50Mbps to this subinterface for the complete internet download traffic. 193730. 11), both located inside my LAN (trusted zone) through 2 different public IP addresses (200. traffic is able to pass from vys1-2 and back. set network interface aggregate-ethernet ae1 layer2 lacp enable yesset network interface ethernet ethernet1/3 aggregate-group ae1set network interface ethernet ethernet1/4 aggregate-group ae1set Hi, I'm thinking about put som vlans inside and Aggregate, and distribitute over various Vsys, as far I know, reading here in the community, it's possible use subAEinterfaces on different VSYS. 0 support SD-WAN on aggregated Ethernet (AE) interfaces so that an SD-WAN firewall in a data center, for example, can have an aggregate interface group (bundle) of I've usually used Juniper firewalls and juniper switches but recently moved over to Palo Alto's for the firewall, while keeping Juniper switches for the access and distro layer. 30 . Palo Alto Firewall. 6h24. Environment. ; Select either IPv4 or IPv6, indicating the type of DHCP server address you will specify. 
3 will be distribu Palo Alto Firewalls; Supported PAN-OS; High Availability Active/Passive; LACP pre-negotiation enabled. 6c0-. Filter Expand All | Collapse All. Download PDF. This is the configuration: admin@PA-500# show network interface ethernet ethernet1/1 ethernet So on both end devices (switch and Palo Alto), you will have port channel/aggregation of the interfaces. High Sticker View solution in original post. 1 and SD-WAN Plugin 2. 1 is the static RP(10. I am a litte leary of implementing this command due to the fact that I cannot find where this is documented. ; In ‘Network > Zones’ there is a list of the different configuration zones. 2. 116 ae1. Main interface is going to be "LAN", ae1. Adding an Aggregate Group and enabling LACP. Metgatz. Have seen some strange bugs related to ospf in previous releases. 6 1. Networks-VLANs: VLAN_100_101: AE1. Then create a subinterface off that PA’s ae1. ) The trans Identify the Port that is being dropped out and added back to the aggregation using GUI: Monitor > Logs > System. I have one device though (Juniper SRX) that has VPN tunnel terminations on it that have to be declared as the end-points, so I can't use different LAG entries to each of the Primary and Secondary PA. Entering configuration mode [edit] # set network interface ethernet ethernet1/1 link-state down A Layer 3 aggregated link has been created between the Palo Alto Firewall (Interface ae1 on each firewall) and the Cisco 4507R+E Switch (Port-Channel 1 & 2). delete network interface aggregate-ethernet ae1 layer3 units ae1. config: { Create a new Aggregate Ethernet ae1 (port channel) L3 interface on the PA. Issue : Palo Alto unable to route traffic into LACP trunked sub-interface vlans in VRFs. 998 . critical lacp ethern link-do 0 LACP interface ethernet1/5 moved out of AE-group ae1. 10 and still can connected to Gateway Core Router 172. 
So I put the Primary and Secondary PA connection points (AE0) into the same LAG (AE0 When an interface that is part of an existing QoS configuration is later configured to be part of a tunnel configuration (IPSec, GlobalProtect, etc. owner: ssastera Dear Sudhir, thes issuse this new created interface is not a part of any Zone to solve this issue assing this interface Interface ae2. 115). 82 . 201 subinterfaces, VLAN Select Network Interfaces Ethernet, highlight the aggregate interface, such as ae1, and click Add Subinterface; at the bottom of the screen. 123, ae1. Select the ethernet interface you would like to remap to ae, click on "remap" and select "ae1" , if there is subinterface on the original ethernet interface , it will auto remap to ae subinterface, ae1. Select the interface you want to shut down. Palo Alto Networks certified from 2011 0 Likes Likes Reply. 1. admin@PA-3050> show system state filter-pretty sw. Palo Alto / Arista LAG HOW-TO This is a quick guide on configuring a LAG (802. 1/24 set network profiles interface-management-profile Trust https yes set network profiles interface-management-profile Trust ssh yes Palo Alto: show lacp aggregate-ethernet ae1. Not sure if I would trust the routing functionally in Palo Alto enough to do that anyway. 12. 'ae1'). Is there supported to create virtual wire aggregate group ae1 with 3 physical interfaces and another ae2 with another 3 physical interfaces, then form virtual wire with ae1 and ae2. A Layer 3 aggregated link has been created between the Palo Alto Firewall (Interface ae1 on each firewall) and the Cisco 4507R+E Switch (Port-Channel 1 & 2). E1/1 mapped to ae1. You must also configure the aggregate group on the peer device. 673-1. IPv4 - assign the static IP for this group. Re-enabling POE will not fix the commit issue since an additional line is already added in the config. 1q VLAN tag . Mon Aug 28 18:26:41 UTC 2023. My Server Using VLAN1010 172. ae1) and adding these as tagged VLANS i. 2 REPLIES 2. 
Commit Fails when PBF Rule is Configured with Tunnel on Egress Interface. 200 and AE2. Selection state Selected . At least one side must be active. 883-. 1 ip-netmask 192. AE0, AE1) on the outside and inside equipment (Both Juniper). This specsheet is also available in: Palo Alto Firewalls; Supported PAN-OS; Commit ; Cause Overlapping Subnet is not supported unless the interfaces are in different virtual router. set network interface aggregate-ethernet ae3 layer3 units ae3. 140 . 40. 717-1. -----> PA node1 port eth1/14 (ae1) node1 port xe-1/0/0 (ae0) -----> PA node2 port eth1/14 (ae1) I'm using an active/passive on the PA so the aggregate is only setup set network interface aggregate-ethernet ae1 layer2 units ae1. Additional Information. 100 tag 100 set address 192. 3849 <value> name value So I create an ae1 interface out of ethernet/19 and 20. Selecting an inherited zone overrides the previous settings and removes any inherited objects. AE1. 3849 ae3. 114 and 200. 900 as a L3 interface with an IP address in that new routed transit vlan. Upcoming. 16. unless you are actually utilizing QoS policies all traffic is just going to map to class4 which is the default on the Palo Alto. LACP interface ethernet1/24 moved out of AE-group ae1 in General Topics 01-08-2023; GP with split tunnel and one single Domain added with a specific Port not working in GlobalProtect Discussions 03-09-2022; Kerberos SSO for Captive Portal in General Topics 01-12-2022; Palo Alto Networks PAFW1 ae1 port ethernet1/5 > QFX-VC ae0 port xe-1/0/42. 2 will be The downstream Cisco switch's will be trunking vlans to the Palo Alto. eth 1/5 and 1/6 are part of the ae1 aggregate group - 273712 674 1. It consists of the following steps: 1. moreover, my concern is at the last time the failover happen the passive device was not accessible as well as the traffic has stopped. 
Please differentiate between interface management profile - these are assigned to ETH1/x (and this is what you screenshot)- and the out-of-band MGMT interface configuration under device->setup-Interfaces. 2. References to ae subinterfaces (eg. Overlapping subnets are supported only when each overlapping interface/sub-interface is in a separate virtual router. 2 will be part of SYSTEM ALERT : critical : LACP interface ethernet1/21 moved out of AE-group ae1. But if you manage to get it working, it would be nice to know how 🙂 - Tor Symptom One of the firewalls in a High Availability pair (HA) moves into the "suspended" state due to Non-functional loop. Cisco Link Aggregation Traffic Through a Palo Alto Networks Device. Solved: AE1. Do i need to create any manual L2 VLAN inside ISE to support the Hi Expedition team Recently I had a project, which required changing a number of physical firewall interfaces to a single aggregated tagged sub-interfaces ( e. 1 -> 10. 19. 100 . 6V1. x interfaces. Palo Alto Networks; Support; Live Community; Knowledge Base; PAN-OS OpenConfig Administrator’s Guide: Manage LACP. In the Custom DHCP Options section, Add a descriptive Name to identify the DHCP option. 14 We have that PA in our organization - 394104. Q: Is there an easy way to migrate over replacing the Interfaces for all the NAT rules, IKE Customer requirement is SPAN traffic from Palo Alto on temporary basis to perform POC on NAC. changed to ae1. 1 and above. ae3. 20. All the 10. L1 Bithead In response to Raido_Rattameister. my idea is to create an aggregate interface (ae1) and create sub-interfaces for the individual zone. (If both sides are passive, it won’t work. 1 Like Like Reply. 950 PIM Register tunnel 233. 350 ae6. This is the same the way we provide uplinks between two switches through port/ether channel. ; If you checked IPv4, in the DHCP Server IP Address field, Add the address of the DHCP server to and from which you will Aggregate "ae1" and "ae2" configuration. 
1 with VLAN10. 7 27. Build ae1. For Interface Name, enter a number after the period, Select the Vendor as Palo Alto Networks DDNS. 0 support SD-WAN on aggregated Ethernet (AE) interfaces so that an SD-WAN firewall in a data center, for example, can have an aggregate interface group (bundle) of It is configured with an agregated interface with LACP enabled (mode active, transmission rate Fast). PAFW2 ae1 port ethernet1/4 > QFX-VC ae1 port xe-0/0/43 PAFW2 ae1 port ethernet1/5 > QFX-VC ae1 port xe-1/0/43. g. Selection state Unselected(Link down)' ) ( description contains 'LACP interface ethernet1/3 moved out of AE-group ae1. 3. Options > debug dataplane packet-diag set filter match ingress-interface ae1. If the routing (and/or GUI. (Not modelled in lab) I am looking to see the commands to check bgp configuration on palo alto 5050 Software version 8. Add this interface into the same zone that currently faces the core. 0/0 Symptom. log 2019-09-27 Between Distribution Switch and Server Switch I Installed Palo Alto to translate VLAN10 to VLAN1010. sel state Unselected(Negotiation failed) Issue Commit on the Palo Alto Networks device fails when PBF (Policy Based Forwarding) rule is configured with a tunnel as egress interface. Palo: ae1 = ethernet1/17 & ethernet1/18; Cisco: po1 = Gi1/0/1 & Gi1/0/2; Never forget that all physical interfaces MUST share the same parameters, such as speed & duplex, VLANs, etc. interface GigabitEthernet 1/21 # set network interface aggregate-ethernet ae1 layer2 units ae1. 6-1. 83 0-1. interface type - Layer 3 4. I decided to use Expedition “interface re-mapping” option. This implementation will use two zones; a public (defaults to Defaults for LACP configurations are: Interval: Slow, Mode: Passive, and system priority: 32768 What is an easy way to find and replace Palo Alto interfaces? Let's say for example I am combining a bunch of interfaces such as ethernet1/9 and ethernet 1/10 into an aggregation group (i. 
The above topology illustrated shows VLANs 10, 11,12 and 2 managed by a Cisco Catalyst 4507R+E Switch and are all part of OSPF Area 0 and visible as routes in the Palo Alto Firewall. For the example above, the passive firewall needs to have the Jumbo Frame enabled. am seeing that the aggregate group (ae1) got the actor's virtual mac but it is flapping because peer is configured on fast rate and firewall is requesting for the next packet again in few seconds. 0 and SD-WAN Plugin 2. CLI > configure. The LACP aggregate interface on the Cisco switch / Firewall did not come up during this time, which resulted in a longer than Issue : Palo Alto unable to route traffic into LACP trunked sub-interface vlans in VRFs. Focus. 505 Configure both active and passive Palo Alto Networks firewalls to have Jumbo Frame setting enabled. e. Refer to the documentation of that The configuration for the Palo Alto firewall is done through the GUIas always. 21 subinterface is tagged vlan 21 "DMZ2" for now at least. 123. 83 0 1. 1 has 10. 0. Create a new Aggregated-Ethernet Interface , ex: ae1 . 104. 1/24) and ae1. vlan red and vlan blue. Configure both active and passive Palo Alto Networks firewalls to have Jumbo Frame setting enabled. 1ad LACP) between a PAN-5060 firewall and an Arista switch. 0, LACP Pre-negotiation is supported on all platforms except VM Series. 40 . dev. 2, 1. Aggregate Interface Down on Passive Device - Knowledge Base - Palo Alto Networks . 25. This subreddit is for those that administer, support or want to learn more about Palo Alto Networks firewalls. 3 in HA We recently had a failover event during a normal upgrade of the firewall (10. LACP (Link Aggregation Control Protocol) configured. ), the Palo Alto Networks device expects QoS to be applied to the tunnel traffic. What I can't do is apply QoS profile to these subinterfaces. Virtual Router Configure a Layer 2 or Layer 3 subinterface. 30, . Mark as New; [ ae1 ae1. 
Source : Security Zone – When aggregation interface ae1. (1/5, 1/7, 1/9) The AE1 bundle mounts a number of L3 subnets that act as default gateways for downstream servers. 2 x PA-3220 v8. 130 10 A S ae1 Palo Alto Networks; Support; Live Community; Knowledge Base; PAN-OS OpenConfig Administrator’s Guide: Manage LACP. On Lab70-50-PA-5060 ae1 was created and was assigned to ethernet 1/7 while ae2 was created and assigned to ethernet 1/8, which was misconfigured. AE1. When aggregation interface ae1. 504-1. 3). 95. Apply the default/custom QoS profile to the tunnel traffic and the commit should succeed. On the passive firewall output for the AE1 :- I noticed that the prenegotiation is enabled but I didn't get the partner ( description contains 'LACP interface ethernet1/1 moved out of AE-group ae1. Selection state Selected 2015/03/08 19:55:45 critical lacp ethern lacp-up 0 LACP interface ethernet1/2 moved into AE-group ae1. interface. system log shows ( severity neq informational ) and ( eventid eq nego-fail ) and ( description contains 'LACP interface ethernet1/21 moved out of AE-group ae1. 505 1. It consists of the following steps: Adding an Aggregate Group and (Optional) Configure a vendor-specific or custom DHCP option that the DHCP server sends to its clients. Palo Alto and Microsoft NLB multicast in Next-Generation Firewall Discussions 01-10-2024; Aggregate interace behaviour in Next-Generation Firewall Discussions 01 Physical firewalls running PAN-OS 11. Go to solution. A device reboot is required for the changes to take effect Hello everyone. owner: sdarapuneni 233. 100 and AE2. 9. I need to publish 2 webservers (192. Thomasevig. 4c0 . AE10. Shadow. 1/24 assigned to it. 100 ]commit. From CLI you can do this way . Hello, We are getting below messages on and off for our HA pair. 
It doesn't matter what name or VLAN ID I give the interface, it does not allow to deploy the template to the devices. Palo Alto recommends using a single ae interface for all links and enabling LACP to reduce time to recovery and enable communication on active/standby ports on the ae. sw. 20, . 2 on the Palo Alto Firewall is configured to be part of the DMZ Security Zone, all networks learnt by the OSPF routing protocol on interface ae1. I incorrectly made this a layer2 interface and I need IP's on each of these and make it a layer 3 to do a little routing too. ); If the Option Code is 43, the Vendor Class Identifier field appears. Debug log output PA(passive) AE1 ===== cisco-2 switch (Etherchanel 20) Is the connection and configuration is correct or i should create 2 channels from Paloalto side like this example? 0 Likes Likes Palo Alto Networks certified from 2011 View solution in original post. Selection state Unselected(Link down)' ) ( description contains 'LACP interface ethernet1/2 moved out of AE-group ae1. 10 and 192. table of the interface is properly populated. 117 ae1. How to Enable/Use/Disable/Check Jumbo Frame Support on a Palo Alto Networks Firewall. Controlling failover for an aggregate interface can be achieved through a monitoring profile on the HA (High Availability) configuration. Wed Nov 20 20:28:26 UTC 2024. port-channel1 and port-channel2 and on the Hi, I am preparing to migrate configuration from cisco FWSM to Palo Alto 5250 which is managed by Panorama. Then, the question is, on wich VSYS must be the physical interface AE1? AE1. 884. you would have interfaces e. 1q VLAN tag Web UI: CLI # set network interface aggregate-ethernet ae1 layer2 units ae1. The mode decides whether to form a logical link in an active or passive way. Go to Network > Interface. Additional Physical firewalls running PAN-OS 10. critical lacp ethern link-do 0 LACP interface ethernet1/1 moved out of AE-group ae1. L2 Linker Options. 
Selection state Unselected(Link down) info port ethern link-ch 0 This article provides information about a Commit Failure with "Error: NetFlow profile NetFlow-Server-Profile used on interface ethernet1/3 without a valid servi Palo Alto Networks ® PA-5200 Series of next-generation firewall appliances is comprised of the PA-5280, PA-5260, PA-5250 and PA-5220. To 3 ports per device form part of an aggregated Ethernet bundle, "AE1", making up the "Trust" zone. . Updated on . 456 . LACP: ***** AE group: ae1 Members: Bndl Rx state Mux state Sel state ethernet1/1 yes Current Tx_Rx Selected ethernet1/2 yes Current Tx_Rx Selected Status: Enabled Mode: Active Rate: Fast Max-port: 8 Fast-failover: Disabled Pre-negotiation: Disabled Local: System Priority: 32768 System MAC: d4:f4:be Turn off LACP on Palo Alto, using "mode on" on Cisco, and Passive Link State set to Auto instead of Shutdown on Palo Alto, fail over time is about 10 seconds. 10. 58, sender mac 00:50:56:9b:71:fe Anatomy of the Palo Alto Networks Firewall¶. Add 2-4 ports on the PA 220 as AE (vs L2/L3/tap/HA) interfaces, joined This subreddit is for those that administer, support or want to learn more about Palo Alto Networks firewalls. 10. Remo. 2 will be Hi . pinging some devices across these networks . This article provides information about Aggregate Ethernet (AE) interface showing down on Passive Firewall even when the This procedure describes configuration steps only for the Palo Alto Networks firewall. x . With PBF monitoring, the keepalives are sent using egress interface as source. 'ae1. Getting Palo Alto Firewalls; Supported PAN-OS; Policy-Based Forwarding (PBF) Monitoring enabled with Public IP; Cause. The PA ae inte Between Distribution Switch and Server Switch I Installed Palo Alto to translate VLAN10 to VLAN1010. PAN-OS 7. 938c-. Options. 
We do have template override on the devices for that interface, however I cannot create it manually on the devices because then I I am designing a new network for a client and they have lots of zones. x and AE2. Then commit the configuration. Specify the following information for each interface that you assign to the group. 4). 393 +0100 log ethernet1/10 idx 25 leaves lag. 0/8 routes are served by this sub - 421712. Filter [name=ae1]/lacp-mode:::string:::ACTIVE -u admin -p password -e JSON_IETF --timeout 30s. Resolution. 1, AE2. In ‘Network > Interfaces’ there is a list of physical interfaces as well as aggregated physical interfaces which are used for managing traffic in and out of the Palo Alto Networks Firewall device. These interfaces are attacheced to a procurve 5406 where the We are getting "LACP interface ethernet1/24 moved out of AE-group ae1" through syslog (emailed) multiple times in a day on PA 3410 running on PAN OS 10. Configure the appropriate aggregate for Lab70 Palo Alto Networks Approved Community Expert Verified Aggregate interface per cli Go to solution. i. Is there any additional configuration required to make the ae1 interface to allow traffic in all VLANs and act as trunk? 4. Selection state Unselected(Link down) critical lacp ethern link-do 0 LACP interface ethernet1/6 moved out of AE-group ae1. Commit the changes. Selection state Selected' ) and ( receive_time leq '2019/03/01 11:50:57' ) 2023-01-01 05:10:30. If you enabled Link Aggregation Control Protocol (LACP) for the AE interface group, select the Starting PAN-OS 9. SPAN the traffic as mentioned below, so that a cable will be connected from Palo Alto to the server to get mirrored traffic from router zone. 504-. The following is. I want to know where to specify the VLAN tag and whether or not I have to put the parent ae interface in to a zone and vwire. (See RFC 2132 for option codes. 
950 PIM Register tunnel When moving to Palo Alto in PIM Sparse mode it was necessary for the receiver to actively participate in the multicast group, without that, the entire multicast tree would not be established, once the application To show only static routes: kcordero@tpa-pa-inet_passive(active)> show routing route type static flags: A:active, ?:loose, C:connect, H:host, S:static, ~:internal, R:rip, O:ospf, B:bgp, Oi:ospf intra-area, Oo:ospf inter-area, O1:ospf ext-type-1, O2:ospf ext-type-2 VIRTUAL ROUTER: VR_Inet-Cluster (id 2) ===== destination nexthop metric flags age interface next-AS 0. 50') can remain and don't need to be removed. Created On 09/25/18 17:36 PM - Last Modified 06/12/23 16:50 PM In my lab, I tested it with ae1 having two interfaces 1/7 and 1/8. 0 Likes Likes Reply. Steve Puluka BSEET - IP Architect - DQE Communications (Metro Ethernet/ISP) Palo Alto Networks; Support; Live Community; Knowledge Base > Configure QoS. We are not officially supported by Palo Alto Networks or any of its employees. Click OK. config- virtual router > default security zone > Internal Zone 5. 3020 to any zone as per you network design. Apply an SD-WAN Interface Profile to the subinterface. L7 Applicator In response to MP18. Using Packet captures, verify if the LACP PDUs are critical lacp ethern lacp-up 0 LACP interface ethernet1/7 moved into AE-group ae1. 40828. 23. A device reboot is required for the changes to take effect In our setup we have say aggregate interface ae1 and we have applied management profile to ae1. <value> name value; Assign 802. 
e1/21 is connected to swtich 1 and e1/22 is connected to switch two via port Hi there, I'd like to set up a PA-5060 with an aggregate Layer 3 ethernet interface with no address: Aggregate Interface Name: ae1 Type: Layer 3 Address: (none) Virtual Router: (none) Tag: (none) Security Zone: (none) and then add subinterfaces to it, each of which have their own IP address range Specify the IP address of each DHCP server with which the DHCP relay agent will communicate. The device which has a higher priority and a lower value, moves into this state of suspended (Non-functional loop detected) A Layer 3 aggregated link has been created between the Palo Alto Firewall (Interface ae1 on each firewall) and the Cisco 4507R+E Switch (Port-Channel 1 & 2). The other option is you can manually create Interfaces in firewall or Panorama This document describes how to enable, use (on an interface), disable, and check jumbo frame support on the Palo Alto Networks firewall. 197. Selection state Unselected(Link My subinterface is ae1. Go to Devive > Setup > Session; In the Session Settings section, check the Enable Jumbo Frame option. 6H1. 1 10. Next-Generation Firewall Docs. Eg, Received conflicting ARP on interface ethernet1/1 indicating duplicate IP 172. 1 tag <value> <1-4094> 802. Enter the Option Code you want to configure the server to offer (range is 1-254). 101 subinterfaces, VLAN_200_201: AE1. Receiving conflicting ARP log messages on an interface on the firewall. I have already created aggregate and its subinterfaces and are disabled, added fake IP/s routes and created NAT rules using new interfaces, to make it easier on the change day. critical lacp ethern lacp-up 0 LACP interface ethernet1/8 moved into AE-group ae1. 999. mp l2ctrld. L4 Transporter 2015/03/08 19:55:44 critical lacp ethern nego-fa 0 LACP interface ethernet1/2 moved out of AE-group ae1. 0/22 172. Tue Oct 03 16:27:23 UTC 2023. 
I'm working on an HA project, but can't get the interfaces to negotiate. In the Interface field, select the interface you want to be the DHCP relay agent. vwire 2 - E1/3 mapped to ae1. Each switch VRF is a Zone on the PA. 1, 1. the ae1 link seems to be down despite the arp . 2 on the Palo Alto Firewall is configured to be part of the DMZ Security Zone , all networks learnt by the OSPF routing protocol on interface ae1. ae1. 100 vlan. 10, . Palo Alto DHCP Relay Stops Working After Never tried exactly the same scenario as you are describing though. Yeah, are both ports on the switch connected to the AE1 on the firewall. ethernet1/1,1/2, 1/3, etc. For all vsys, remove any reference to the root ae interface (eg. PAN ports e1/21-e1/22 are aggregated into ae1 interface on PASSIVE mode. They are L3 perfectly valid although fake IPs. If so port Group 22 should not be used, both swithc ports in same group. 1 2 x Dell N4032F switches latest recommended firmware The firewalls are setup for active/passive HA and the switches are configured for MLAG and have a LAG setup to connect to the firewalls. a client behind INT Firewall is able to ping/tracert all AE1. config (Notice how 1/7 and 1/8 are still at 1500.