AOS-CX Switch Simulator

  • 1.  6300M Lag

    Posted Nov 20, 2025 03:33 AM
    Aruba 6300M LAG issue

    Hi, recently we have set up new 6300M series switches and made them core switches. 

    We have set up 2 nos. checkpoints as ClusterXL, and at each checkpoint, both firewalls have bond interfaces where we can pull each firewall's 2 nos. cables to connect our 6300M switches.

    Our vendor has created Lag100 and configured it on each switch.

    But on checkpoint one, the firewall device bond is showing up and the 2nd firewall bond is showing down.

    Some output below.

    -CSW# show lacp interfaces

    State abbreviations :
    A - Active P - Passive F - Aggregable I - Individual
    S - Short-timeout L - Long-timeout N - InSync O - OutofSync
    C - Collecting D - Distributing
    X - State m/c expired E - Default neighbor state

    Actor details of all interfaces:
    ----------------------------------------------------------------------------------
    Intf    Aggr    Port  Port  State   System-ID          System  Aggr  Forwarding
            Name    Id    Pri                              Pri     Key   State
    ----------------------------------------------------------------------------------
    1/1/23  lag100  24    1     ASFNCD  e8:1c:a5:cd:08:40  65534   100   up
    1/1/24  lag100  25    1     ASFO    e8:1c:a5:cd:08:40  65534   100   lacp-block
    2/1/23  lag100  88    1     ASFNCD  e8:1c:a5:cd:08:40  65534   100   up
    2/1/24  lag100  89    1     ASFO    e8:1c:a5:cd:08:40  65534   100   lacp-block
    1/1/21  lag101  22    1     ASFNCD  e8:1c:a5:cd:08:40  65534   101   up
    2/1/21  lag101  86    1     ASFO    e8:1c:a5:cd:08:40  65534   101   lacp-block
    1/1/22  lag102  23    1     ASFNCD  e8:1c:a5:cd:08:40  65534   102   up
    2/1/22  lag102  87    1     ASFO    e8:1c:a5:cd:08:40  65534   102   lacp-block


    Partner details of all interfaces:
    ----------------------------------------------------------------------------------
    Intf    Aggr    Port  Port  State   System-ID          System  Aggr
            Name    Id    Pri                              Pri     Key
    ----------------------------------------------------------------------------------
    1/1/23  lag100  2     255   ALFNCD  d2:e6:09:c1:c8:0d  65535   9
    1/1/24  lag100  2     255   ALFN    74:8b:80:dc:bb:3d  65535   9
    2/1/23  lag100  1     255   ALFNCD  d2:e6:09:c1:c8:0d  65535   9
    2/1/24  lag100  1     255   ALFN    74:8b:80:dc:bb:3d  65535   9
    1/1/21  lag101  48    1     ASFNCD  9c:37:08:da:d8:00  65534   101
    2/1/21  lag101  48    1     ASFO    9c:37:08:da:c9:00  65534   102
    1/1/22  lag102  49    1     ASFNCD  9c:37:08:da:c9:00  65534   102
    2/1/22  lag102  49    1     ASFO    9c:37:08:da:d8:00  65534   101

     

    CSW# sh run int lag 100
    interface lag 100
    description Firwall
    no shutdown
    no routing
    vlan trunk native 15
    vlan trunk allowed all
    lacp mode active
    lacp rate fast
    exit

    CSW# show vsf

    Force Autojoin : Disabled
    Autojoin Eligibility Status: Not Eligible
    MAC Address : e8:1c:a5:cd:08:40
    Egress Shape Rate : None
    Secondary : 2
    Topology : Ring
    Status : No Split
    Split Detection Method : None


    Mbr  Mac Address          type            Status
    ID
    ---  -------------------  --------------  ---------------
    1    e8:1c:a5:cd:08:40    R8S89A          Conductor
    2    e8:1c:a5:cd:69:80    R8S89A          Standby

     

    VSF was configured by the vendor as automatic, not manual.

    Can anyone suggest how to rectify this issue?



    -------------------------------------------


  • 2.  RE: 6300M Lag

    Posted Nov 20, 2025 05:35 AM

    Hi, not an expert about Check Point ClusterXL but a requirement of any LAG (LACP or not) is that the "peering device" (your Firewalls' Cluster) acts and presents itself to peers (in this case your Aruba VSF made of two Aruba CX 6300M switches) as a single logical entity (and not as two separate logical entities as it would happen when the Cluster works with two devices not virtualizing their features to connected peers). That's a basic LAG requirement. So a LAG from a VSF Virtual Stack (or a standalone Switch or an Aruba CX VSX Cluster) can successfully connect to another standalone Firewall or Switch (through LAG), to another VSF (Aruba CX Virtual Stack through LAG) or to a VSX (Aruba CX Cluster through Multi-Chassis LAGs) or to any other form of single logical entity which supports LAG BUT NOT to two separate devices, each one with its own logical identity (not masked to peers).

    -------------------------------------------
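
Added example (not part of any post in this thread): a check for the requirement described in reply 2, that every member port of a LAG must see the same LACP partner. It parses the partner rows copied from the show lacp interfaces output in the first post and reports each aggregate whose ports report more than one partner System-ID/key pair; the function names are this example's own.

```python
import re
from collections import defaultdict

# Partner table rows copied from the "show lacp interfaces" output in the first post.
PARTNER_ROWS = """\
1/1/23 lag100 2 255 ALFNCD d2:e6:09:c1:c8:0d 65535 9
1/1/24 lag100 2 255 ALFN 74:8b:80:dc:bb:3d 65535 9
2/1/23 lag100 1 255 ALFNCD d2:e6:09:c1:c8:0d 65535 9
2/1/24 lag100 1 255 ALFN 74:8b:80:dc:bb:3d 65535 9
1/1/21 lag101 48 1 ASFNCD 9c:37:08:da:d8:00 65534 101
2/1/21 lag101 48 1 ASFO 9c:37:08:da:c9:00 65534 102
1/1/22 lag102 49 1 ASFNCD 9c:37:08:da:c9:00 65534 102
2/1/22 lag102 49 1 ASFO 9c:37:08:da:d8:00 65534 101
"""

ROW = re.compile(
    r"^\s*(?P<intf>\d+/\d+/\d+)\s+(?P<lag>lag\d+)\s+\d+\s+\d+\s+(?P<state>[A-Z]+)\s+"
    r"(?P<sysid>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+\d+\s+(?P<key>\d+)\s*$"
)

def parse_partner_rows(text):
    """Return one dict per partner row; header and separator lines are skipped."""
    return [m.groupdict() for m in map(ROW.match, text.splitlines()) if m]

def split_lags(rows):
    """Map each LAG whose ports see more than one partner (System-ID, key) to its ports per partner."""
    by_lag = defaultdict(lambda: defaultdict(list))
    for r in rows:
        by_lag[r["lag"]][(r["sysid"], r["key"])].append((r["intf"], r["state"]))
    return {lag: dict(p) for lag, p in by_lag.items() if len(p) > 1}

def report(findings):
    """Render the findings as text, one line per LAG and one per partner."""
    lines = []
    for lag, partners in sorted(findings.items()):
        lines.append(f"{lag}: {len(partners)} distinct LACP partners on one aggregate")
        for (sysid, key), ports in partners.items():
            # C and D in the state column mean the partner is collecting and distributing
            members = ", ".join(
                f"{i} ({'C/D' if 'C' in s and 'D' in s else 'no C/D'})" for i, s in ports)
            lines.append(f"  partner {sysid} key {key}: {members}")
    return "\n".join(lines)

if __name__ == "__main__":
    print(report(split_lags(parse_partner_rows(PARTNER_ROWS))))
```

On the rows from the first post it reports lag100, lag101 and lag102, each with two different partner System-IDs.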



  • 3.  RE: 6300M Lag

    Posted Nov 20, 2025 08:37 AM

    Hello @Vikash.giri

    I reviewed the configuration you shared. You tried to carry two different firewalls within the same lag. Logically, I recommend connecting the ends of each firewall connected to the 6300m side to different lag groups. I will share the recommended configuration below. Please try this and share the result. 

    config terminal
    !
    ! Remove the four ports from the existing LAG100 first
    interface 1/1/23
     no lag 100
    interface 1/1/24
     no lag 100
    interface 2/1/23
     no lag 100
    interface 2/1/24
     no lag 100
    !
    ! LAG100 for CP1
    interface lag 100
     description CP1_inside
     no shutdown
     no routing
     vlan trunk native 15
     vlan trunk allowed all
     lacp mode active
     lacp rate fast
    exit

    interface 1/1/23
     no shutdown
     no routing
     lag 100
    exit

    interface 2/1/23
     no shutdown
     no routing
     lag 100
    exit

    ! LAG101 for CP2
    interface lag 101
     description CP2_inside
     no shutdown
     no routing
     vlan trunk native 15
     vlan trunk allowed all
     lacp mode active
     lacp rate fast
    exit

    interface 1/1/24
     no shutdown
     no routing
     lag 101
    exit

    interface 2/1/24
     no shutdown
     no routing
     lag 101
    exit

    -------------------------------------------



  • 4.  RE: 6300M Lag

    Posted Nov 21, 2025 08:11 AM

    Hello @Vikash.giri

    I'm glad the issue was resolved after creating and testing a new lag :) 

    -------------------------------------------