06-25-2026 09:42 AM - edited 07-01-2026 02:50 PM
We have a stack of 3 Cisco switches connected to Palo Alto firewalls in HA via an LACP EtherChannel.
Firewall 1 has links to Gi1/0/23 and Gi3/0/11
Firewall 2 has links to Gi2/0/23 and Gi3/0/13
We have the LACP rate set to slow and configured lacp fast-switchover on the port-channel interfaces.
We did failover testing, and when switch 3 was powered off the active firewall brought all of its port-channel links down and failed over to the passive firewall.
This is causing a lot of ping drops.
When switch 1 or switch 2 is powered off while active, we see only one ping drop.
We shut the ports Gi3/0/11 and Gi3/0/13 one by one and repeated the failover testing; still the same results.
We configured lacp rate fast and spanning-tree portfast trunk on the port channel; still the same issue.
Please help us fix this.
06-25-2026 10:15 AM
Do the Palo Alto logs show anything different between when SW3 is removed vs SW1 or SW2? Based on your topology, removing SW3 kills a link on both PAs at once. I suspect something is renegotiating in that instance that doesn't happen when you just pull SW1 or SW2.
06-25-2026 11:24 AM
Is SW3 the active master?
Is your stack also configured not to change the stack's MAC if there is a stack master failure?
BTW, it's often helpful if you identify the specific switch models and the IOS version being used.
06-28-2026 01:02 PM
Hello @grapevine ,
First of all, check who is the master in the stack with
show switch
As suggested, you should implement MAC address persistency so that even if the master changes there is no impact, including on STP.
Hope to help
Giuseppe
06-28-2026 02:24 PM
@grapevine, as you haven't answered my questions, I cannot answer yours with high assurance. However, what I suspect (and likely @Giuseppe Larosa does too) is that there can be a noticeable difference in operational impact between a non-master stack member failing vs. the stack master failing. The latter, i.e. a stack master failure, can be more impactful, as it's the operational brains of the stack.
One issue: on many stacks, if the stack master fails, by default the stack uses a new MAC for stack operation. However, there's often a configuration option to retain the original stack MAC even when the stack master fails. This often mitigates the impact of a stack master failure.
BTW, if the stack is being used for L3 operation, there are often (?) other configuration options to minimize the impact of a stack master failure for those too.
Again, though, as you didn't answer my questions, I cannot say with much certainty what causes the behavior you note, but I can say, from experience, that loss of a stack master can be more operationally impactful, especially if you've not configured the options to mitigate its impact.
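As an added illustration (not from any poster in this thread), the stack MAC persistency setting being discussed, together with the check used to identify the master. The command syntax is assumed from Catalyst 3750/3850-style IOS stacks; verify it against your platform's documentation.

```ios
! Added example, not from the thread. Assumes a Catalyst 3750/3850-style
! IOS switch stack.
!
! 1. Identify the stack master. In the thread's topology the master (SW3)
!    carries one link of each firewall's port-channel, so its loss changes
!    both the stack master and one member of every bundle at once.
show switch
!
! 2. Default behaviour: after a master failure the stack adopts the new
!    master's MAC, so upstream devices see the bridge/source MAC change.
!    "timer 0" keeps the original stack MAC indefinitely ("infinite").
configure terminal
 stack-mac persistent timer 0
end
!
! 3. Confirm the setting and the MAC currently in use.
show switch
show running-config | include stack-mac
!
! Caveat: with the persistent MAC in use, do not reconnect the former
! master elsewhere on the network as a standalone switch while the stack
! still uses its MAC, or the address will be duplicated.
```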
07-01-2026 02:49 PM
I also see both links in portchannel on firewall going down and causing firewall failover as well
07-01-2026 02:47 PM
SW3 is the master and MAC address persistency is infinite.