Since you aren't working with a VSX (you have just a standalone Switch connected to both Firewalls and that Switch is the Aruba CX 8360) you should forget about MC LAGs (Multi-Chassis LAGs) because you don't have a Multi-Chassis (Multi-Chassis here equals Aruba VSX).
This is a design example (well, it's quite real) where a VSX (made of two Aruba CX 8360 "clustered") is connected to a Forcepoint Cluster (a couple of Forcepoint 2105 clustered in Active/Active mode):
You have just one Aruba CX 8360 (thus standalone) so you should eventually end up with a simpler setup similar to this one if you want to have a LAG to each Forcepoint Firewall Cluster member:
As you can see, from the point of view of the Forcepoint Firewall Cluster, nothing changed BUT the VSX versus Standalone switch changes the way you build LAGs on the Aruba side (and it is quite clear why): in one case you use MC-LAGs, in the other case you use standard LAGs.
The third scenario is the simplest: no LAGs and simple single uplinks (one for Firewall node 1 and one for Firewall node 2) from the standalone Aruba CX 8360 to the Firewall Cluster...but its validity depends on your desired "resiliency level" considering that each single entity represents a SPoF (Single Point of Failure):
Focus on what you really want to achieve, looking at the connectivity between your standalone Aruba CX 8360 and the Firewall Cluster.
Original Message:
Sent: Nov 16, 2023 01:13 AM
From: asi4
Subject: ArubaOS CX-8320 LACP lag interface forwarding state " LACP-Blocked"
According to what you said, I will be able to configure LAG interfaces to only one device. I tested with another Aruba switch; the LAG interfaces are up and working. Now I shut down one interface to Firewall-2 on the Aruba switch. There is a single firewall connected to the LAG interface, and I am still getting LACP blocked.
Below, lag10 is for my other Aruba switch, and lag101 is to one of my firewalls.
DMZ-ARUBA# sh lacp interfaces
State abbreviations :
A - Active        P - Passive      F - Aggregable I - Individual
S - Short-timeout L - Long-timeout N - InSync     O - OutofSync
C - Collecting    D - Distributing
X - State m/c expired              E - Default neighbor state
Actor details of all interfaces:
----------------------------------------------------------------------------------
Intf       Aggr       Port  Port  State   System-ID         System Aggr Forwarding
           Name       Id    Pri                             Pri    Key  State
----------------------------------------------------------------------------------
1/1/1      lag10      2     1     ALFNCD  ec:02:73:4e:d4:bc 65534  10   up
1/1/2      lag10                                                        down
1/1/47     lag101     48    1     ASFOE   ec:02:73:4e:d4:bc 65534  101  lacp-block
1/1/48     lag101                                                       down
Original Message:
Sent: Nov 15, 2023 02:48 PM
From: parnassus
Subject: ArubaOS CX-8320 LACP lag interface forwarding state " LACP-Blocked"
You can't. A LAG requires that the peer device (standalone or not) shows itself as a single logical unit in order to co-terminate the LAG's member interfaces against one logical unit (a cluster of two firewalls - deployed as Active/Active or Active/Standby - doesn't generally present itself as a single logical unit to peer devices).
What you can do (if needed by design) is to have a LAG 1 from Aruba against Firewall 1 and a LAG 2 from Aruba against Firewall 2, thus two separate LAGs each one with links terminating into one Firewall Cluster member.
Original Message:
Sent: 11/15/2023 7:59:00 AM
From: asi4
Subject: ArubaOS CX-8320 LACP lag interface forwarding state " LACP-Blocked"
Hi,
We have 1 8320 switch. I want to configure a LAG connecting 2 firewalls (2 firewalls in cluster).
Interface 1/1/47---FW1
Interface 1/1/48---FW2
Below is the config:
interface lag 101
    no shutdown
    no routing
    vlan trunk native 1
    vlan trunk allowed all
    lacp mode active
    lacp rate fast
    exit
sh run int 1/1/47
interface 1/1/47
    mtu 9198
    description to Firewall-1
    lag 101
    exit
interface 1/1/48
    no shutdown
    mtu 9198
    description to Firewall-2
    lag 101
    exit
show lacp interface
Actor details of all interfaces:
----------------------------------------------------------------------------------
Intf       Aggr       Port  Port  State   System-ID         System Aggr Forwarding
           Name       Id    Pri                             Pri    Key  State
----------------------------------------------------------------------------------
1/1/47     lag101     48    1     ASFOE   ec:02:73:4e:d4:bc 65534  101  lacp-block
1/1/48     lag101     49    1     ASFOE   ec:02:73:4e:d4:bc 65534  101  lacp-block
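
Added example, not part of the thread or of any Aruba tooling: a small Python parser for the actor rows of the `show lacp interfaces` output quoted above. It expands the State letters using the legend the switch prints and classifies each member port. The names `parse_actor_rows` and `diagnose` and the diagnosis strings are assumptions made for this illustration; the sample rows are constructed from the output in the thread.

```python
import re

# Legend copied from the "State abbreviations" block printed by the switch.
FLAGS = {
    "A": "Active", "P": "Passive", "F": "Aggregable", "I": "Individual",
    "S": "Short-timeout", "L": "Long-timeout", "N": "InSync", "O": "OutofSync",
    "C": "Collecting", "D": "Distributing",
    "X": "State m/c expired", "E": "Default neighbor state",
}

# Constructed sample: actor rows as they appear in the thread's output.
SAMPLE = """\
1/1/1      lag10      2     1     ALFNCD  ec:02:73:4e:d4:bc 65534  10   up
1/1/2      lag10                                                        down
1/1/47     lag101     48    1     ASFOE   ec:02:73:4e:d4:bc 65534  101  lacp-block
1/1/48     lag101                                                       down
"""

ROW = re.compile(r"^(\d+/\d+/\d+)\s+(lag\d+)\s+(.*)$")

def parse_actor_rows(text):
    """Return one dict per member port; rows for down links carry no LACP fields."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # legend, header and separator lines
        intf, lag, rest = m.groups()
        fields = rest.split()
        # A full row has: port id, port pri, state, system-id, sys pri, key, fwd state.
        state = fields[2] if len(fields) >= 7 else ""
        rows.append({"intf": intf, "lag": lag, "state": state,
                     "flags": [FLAGS[c] for c in state if c in FLAGS],
                     "forwarding": fields[-1]})
    return rows

def diagnose(row):
    """Hypothetical triage text derived from the state letters."""
    s = row["state"]
    if row["forwarding"] == "down":
        return "link down"
    if "E" in s:  # Defaulted in IEEE 802.1AX terms: no LACPDU from the partner
        return "no partner LACPDUs: actor is using default neighbor info"
    if "O" in s:
        return "partner seen but out of sync"
    if {"N", "C", "D"} <= set(s):
        return "in sync, collecting and distributing"
    return "unclassified"

if __name__ == "__main__":
    for r in parse_actor_rows(SAMPLE):
        print(r["intf"], r["lag"], r["forwarding"], "-", diagnose(r))
```

Because the parser splits on whitespace, it accepts the rows whether or not the column alignment survived copy and paste.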