SOLVED
What is the output of the display link-aggregation verbose bridge-aggregation1 command?
Which type of Firewall are you exactly using (Doesn't it support LACP)?
What is the Trunk configuration Firewall side?
Why aren't you setting up a Dynamic Trunk (LACP) instead of a Static Trunk (Non-Protocol)?
Are the interfaces Gigabit Ethernet 1/0/32 and Gigabit Ethernet 2/0/32 "near" (of the same "group" of) the physical ports used to form the Logical IRF port of the IRF Stack?
I'm not an HPE Employee
I second @VoIP-Buddy about LACP versus Non Protocol link aggregation: if the device you're uplinking to with a port trunking does support LACP go with LACP.
I'm not an HPE Employee
WimV wrote: The firewall supports LACP but according our security partner is shouldn't be needed. I gave it a try with LACP but with the same result. (Switch Active / FW passive).
Interesting statement/recommendation the one provided you by your Security Partner!
Which justifications they provided about that choice?
If I were you I will follow what was written above by @VoIP-Buddy.
The fact you tried also with LACP (Dynamic) Port Trunking other than trying with Non Protocol (Static) Port Trunking...and, in both cases, it didn't work...is possible a signal of probable misconfiguration IRF Stack side/Firewall side or on both sides:
- You haven't followed the proper Port Trunking (LAG) setup as described for Comware based units (reference: your product Documentation) --> could you share (sanitized) configuration file of your IRF Stack?
- Firewall side there is an issue/misconfiguration. You didn't show us which (sanitized) configuration the Firewall has with regard to its Port Trunking facing the IRF Stack.
WimV wrote: the port of the link aggregation are on different members of the IRF stack. I'll check if it will be a difference when we use two port on the same physical switch...
There should not.
Since a properly configured IRF Stack creates a single virtual logical switch to downstream/upstream devices (the Firewall, in your case) those devices will see a single logical switch SO termination of a LAG (LACP/Non-Protocol, doesn't matter) which is originating on those devices should be irrelevant from the point of view of the physical ports to which that LAG terminates its links: in other terms, with IRF properly running, you can (a) terminate a LAG on physical ports residing on different IRF members (sort of load balancing in case against SPoF) or (b) terminate a LAG on ports residing all on the same IRF member.
Clearly, considering IRF and Firewall sides, configured LAGs need to be properly configured.
As you see from the command output...using the Non-Protocol (Static) provides very few information (especially regarding the "paired" device, your Firewall) with respect to what is provided by using LACP (test it!).
I'm not an HPE Employee