Virtual wire flaps after Commit or Auto-Commit or FQDN refresh or WildFire update or Application and Threat update
Created On 05/10/22 09:52 AM - Last Modified 07/29/25 01:43 AM
Symptom
- At least one Virtual Wire (Vwire) is configured, with either non-aggregated links (eth1/1 and eth1/2 bundled together) or aggregated links (ae1 and ae2 bundled together).
- This Vwire is configured with Link State set to Pass Through.
- When one side of the Vwire link (eth1/1 or ae1) goes down, because of a possible cabling/port issue or because the port was shut down from the switch side, the firewall takes down the paired interface (eth1/2 or ae2).
Environment
- Palo Alto Firewall
- Any Supported PAN-OS
- Virtual wire configured.
Cause
- The ideal state of the interface (eth1/2 or ae2) is powered down.
- After a Commit or Auto-commit or FQDN refresh or WildFire update or Application and Threat update on the firewall, the port (ae2 or eth1/2) will be powered up based on the port configuration.
- Subsequently, you'll notice that the port (ae2 or eth1/2) is powered down again because the peer port status is down.
- The above scenario repeats whenever at least one of the mentioned events is executed. For example, with FQDN refresh, which by default refreshes every 30 minutes, the flapping will occur twice an hour.
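To separate this expected flapping from a genuine link problem, the up/down cycles of the paired port can be correlated with the trigger events listed above. The following is an added example, not Palo Alto Networks code: the event lines are a constructed, normalized format (not the PAN-OS system log format), and the function name and the 30-second correlation window are assumptions.

```python
from datetime import datetime, timedelta

# Constructed, normalized events (NOT the PAN-OS system log format):
# "<ISO timestamp> <kind> <detail>"
SAMPLE = """\
2025-01-01T09:55:00 link-down eth1/1
2025-01-01T09:55:01 link-down eth1/2
2025-01-01T10:00:00 trigger fqdn-refresh
2025-01-01T10:00:02 link-up eth1/2
2025-01-01T10:00:04 link-down eth1/2
2025-01-01T10:17:30 link-up eth1/2
2025-01-01T10:17:33 link-down eth1/2
2025-01-01T10:30:00 trigger fqdn-refresh
2025-01-01T10:30:02 link-up eth1/2
2025-01-01T10:30:05 link-down eth1/2
"""

def classify_flaps(text, failed="eth1/1", paired="eth1/2", window_s=30):
    """Return (up_time, label, trigger) for each up->down cycle of `paired`
    that occurs while `failed` is down. window_s is an assumed tolerance."""
    state = {failed: "up", paired: "up"}
    last_trigger = None   # (time, name) of the most recent trigger event
    pending_up = None     # time the paired port came up while `failed` was down
    results = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, detail = line.split(maxsplit=2)
        when = datetime.fromisoformat(ts)
        if kind == "trigger":
            last_trigger = (when, detail)
        elif kind in ("link-up", "link-down") and detail in state:
            state[detail] = kind[5:]          # "up" or "down"
            if detail != paired:
                continue
            if kind == "link-up":
                pending_up = when if state[failed] == "down" else None
            elif pending_up is not None:
                # Expected only if the port came up shortly after a trigger.
                near = (last_trigger is not None and timedelta(0)
                        <= pending_up - last_trigger[0]
                        <= timedelta(seconds=window_s))
                results.append((pending_up.isoformat(),
                                "expected" if near else "unexplained",
                                last_trigger[1] if near else None))
                pending_up = None
    return results
```

Cycles labelled `unexplained` do not line up with any of the listed events and are the ones worth checking against cabling or the switch side.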
Resolution
- The behavior is as expected.
- If the port flap must not occur, disable Link State Pass Through on the affected Vwire. This can be done by:
GUI: Network > Virtual Wires > [your Vwire config] > Link State Pass Through: uncheck > OK > Commit.
Additional Information
Logging VWire Link State Change in the System Logs