What to check if an interface with SFP Plus module is showing down

Created On 01/26/21 17:55 PM - Last Modified 04/30/21 03:01 AM


Symptom


  • The SFP+ module is compatible with our firewalls. To check whether an SFP/SFP+ module is compatible with our firewalls, please refer to How To Confirm If Your SFP Transceiver Is Supported By Palo Alto Networks Firewall 
  • The physical LED (if available) of the relevant SFP+ port is blinking.
  • The media type is SFP+ (replace XX with the port number in the subsequent commands e.g. Port 13 refers to ethernet interface 1/13 of the firewall):
    > show system state filter-pretty sys.s1.pXX.phy
      sys.s1.pXX.phy: { link-partner: { }, media: SFP-Plus-Fiber, sfp: { connector: LC, encoding: Reserved, identifier: SFP, 
      transceiver:, vendor-name: AVAGO, vendor-part-number: AFBR-709SMZ, vendor-part-rev: G4.1, }, type: Ethernet, }
  • The Link Status of the ethernet interface for the corresponding SFP+ port is showing 'Down' on the firewall:
    > show system state filter-pretty sys.s1.pXX.status
      sys.s1.pXX.status: { 'farloop': False, 'link': Down, 'mode': Autoneg, 'mru': 1856, 'nearloop': False, 'pause-frames': True,
      'setting': 1Gb/s-full, 'type': SFP, }
  • The state of the port is not appropriate due to an invalid SFP+ module:
    > show system state filter-pretty sys.s1.pXX.state 
      sys.s1.pXX.state: board_port_sfp_invalid_0.


Environment


  • Any hardware firewall (except the PA-7000 series) that has dedicated SFP+ ports.
  • Any PAN-OS.
  • An SFP+ module/transceiver correctly plugged in one of the firewall ports.
  • The corresponding interface is configured on the firewall.


Cause


A common cause is that the SFP+ module is not inserted in the correct firewall port.

Resolution


  • Verify the firewall model/series:
    > show system info
      model: PA-3220
  • Go to our Hardware reference guides and open the Hardware reference for the respective firewall series.
  • Under the Front Panel description, look for the SFP ports component on the table:
  • Read the description to determine which ports are reserved for SFP and SFP+ modules. (In this instance, for our PA-3220 platform: Ports 13 through 16 are SFP (1Gbps) and ports 17 through 20 are SFP or SFP+ (10Gbps) based on the installed transceiver).
  • Insert the SFP+ module in the correct port.
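
The Symptom and Resolution checks combined into one script, as an added example (not Palo Alto Networks code): it parses pasted `show system state filter-pretty` output and flags ports that show all three symptoms. The port map covers only the PA-3220 ranges quoted above; the sample text, the port 17 records and the verdict labels are constructed for illustration.

```python
import re

# Port map for the PA-3220 as given in the article: ports 13-16 are SFP (1Gbps),
# ports 17-20 take SFP or SFP+. Other models need their own hardware reference.
PA3220_SFP_PLUS_PORTS = range(17, 21)

# Constructed sample: the article's outputs with XX replaced by 13, plus a made-up healthy port 17.
SAMPLE = """\
> show system state filter-pretty sys.s1.p13.phy
  sys.s1.p13.phy: { link-partner: { }, media: SFP-Plus-Fiber, sfp: { connector: LC, encoding: Reserved, identifier: SFP,
  transceiver:, vendor-name: AVAGO, vendor-part-number: AFBR-709SMZ, vendor-part-rev: G4.1, }, type: Ethernet, }
> show system state filter-pretty sys.s1.p13.status
  sys.s1.p13.status: { 'farloop': False, 'link': Down, 'mode': Autoneg, 'mru': 1856, 'nearloop': False, 'pause-frames': True,
  'setting': 1Gb/s-full, 'type': SFP, }
> show system state filter-pretty sys.s1.p13.state
  sys.s1.p13.state: board_port_sfp_invalid_0.
> show system state filter-pretty sys.s1.p17.phy
  sys.s1.p17.phy: { link-partner: { }, media: SFP-Plus-Fiber, type: Ethernet, }
> show system state filter-pretty sys.s1.p17.status
  sys.s1.p17.status: { 'link': Up, 'setting': 10Gb/s-full, 'type': SFP, }
"""

def parse_state(text):
    """Map (port, node) -> flattened value from pasted CLI output."""
    # Drop the echoed "> show ..." command lines, keep only the state records.
    text = "\n".join(l for l in text.splitlines() if not l.lstrip().startswith(">"))
    pat = r"sys\.s1\.p(\d+)\.(\w+):\s*(.*?)(?=sys\.s1\.p\d+\.\w+:|\Z)"
    return {(int(p), n): " ".join(b.split()) for p, n, b in re.findall(pat, text, re.S)}

def field(body, key):
    """Return the scalar value of a key (quoted or not) inside one record."""
    m = re.search(r"(?<![\w-])'?%s'?:\s*([^,{}]+)" % re.escape(key), body)
    return m.group(1).strip() if m else None

def diagnose(text, sfp_plus_ports=PA3220_SFP_PLUS_PORTS):
    """Return [(port, verdict)] for ports showing the article's three symptoms."""
    recs, findings = parse_state(text), []
    for port in sorted({p for p, _ in recs}):
        media = field(recs.get((port, "phy"), ""), "media")
        link = field(recs.get((port, "status"), ""), "link")
        state = recs.get((port, "state"), "")
        if media == "SFP-Plus-Fiber" and link == "Down" and "sfp_invalid" in state:
            # Verdict strings are this example's own labels, not PAN-OS output.
            findings.append((port, "check-compatibility" if port in sfp_plus_ports else "wrong-port"))
    return findings

if __name__ == "__main__":
    for port, verdict in diagnose(SAMPLE):
        print(f"ethernet1/{port}: {verdict}")
```
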


Additional Information


  • As a good practice, the correct port number should be identified before inserting the module.
  • In an Active/Passive High Availability deployment, consider the interface status of the Active device (unless the Passive link state is set to UP).
  • The 3200 series is used here only as an example.
How to View Currently Installed SFP Modules

How to confirm if your SFP transceiver is supported by Palo Alto Networks firewall

