SFP ports 5 through 8 of PA-800 Series Firewalls do not negotiate after reboot
Created On 01/30/23 14:50 PM - Last Modified 09/29/23 20:43 PM
Symptom
- Ports 1/5 to 1/8 on PA-800 Series Firewalls do not come up after reboot.
- This happens when PAN-SFP-SX fiber optics are used.
- Copper optics (PAN-SFP-CG) do not have any issue.
- The local link comes up and the remote link stays down.
- The SFP ports emphasized by red squares are the affected ports. Both PA-850 and PA-820 are affected by this issue.
Environment
- PA-800 Series Firewalls
- Ports 1/5 to 1/8 with Fiber optics.
- PAN-OS 10.1 branch (10.1.8 or earlier)
- PAN-OS 10.2 branch (10.2.3 or earlier)
- PAN-OS 11.0 branch (11.0.0)
Cause
On the firewall side, the SFP ports (5 - 8) are not renegotiating with the peer-side switch ports.
Resolution
- The issue has been addressed under PAN-207045 in PAN-OS 10.1.9, 10.2.4, and 11.0.1 versions.
- Upgrading the code to the latest version will resolve the issue.
- Disabling and re-enabling the ports on either side of the link will cause the ports to come up.
- The procedure to disable and enable the ports on the Palo Alto Firewall is given below.
admin@PA-850> configure
Entering configuration mode
admin@PA-850# set network interface ethernet ethernet1/5 link-state down
admin@PA-850# commit
admin@PA-850# set network interface ethernet ethernet1/5 link-state up
admin@PA-850# commit
admin@PA-850# exit
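
To find which links in a fleet need the workaround or the upgrade, the conditions listed under Symptom, Environment and Resolution can be combined into one check. This is an added example, not Palo Alto Networks code: the inventory records and their field names are constructed, and treating a hotfix build such as 10.1.8-h2 the same as its base release is an assumption.

```python
import re

# Last affected maintenance release per branch, from "Environment" on this page.
LAST_AFFECTED = {(10, 1): 8, (10, 2): 3, (11, 0): 0}
AFFECTED_MODELS = {"PA-820", "PA-850"}
AFFECTED_PORTS = {f"ethernet1/{n}" for n in range(5, 9)}
AFFECTED_OPTIC = "PAN-SFP-SX"  # copper PAN-SFP-CG is not affected


def version_status(version):
    """True = affected, False = fixed, None = branch not listed on this page."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-h\d+)?", version.strip())
    if not m:
        raise ValueError(f"unrecognised PAN-OS version: {version!r}")
    major, minor, maint = map(int, m.groups())
    last = LAST_AFFECTED.get((major, minor))
    if last is None:
        return None
    # Assumption: a hotfix (-hN) is judged by its base maintenance release.
    return maint <= last


def ports_at_risk(device):
    """Return the ports on one device that match every condition on this page."""
    if device["model"] not in AFFECTED_MODELS:
        return []
    if version_status(device["sw_version"]) is not True:
        return []
    return sorted(port for port, optic in device["optics"].items()
                  if port in AFFECTED_PORTS and optic == AFFECTED_OPTIC)


# Constructed sample inventory (hypothetical device names and field names).
INVENTORY = [
    {"name": "fw-a", "model": "PA-850", "sw_version": "10.1.8-h2",
     "optics": {"ethernet1/5": "PAN-SFP-SX", "ethernet1/6": "PAN-SFP-CG"}},
    {"name": "fw-b", "model": "PA-820", "sw_version": "10.2.4",
     "optics": {"ethernet1/7": "PAN-SFP-SX"}},
    {"name": "fw-c", "model": "PA-820", "sw_version": "11.0.0",
     "optics": {"ethernet1/8": "PAN-SFP-SX", "ethernet1/5": "PAN-SFP-SX"}},
]

if __name__ == "__main__":
    for dev in INVENTORY:
        ports = ports_at_risk(dev)
        state = ", ".join(ports) if ports else "no affected ports"
        print(f"{dev['name']} ({dev['model']}, {dev['sw_version']}): {state}")
```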