ION 3000 - Secure Fabric tunnel down with reason "FC is down in the Hub"

ION 3000 - Secure Fabric tunnel down with reason "FC is down in the Hub"

1000
Created On 04/19/23 07:54 AM - Last Modified 04/23/25 22:46 PM


Symptom


  • Secure Fabric tunnels are unable to form between the Branch & DC (Data Center).
  • Reason for the Secure Fabric tunnel down "FC (flow-ctrl) is down in the Hub"
# dump vpn summary  all
VepID                Circuit-local                  Circuit-Remote                 Remote-Site     VpnType         Interface       SrcIP                DstIP
          Status Active
1681811360796015227  SINET-PRIVATE                  SINET-PRIVATE                  DR-SITE         private         1               x.x.x.x       x.x.x.x.
251       Up    false
1681811361091018527  SINET-PRIVATE                  SINET-PRIVATE                  DC-SITE         private         1               x.x.x.x       x.x.x.x.
241       Up    false

# dump vpn status VpnID=1681811361091018527
VEP ID: 1681811361091018527
  vpnlink_id: 1681811361091018827
  local_ipv4: x.x.x.x
  remote_ipv4: x.x.x.x
  local_shim_ipv4: 100.64.0.117
  remote_shim_ipv4: 100.64.0.118
  peer_vep_id: 1681811361091018627
  admin_up: true
  devname: e900
  type: private
  status: Up
  active: false
  usable: false
  cipher: aes-256-cbc
  link if_id: vpn34
  Spi: 3057332246
  next_key_rotation: Wed Apr 19 08:15:57 UTC 2023
  OutBytes: 36296 OutPackets: 1396
  InBytes: 33456 InPackets: 1394
Link is "Up"(21:35:27).
Link is "Not Usable". Reason: FC is down in the Hub.
Remote IP & Port: x.x.x.x:4500


Environment


  • Prisma SD-WAN ION 3000
  • Secure Fabric Tunnels

Cause


  • ION 3000 in the hub is using pre 6.x version.
  • For ION 3000 to be used as a hub, 6.x version must be installed.
  • The command "dump overview" will display the software/hardware being used.
  • In this case, the ION 3000 used on the Hub is running 5.6.11-b2 code and so cannot be used as a HUB device.
# dump overview
Software                                        : 5.6.11-b2
Hardware Model                                  : ion 3000

# debug process status all
ase                              RUNNING   pid 4403, uptime 21:32:13
ave_register                     RUNNING   pid 4407, uptime 21:32:13
bfdd-beacon                      RUNNING   pid 4485, uptime 21:32:13
blobfish                         RUNNING   pid 4458, uptime 21:32:13
bwm_server                       RUNNING   pid 5878, uptime 21:32:07
cg_super_event_listener          RUNNING   pid 4390, uptime 21:32:13
cgnxinfra                        RUNNING   pid 4469, uptime 21:32:13
dns                              RUNNING   pid 6921, uptime 21:32:04
dup_ip                           RUNNING   pid 4445, uptime 21:32:13
elapi                            RUNNING   pid 4478, uptime 21:32:13
elmgr                            RUNNING   pid 4395, uptime 21:32:13
em_stats                         RUNNING   pid 4430, uptime 21:32:13
evd                              RUNNING   pid 4391, uptime 21:32:13
event_forward                    RUNNING   pid 4392, uptime 21:32:13
event_monitor                    RUNNING   pid 4466, uptime 21:32:13
fatal_state_handler              RUNNING   pid 4393, uptime 21:32:13
fc                               FATAL     Exited too quickly (process log may have details)


 

Resolution


  1. Upgrade the ION 3000 device to Software version to 6.x or higher.
  2. Starting with Release 6.0.1, Prisma SD-WAN ION 3000 device can be used in a data center site, which can be useful for smaller deployments.
  3. Current supported version is 6.1.x.

Additional Information


 
Other users also viewed:
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000kHiDCAU&lang=en_US&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail