How to Troubleshoot Aggregated Ethernet Interface Down
Created On 02/19/26 17:03 PM - Last Modified 02/25/26 18:48 PM
Objective
Troubleshooting an Aggregate Ethernet (AE) interface involves checking the configuration, the LACP state machine, and the hardware layer.
Environment
- NGFW
- AE interface
Procedure
- Verify Physical Link State:
- Log into the firewall's CLI and run the command:
    show interface ae<x>
- Example:
    > show interface ae4
    --------------------------------------------------------------------------------
    Name: ae4, ID: 19
    Link status:
      Runtime link speed/duplex/state: unknown/unknown/down
      Configured link speed/duplex/state: auto/auto/auto
    MAC address:
      Port MAC address b4:0c:25:e2:40:13
    Aggregate group members: 2
      ethernet1/15 ethernet1/16
    Operation mode: layer3
    Untagged sub-interface support: no
    --------------------------------------------------------------------------------
    Name: ae4, ID: 19
    Operation mode: layer3
    Interface management profile: N/A
    Service configured: LACP
    Zone: N/A, virtual system: vsys1
    Adjust TCP MSS: no
    Policing: no
    Proxy protocol: no
    --------------------------------------------------------------------------------
    --------------------------------------------------------------------------------
    Physical port counters read from MAC:
    --------------------------------------------------------------------------------
    rx-broadcast                  0
    rx-bytes                      15668224
    rx-multicast                  124270
    rx-unicast                    0
    tx-broadcast                  0
    tx-bytes                      14722131
    tx-multicast                  115278
    tx-unicast                    0
    --------------------------------------------------------------------------------
    Hardware interface counters read from CPU:
    --------------------------------------------------------------------------------
    bytes received                0
    bytes transmitted             3222717
    packets received              0
    packets transmitted           22802
    receive incoming errors       0
    receive discarded             0
    receive errors                0
    packets dropped               0
    --------------------------------------------------------------------------------
    Logical interface counters read from CPU:
    --------------------------------------------------------------------------------
    bytes received                    0
    bytes transmitted                 14262983
    packets received                  0
    packets transmitted               115295
    receive errors                    0
    packets dropped                   0
    packets dropped by flow state check 0
    forwarding errors                 0
    no route                          0
    arp not found                     0
    neighbor not found                0
    neighbor info pending             0
    mac not found                     0
    packets routed to different zone  0
    land attacks                      0
    ping-of-death attacks             0
    teardrop attacks                  0
    ip spoof attacks                  0
    mac spoof attacks                 0
    ICMP fragment                     0
    layer2 encapsulated packets       0
    layer2 decapsulated packets       0
    tcp cps                           0
    udp cps                           0
    sctp cps                          0
    other cps                         0
    --------------------------------------------------------------------------------
- Examine the state of the individual physical interfaces that are members of the bundle. Identify which ones are down. If none is down, move to step 2.
- Inspect the physical connections for these down interfaces. Check for disconnected or damaged cables, SFP/transceiver issues, and the status lights on both the firewall and the connected device (e.g., a switch).
- For more information on these troubleshooting steps, refer to How to troubleshoot physical port flap or link down issue.
- Investigate LACP Status (if configured): To see whether LACP is configured, check the Service configured line in the show interface ae<x> output:
    Service configured: LACP
- If you are using LACP, run the following command to check the LACP state for each member link:
    show lacp aggregate-ethernet <ae_interface_name>
- Example:
    AE group: ae4
    Members:      Bndl  Rx state  Mux state  Sel state
    ethernet1/15  no    Current   Attached   Selected
    ethernet1/16  no    Current   Detached   Unselected(Negotiation failed)
    Status: Enabled
    Mode: Active
    Rate: Fast
    Max-port: 8
    Fast-failover: Enabled
    Pre-negotiation: Enabled
    Local:   System Priority: 32768  System MAC: 84:d4:12:b9:00:01  Key: 19
    Partner: System Priority: 32768  System MAC: 24:d5:e4:0f:ed:60  Key: 14
    Port State
    --------------------------------------------------------------------------------
    Interface     Port Number  Priority  Mode    Rate  Key  State
    --------------------------------------------------------------------------------
    ethernet1/15  78           32768     Active  Fast  19   0x0F
       Partner    782          32768     Active  Fast  14   0x07
    ethernet1/16  79           32768     Active  Fast  19   0x07
       Partner    1292         32768     Active  Fast  13   0x07
    Port Counters
    --------------------------------------------------------------------------------
    Interface     LACPDUs        Marker       Marker Response  Error
                  Sent   Recv    Sent  Recv   Sent  Recv       Unknown  Illegal
    --------------------------------------------------------------------------------
    ethernet1/15  56517  61067   0     0      0     0          0        0
    ethernet1/16  56553  61108   0     0      0     0          0        0
- Look for any member ports that have failed to bundle correctly or are in a non-active state. This often points to a configuration mismatch between the firewall and the peer device.
- Members section details the state of each physical interface within the aggregate group.
- Bndl (Bundled): Indicates if the member interface is part of the active LACP bundle. yes means it is successfully bundled; no indicates an issue.
- Rx state: Shows the state of the receiving machine for the interface. Current is the expected state for a working link. A state of Defaulted can indicate a problem, such as a peer not being detected.
- Mux state (Multiplexer state): This reveals whether the interface is actively participating in traffic. Attached or Tx_Rx (transmitting and receiving) is the desired state. A Detached state means the interface is not part of the aggregated link and does not pass traffic.
- Sel state (Selection state): Selected means the port has been chosen by the LACP process to be part of the aggregate group. Unselected often points to a problem like "Peer not detected" or "Link down".
- Status, Mode, and Rate:
- Status: Must be Enabled for LACP to function.
- Mode: Can be Active or Passive. It's recommended to have one side Active and the other Passive. Two Passive peers cannot form an LACP bundle.
- Rate: Can be Fast (1 second) or Slow (30 seconds). Mismatched rates between partners can cause flapping issues.
- Local and Partner Information:
- System MAC: The unique MAC address for the local system and the partner system. A partner MAC of 00:00:00:00:00:00 indicates that no LACP PDUs are being received from the peer, pointing to a connectivity or configuration issue.
- System Priority: Used in LACP negotiation.
- For more information on these troubleshooting steps, refer to How to troubleshoot LACP going down or flap issue.
- Review Logs:
- Check the firewall's system logs for events related to the interface going down. This can provide clues about whether it was a physical link failure, a software event, or an LACP issue.
- On the connected peer device (e.g., a switch), check its logs for corresponding interface-down or LACP negotiation failure messages.
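The LACP checks from the "Investigate LACP Status" step can be scripted. The following is an added example, not Palo Alto Networks code: it parses `show lacp aggregate-ethernet` text and reports unbundled members, an all-zero partner MAC, and Passive/Passive pairs, and goes beyond the article by decoding the State column with the IEEE 802.1AX flag bits and comparing partner keys across members. The sample text is constructed from the ae4 values above, and its exact column layout is an assumption.

```python
import re

# Constructed sample: the article's ae4 values; the column layout is assumed.
SAMPLE = """\
AE group: ae4
Members:      Bndl Rx state Mux state Sel state
ethernet1/15  no   Current  Attached  Selected
ethernet1/16  no   Current  Detached  Unselected(Negotiation failed)
Partner: System Priority: 32768 System MAC: 24:d5:e4:0f:ed:60 Key: 14
Interface     Port Number Priority Mode   Rate Key State
ethernet1/15  78          32768    Active Fast 19  0x0F
   Partner    782         32768    Active Fast 14  0x07
ethernet1/16  79          32768    Active Fast 19  0x07
   Partner    1292        32768    Active Fast 13  0x07
"""
# IEEE 802.1AX port-state flags, least significant bit first.
BITS = ["Activity", "Timeout", "Aggregation", "Synchronization",
        "Collecting", "Distributing", "Defaulted", "Expired"]
MEMBER = re.compile(r"\s*(ethernet\S+)\s+(yes|no)\s+(\S+)\s+(\S+)\s+(\S.*)")
PORT = re.compile(r"\s*(ethernet\S+|Partner)\s+\d+\s+\d+\s+(\S+)\s+\S+\s+(\d+)\s+(0x[0-9A-Fa-f]+)")

def decode_state(value):
    """Names of the flags set in an LACP port-state byte."""
    return [name for bit, name in enumerate(BITS) if value >> bit & 1]

def analyze(text):
    """Findings for one 'show lacp aggregate-ethernet' output."""
    findings, partner_keys, member, local_mode = [], {}, None, None
    if re.search(r"Partner:.*System MAC:\s*00:00:00:00:00:00", text):
        findings.append("partner MAC all zeros: no LACPDUs received from peer")
    for line in text.splitlines():
        if m := MEMBER.match(line):
            name, bndl, rx, mux, sel = m.groups()
            if bndl == "no":
                findings.append(f"{name}: not bundled (rx={rx}, mux={mux}, sel={sel.strip()})")
        elif m := PORT.match(line):
            who, mode, key, state = m.groups()
            if who != "Partner":
                member, local_mode = who, mode
            else:
                partner_keys[member] = key
                if mode == local_mode == "Passive":
                    findings.append(f"{member}: both ends Passive, no bundle can form")
            side = "partner" if who == "Partner" else "local"
            if "Synchronization" not in decode_state(int(state, 16)):
                findings.append(f"{member} {side}: state {state} lacks Synchronization")
    if len(set(partner_keys.values())) > 1:
        findings.append(f"peer keys differ across members: {partner_keys}")
    return findings
```

On the sample, `analyze(SAMPLE)` reports that the peer advertises key 14 on ethernet1/15 and key 13 on ethernet1/16; ports only aggregate when they share a partner key, so this is the peer-side mismatch to check first.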