Physical port is taken out of aggregate ethernet interface in LACP auto mode


Created On 09/25/18 19:38 PM - Last Modified 12/15/23 17:45 PM


When LACP is configured on an AE group, system log messages on the firewall indicate that one of the physical ports assigned to a given Aggregate Ethernet (AE) interface is taken out of the AE group and then brought back after a minute.

System Log:

2015/03/08 19:55:44 critical lacp    ethern nego-fa 0  LACP interface ethernet1/2 moved out of AE-group ae1. Selection state Selected
2015/03/08 19:55:45 critical lacp    ethern lacp-up 0  LACP interface ethernet1/2 moved into AE-group ae1.



  • PAN-OS 7.1 and above.
  • Palo Alto Firewall. 
  • LACP (Link Aggregation Control Protocol) configured.


When the aggregate interface is enabled with LACP, LACP PDU (protocol data unit) messages are exchanged with a peer to dynamically negotiate LACP parameters and to establish and maintain the AE interface status. LACPDU messages are sent out of every physical interface that is a member of any given AE group.

The LACP feature has 3 main state machines: the Selection, MUX, and RX machines.

The RX machine examines data in the received LACPDUs and updates the peer’s state. If no LACPDU messages have been received by the peer device during the past 3 intervals, the RX state machine for the given interface goes from CURRENT (operational) to EXPIRED (non-operational) status. This activity appears in the System log as an interface taken out of the AE group.


Since the drop of LACP PDUs is causing these flaps, the reasons for these drops need to be troubleshot to resolve the issue.

  1. Identify the port that is being dropped out of and added back to the aggregation using GUI: Monitor > Logs > System.
  2. Using packet captures, verify whether the LACP PDUs are being received on the affected port.
  3. If the packets are being received but the issue is still seen, isolate port or cable issues on the port by troubleshooting them.
  4. If the issue continues, check whether high dataplane CPU is causing the LACP flaps.
  5. If the Transmission Rate of the LACP PDUs is set to Fast, change the setting on both the local and the peer device to Slow. On the firewall this setting can be modified using GUI: Network > Interfaces > (select the ae port) > LACP > Transmission Rate. This will help in the case of latency issues.
  6. If the LACP PDUs are not being received on the firewall, the issue on the peer device needs to be troubleshot. Refer to the remote device vendor's documentation to troubleshoot it.
  7. If all of the above fails, open a case with Palo Alto Support.
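
To support step 1 on a longer log export, the following added example (not part of the original article and not Palo Alto tooling) parses system log lines in the format shown in the System Log excerpt and pairs each "moved out of" event with the next "moved into" event for the same port. The function names are hypothetical, and the sample lines beyond the article's two are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Matches the two message shapes shown in the article's System Log excerpt.
EVENT_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\s+.*?"
    r"LACP interface (?P<port>\S+) moved (?P<dir>out of|into) AE-group (?P<ae>\w+)"
)

def find_flaps(lines):
    """Pair each 'moved out of' event with the next 'moved into' event for the
    same (AE group, port). Returns ({(ae, port): [seconds_out, ...]}, pending)."""
    pending = {}                 # (ae, port) -> time the port left the group
    flaps = defaultdict(list)
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if not m:
            continue             # not an LACP membership message
        key = (m["ae"], m["port"])
        ts = datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S")
        if m["dir"] == "out of":
            pending.setdefault(key, ts)   # keep the earliest unmatched exit
        elif key in pending:
            flaps[key].append((ts - pending.pop(key)).total_seconds())
    return dict(flaps), pending  # pending = ports with no rejoin logged yet

def worst_ports(flaps):
    """Rank ports by flap count, then by total time spent out of the group."""
    return sorted(flaps, key=lambda k: (-len(flaps[k]), -sum(flaps[k])))

# Constructed sample: the first two lines follow the article's excerpt; the rest are made up.
SAMPLE = """\
2015/03/08 19:55:44 critical lacp    ethern nego-fa 0  LACP interface ethernet1/2 moved out of AE-group ae1. Selection state Selected
2015/03/08 19:55:45 critical lacp    ethern lacp-up 0  LACP interface ethernet1/2 moved into AE-group ae1.
2015/03/08 20:10:02 critical lacp    ethern nego-fa 0  LACP interface ethernet1/2 moved out of AE-group ae1. Selection state Selected
2015/03/08 20:11:02 critical lacp    ethern lacp-up 0  LACP interface ethernet1/2 moved into AE-group ae1.
2015/03/08 20:15:30 critical lacp    ethern nego-fa 0  LACP interface ethernet1/3 moved out of AE-group ae1. Selection state Selected
2015/03/08 20:16:00 informational general general 0  unrelated message
""".splitlines()

if __name__ == "__main__":
    flaps, still_out = find_flaps(SAMPLE)
    for ae, port in worst_ports(flaps):
        print(f"{ae} {port}: {len(flaps[(ae, port)])} flaps, durations {flaps[(ae, port)]}")
    for (ae, port), since in still_out.items():
        print(f"{ae} {port}: out of group since {since}, no rejoin logged")
```

A port that appears in the second result with no rejoin event has stayed out of the AE group rather than flapped, which points at the checks in steps 2 and 6 rather than intermittent PDU loss.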
