When LACP is configured on an AE group, System log messages on the firewall indicate that one of the physical ports assigned to a given Aggregate Ethernet (AE) interface is taken out of the AE group and then brought back after a minute.
System Log:
2015/03/08 19:55:44 critical lacp ethern nego-fa 0 LACP interface ethernet1/2 moved out of AE-group ae1. Selection state Selected
2015/03/08 19:55:45 critical lacp ethern lacp-up 0 LACP interface ethernet1/2 moved into AE-group ae1.
Environment
Palo Alto Firewall.
LACP (Link Aggregation Control Protocol) configured.
Cause
When an aggregate interface is enabled with LACP, LACP PDU (protocol data unit) messages are exchanged with the peer device to dynamically negotiate LACP parameters and establish or maintain the AE interface status. LACPDU messages are sent from every physical interface member of a given AE group.
The LACP feature has three main state machines: Selection, MUX, and RX.
The RX state machine processes data from received LACPDUs and updates the peer's state. If no LACPDU messages are received by the peer device for three consecutive intervals, the RX state machine for that interface transitions from CURRENT (operational) to EXPIRED (non-operational). This event is logged in the System log as the interface being taken out of the AE group.
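The timeout rule above is easy to misjudge in practice, so here is an added illustration of it as a small model (not Palo Alto Networks code). The only fact taken from the article is that the RX state machine expires after three consecutive intervals without a LACPDU; the interval lengths (1 s for the Fast transmission rate, 30 s for Slow, the 802.1AX defaults), the interface name ethernet1/2, and the simplification that one received LACPDU returns an EXPIRED member to CURRENT are assumptions of this example.

```python
"""Toy model of the LACP receive (RX) state-machine timeout described above.

Added example, not Palo Alto Networks code. Stated in the article: the RX
state machine expires after three consecutive intervals without a LACPDU.
Assumed here: a 1-second interval for the Fast rate and 30 seconds for Slow
(802.1AX defaults), and that a single received LACPDU returns an EXPIRED
member to CURRENT. The real standard has further states (for example
DEFAULTED) that this model leaves out.
"""
from dataclasses import dataclass, field

INTERVAL_SECONDS = {"fast": 1, "slow": 30}   # assumed 802.1AX defaults
MISSED_INTERVALS_BEFORE_EXPIRY = 3           # stated in the article


@dataclass
class RxStateMachine:
    interface: str
    rate: str = "fast"
    state: str = "CURRENT"
    last_pdu_at: int = 0
    transitions: list = field(default_factory=list)

    @property
    def timeout(self) -> int:
        """Seconds without a LACPDU before CURRENT becomes EXPIRED."""
        return MISSED_INTERVALS_BEFORE_EXPIRY * INTERVAL_SECONDS[self.rate]

    def tick(self, now: int, pdu_received: bool) -> str:
        """Advance the machine to second `now`; returns the resulting state."""
        if pdu_received:
            self.last_pdu_at = now
            if self.state != "CURRENT":
                self.state = "CURRENT"
                self.transitions.append((now, f"{self.interface} moved into AE-group"))
        elif self.state == "CURRENT" and now - self.last_pdu_at >= self.timeout:
            self.state = "EXPIRED"
            self.transitions.append((now, f"{self.interface} moved out of AE-group"))
        return self.state


def simulate(rate: str, lost_window: tuple, horizon: int = 150) -> list:
    """Run one AE member through `horizon` seconds of 1-second ticks.

    The peer sends a LACPDU every INTERVAL_SECONDS[rate] seconds starting at
    t=0; any PDU scheduled inside lost_window (inclusive, in seconds) is
    dropped. Returns the (second, message) transitions that would show up in
    the System log.
    """
    interval = INTERVAL_SECONDS[rate]
    sm = RxStateMachine(interface="ethernet1/2", rate=rate)  # name taken from the article's log
    for t in range(horizon + 1):
        scheduled = t % interval == 0
        lost = lost_window[0] <= t <= lost_window[1]
        sm.tick(t, pdu_received=scheduled and not lost)
    return sm.transitions


if __name__ == "__main__":
    # A 3-second loss of PDUs flaps a Fast-rate member but not a Slow-rate one.
    print("fast, short loss:", simulate("fast", (3, 5)))
    print("slow, short loss:", simulate("slow", (3, 5)))
    # A loss lasting longer than the Slow timeout (90 s) expires the member anyway.
    print("slow, long loss: ", simulate("slow", (30, 125)))
```

With the Fast rate, losing three consecutive PDUs takes the member out at second 5 and the next PDU brings it back at second 6, the same one-second out/in pair the article's log shows. With the Slow rate the same loss window falls between two scheduled PDUs and nothing happens, which is why moving both sides to Slow reduces flaps caused by brief PDU loss; a loss longer than 90 seconds still expires the member.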
Resolution
Because dropped LACP PDUs cause these flaps, the reason for the drops must be identified to resolve the issue.
Identify the Affected Port: Navigate to GUI: Monitor > Logs > System to check which port is being dropped and re-added to the aggregation.
Verify LACP PDU Reception: Use packet captures to confirm whether LACP PDUs are received on the affected port.
If LACP PDUs are being received but the issue persists: Check for port or cable issues. Swap the cable or port to isolate potential hardware failures.
Check Dataplane CPU Utilization: High dataplane CPU utilization can cause LACP flaps. Investigate system resource utilization and optimize as needed.
Adjust LACP Transmission Rate: If the Transmission Rate of the LACP PDUs is set to Fast, change it to Slow on both the local and the peer devices. On the firewall this setting can be modified using GUI: Network > Interfaces > (select the ae port) > LACP > Transmission Rate. This adjustment can help mitigate latency-related LACP issues.
Troubleshoot the Peer Device: If LACP PDUs are not received on the firewall, the issue most likely originates from the peer device. Refer to the remote device's vendor documentation for further troubleshooting.
Engage Palo Alto Networks Support: If all the above steps fail to resolve the issue, open a support case with Palo Alto Networks.
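For the first step (identifying the affected port), reading the System log by eye works for a handful of entries but not for a day of them. The following added example (not Palo Alto Networks code) parses log lines in the format quoted above, pairs each "moved out of" with the next "moved into" for the same member, and reports flap counts and outage lengths per AE member. The first two sample lines are the ones quoted in the article; the rest are constructed, and the message format is assumed to match the article's quoted lines.

```python
"""Summarise LACP member flaps from firewall System log lines.

Added example, not Palo Alto Networks code. The first two SAMPLE_LOG lines
are quoted from the article; the remaining lines are constructed to exercise
the parser. The line layout assumed here (timestamp, severity, subsystem,
event id, sequence number, then the 'LACP interface X moved out of/into
AE-group Y' text) is the one visible in the quoted lines.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

SAMPLE_LOG = """\
2015/03/08 19:55:44 critical lacp ethern nego-fa 0 LACP interface ethernet1/2 moved out of AE-group ae1. Selection state Selected
2015/03/08 19:55:45 critical lacp ethern lacp-up 0 LACP interface ethernet1/2 moved into AE-group ae1.
2015/03/08 20:02:10 critical lacp ethern nego-fa 0 LACP interface ethernet1/2 moved out of AE-group ae1. Selection state Selected
2015/03/08 20:02:13 critical lacp ethern lacp-up 0 LACP interface ethernet1/2 moved into AE-group ae1.
2015/03/08 20:15:00 critical lacp ethern nego-fa 0 LACP interface ethernet1/4 moved out of AE-group ae2. Selection state Selected
2015/03/08 20:15:02 critical lacp ethern lacp-up 0 LACP interface ethernet1/4 moved into AE-group ae2.
2015/03/08 20:30:00 informational general general 0 constructed unrelated message, must be ignored
"""

# Only the fields needed for flap analysis are captured; the trailing
# "Selection state ..." text on the 'moved out' lines is ignored.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) critical lacp \S+ (?P<eventid>\S+) \d+ "
    r"LACP interface (?P<iface>\S+) moved (?P<direction>out of|into) AE-group (?P<ae>[^\s.]+)"
)


@dataclass(frozen=True)
class LacpEvent:
    when: datetime
    ae: str
    iface: str
    direction: str   # "out" or "in"
    event_id: str    # e.g. nego-fa / lacp-up, as seen in the log


def parse_lacp_events(text: str) -> list[LacpEvent]:
    """Return the LACP membership events found in `text`, in file order."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an LACP membership message
        events.append(LacpEvent(
            when=datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"),
            ae=m["ae"],
            iface=m["iface"],
            direction="out" if m["direction"] == "out of" else "in",
            event_id=m["eventid"],
        ))
    return events


@dataclass
class FlapSummary:
    flaps: int = 0                      # completed out/in pairs
    longest_outage_seconds: float = 0.0
    still_out: bool = False             # last event was 'moved out' with no return yet


def summarize_flaps(events: list[LacpEvent]) -> dict[tuple[str, str], FlapSummary]:
    """Pair each 'out' with the next 'in' for the same (AE group, interface)."""
    summary: dict[tuple[str, str], FlapSummary] = defaultdict(FlapSummary)
    pending_out: dict[tuple[str, str], datetime] = {}
    for ev in sorted(events, key=lambda e: e.when):
        key = (ev.ae, ev.iface)
        s = summary[key]
        if ev.direction == "out":
            pending_out[key] = ev.when
            s.still_out = True
        elif key in pending_out:
            outage = (ev.when - pending_out.pop(key)).total_seconds()
            s.flaps += 1
            s.longest_outage_seconds = max(s.longest_outage_seconds, outage)
            s.still_out = False
    return dict(summary)


def most_flapping_member(summary: dict[tuple[str, str], FlapSummary]):
    """The (AE group, interface) to look at first, or None if nothing flapped."""
    if not summary:
        return None
    return max(summary, key=lambda k: (summary[k].flaps, summary[k].longest_outage_seconds))


if __name__ == "__main__":
    report = summarize_flaps(parse_lacp_events(SAMPLE_LOG))
    for (ae, iface), s in sorted(report.items()):
        print(f"{ae} {iface}: {s.flaps} flap(s), longest outage {s.longest_outage_seconds:.0f}s, "
              f"still out: {s.still_out}")
    print("start with:", most_flapping_member(report))
```

On the sample data the report points at ethernet1/2 in ae1 (two flaps, longest outage 3 s) ahead of ethernet1/4 in ae2; that is the port to capture LACP PDUs on and to swap cables for. A member that shows `still_out: True` at the end of the log has left the group and not returned, which is a different situation from a flap and usually means the peer side is no longer sending PDUs at all.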