Single interface failing LACP negotiation after PAN-OS update

P.Betts — Tue, 05 Aug 2025 16:49:14 GMT

I'm having an issue with a single interface in an aggregate bundle failing LACP negotiations after updating one network's firewalls from PAN-OS 10.2.13 to 11.1.6.

I have two separate networks (Network A and Network B) each with two PA firewalls in Active/Passive HA. I have these firewalls cross connected to each other to provide a transit network between the networks for allowed traffic.

From the active firewall in network A, I have one interface connected to the active firewall in network B; I also have a second interface from the active firewall in network A connected to the passive firewall in network B. The link to the passive firewall in network B is the link that is failing.

Network-A(active) LACP: ********************************************************************************** AE group: ae6 Members: Bndl Rx state Mux state Sel state ethernet1/15 no Current Detached Unselected(Negotiation failed) ethernet1/16 yes Current Tx_Rx Selected Status: Enabled Mode: Active Rate: Slow Max-port: 8 Fast-failover: Disabled Pre-negotiation: Enabled Local: System Priority: 32768 System MAC: 3c:fa:30:92:6c:01 Key: 69 Partner: System Priority: 32768 System MAC: 60:15:2b:7e:82:01 Key: 69 Port State -------------------------------------------------------------------------------- Interface Port Number Priority Mode Rate Key State -------------------------------------------------------------------------------- ethernet1/15 30 32768 Active Slow 69 0x05 Partner 32 32768 Active Slow 69 0x0D ethernet1/16 31 32768 Active Slow 69 0x3D Partner 32 32768 Active Slow 69 0x3D Port Counters -------------------------------------------------------------------------------- Interface LACPDUs Marker Marker Response Error Sent Recv Sent Recv Sent Recv Unknown Illegal -------------------------------------------------------------------------------- ethernet1/15 8542 2965 0 0 0 0 0 0 ethernet1/16 8538 8504 0 0 0 0 0 0 Network-A(active)> show lldp neighbors ae6 Local information: Index 30 Local interface: ethernet1/15 Local Port ID: 15 Neighbor information: Chassis type: MAC address Chassis ID: 8c:36:7a:23:5d:66 Port type: Interface name Port ID: ethernet1/17 Port description: Link to Network-B TTL: 115 System name: Network-B(Passive) System description: Palo Alto Networks PA-3400 series firewall System capabilities: Supported: O, P, B, R, Enabled: O, R, Local information: Index 31 Local interface: ethernet1/16 Local Port ID: 16 Neighbor information: Chassis type: MAC address Chassis ID: 8c:36:7a:23:5d:9e Port type: Interface name Port ID: ethernet1/17 Port description: Link to Network-B TTL: 117 System name: Network-B(Active) System description: Palo Alto Networks PA-3400 series firewall System capabilities: Supported: O, P, B, R, Enabled: O, R,

Network B(Passive) LACP: ********************************************************************************** AE group: ae6 Members: Bndl Rx state Mux state Sel state ethernet1/17 no Current Attached Selected ethernet1/18 no Current Detached Unselected(Negotiation failed) Status: Enabled Mode: Active Rate: Slow Max-port: 8 Fast-failover: Disabled Pre-negotiation: Enabled Local: System Priority: 32768 System MAC: 60:15:2b:7e:6d:01 Key: 69 Partner: System Priority: 32768 System MAC: 3c:fa:30:92:6c:01 Key: 69 Port State -------------------------------------------------------------------------------- Interface Port Number Priority Mode Rate Key State -------------------------------------------------------------------------------- ethernet1/17 32 32768 Active Slow 69 0x0D Partner 30 32768 Active Slow 69 0x05 ethernet1/18 33 32768 Active Slow 69 0x05 Partner 30 32768 Active Slow 69 0x0D Port Counters -------------------------------------------------------------------------------- Interface LACPDUs Marker Marker Response Error Sent Recv Sent Recv Sent Recv Unknown Illegal -------------------------------------------------------------------------------- ethernet1/17 2903 2900 0 0 0 0 0 0 ethernet1/18 2903 2899 0 0 0 0 0 0 Network-B(passive)> show lldp neighbors ae6 Local information: Index 32 Local interface: ethernet1/17 Local Port ID: 17 Neighbor information: Chassis type: MAC address Chassis ID: 8c:36:7a:25:1f:76 Port type: Interface name Port ID: ethernet1/15 Port description: Link to Network-A TTL: 100 System name: Network-A(Active) System description: Palo Alto Networks PA-3400 series firewall System capabilities: Supported: O, P, B, R, Enabled: O, R, Local information: Index 33 Local interface: ethernet1/18 Local Port ID: 18 Neighbor information: Chassis type: MAC address Chassis ID: 8c:36:7a:25:1f:8a Port type: Interface name Port ID: ethernet1/15 Port description: Link to Network-A TTL: 99 System name: Network-A(Passive) System description: Palo Alto Networks PA-3400 series firewall System capabilities: Supported: O, P, B, R, Enabled: O, R,

I'm at a complete loss as to why this one interface suddenly keeps failing negotiation.

topic Single interface failing LACP negotiation after PAN-OS update in Next-Generation Firewall Discussions

Single interface failing LACP negotiation after PAN-OS update