The system log on the Palo Alto Networks firewall generated a message that says one of the physical ports assigned to a given Aggregate Ethernet (AE) interface was taken out of the AE group and then brought back after a minute.
2015/03/08 19:55:44 critical lacp ethern nego-fa 0 LACP interface ethernet1/2 moved out of AE-group ae1. Selection state Selected 2015/03/08 19:55:45 critical lacp ethern lacp-up 0 LACP interface ethernet1/2 moved into AE-group ae1.
The aggregate interface has auto LACP enabled, which means that LACPDU messages are exchanged with a peer to dynamically negotiate LACP parameters and establish and maintain the AE interface status. LACPDU messages are sent out of every physical interface member of any given AE group.
LACP feature has 3 main state machines: Selection, MUX, and RX machine.
The RX machine examines data in the received LACPDUs and updates the peer’s state. If no LACPDU messages have been received by the peer device during the past 3 intervals the RX state machine for the given interface goes from CURRENT (operational) to EXPIRED (non-operational) status. This activity appears in the System log as an interface taken out of the AE group.
The firewall has a dedicated daemon on MP plane for LACP protocol called “l2ctrld.” Logs generated are stored in l2ctrld.log file in the var/log/pan folder. In the var/log/pan/ l2ctrld.log file you can see the following entries: