
LACP interface ethernet1/24 moved out of AE-group ae1


L4 Transporter

Hi Guys,

We are getting "LACP interface ethernet1/24 moved out of AE-group ae1" through syslog (emailed) multiple times a day on a PA-3410 running PAN-OS 10.2.3 in HA active/passive. The switch in use is an Aruba 8320.

Interestingly, the same message is received from the passive device too (whereas its interface is in shutdown mode).

l2ctrld.log has no error messages, and there are no other error messages in the system logs. The ports seem to be working fine too.

Below is the last message from the l2ctrld.log:

[screenshot attachment: l2ctrld.log excerpt]

The ehmon and brdagent logs have no errors related to port 1/24.

The only thing is that this FW was replaced recently (although the error only started to appear a month or so after the migration). The switch seems to be reporting no errors either.

The only other error message I see is "Hardware session offloading disabled" (although I believe this has nothing to do with this LACP port moving out of the group).

Interestingly, the alerts also do not get disabled: configuring the below makes no change to the alert. I am wondering if this message is really from the FW, although the alert message says it's coming from the FW.

[screenshot attachment: log-settings alert filter]

Many Thanks,

@S.Cantwell 

@OtakarKlier 

@BPry 

PrasKtmBoy

9 Replies

Community Team Member

Hi @Pras ,

Can you check the LACP logs? Please check if the links are leaving (changing states in) the LAG because of missed LACPDUs from the peer.

This could be a result of a transmission rate mismatch between the peers. Fast mode is very sensitive to network churn, and if no LACPDUs are received for 3 seconds, LACP will go down.

You can set the LACP transmission rate to Slow so as not to miss PDUs or LACP updates, which is a fairly sensitive setting in Fast mode.

Hope this helps.

-Kiwi.

L4 Transporter

Hi @kiwi 

Thanks for the reply.

There are no missed LACPDUs, and the LACP Tx rate is slow. The peer is an Aruba switch.

We receive "LACP interface ethernet1/24 moved out of AE-group ae1. Selection state Unselected(Link down)" constantly, and strangely there are no logs generated in the firewall (System/Monitor logs).

The l2ctrld log has the below (the whole pattern in curly brackets repeats, with no other errors in between), and I wonder if this is the syncing message to the passive device.

Interestingly, the passive FW is also throwing the same error, whereas its (ethernet) ports are not even up. I do not see any bugs of this kind reported either.

[screenshot attachment: l2ctrld.log excerpt]

Any help will be much appreciated.

Many Thanks,

PrasKtmBoy

Cyber Elite

@Pras,

The alert filter that you have set up under your 'system-critical' entry should definitely be preventing the firewall from sending you alerts about these lacp-up/link-down events.

Was there a period when the 3410 was functioning properly without these messages, or did they show up as soon as you installed the 3410?

L4 Transporter

Hi @BPry 

Thanks for the reply. These were installed in early December and were working fine until the start of January, when the messages started popping up. I'm very surprised that the filters are not blocking the messages and that the errors are coming from the passive FW too (eth ports are not even up).

Many Thanks,

PrasKtmBoy

L4 Transporter

Hi @BPry ,

Even with the port on the FW shut down, we are still getting the "ethernet1/24 moved out of AE-group ae1" error. 😞

PrasKtmBoy

Cyber Elite

@Pras,

Just to verify: when you say that you're getting alerts through syslog emailed to you, you simply mean that through your log settings you have it set to email you, correct? Do you have the system emailing you directly, or do you pass this to a SIEM and have that emailing you alerts?

I've answered this assuming that it's the first, and that you have the firewall emailing you system-critical alerts rather than passing those alerts through a SIEM. As long as that's the case, I think you'll have to open a TAC case and see whether you aren't running into some sort of weird bug. The fact that you're still getting alerts when you've negated the subtype is just weird, and it shouldn't be happening.

Lastly, have you verified that the alerts you're getting are actually present in the system logs? Just verifying that something hasn't gotten "stuck" and keeps resending alerts that the firewall itself isn't actually identifying.
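Two checks come up in this thread: Kiwi's suggestion to look at whether the member is actually churning in and out of the LAG, and BPry's suggestion to confirm that every emailed alert has a matching entry in the on-box system log. The script below is an added example, not code from the thread or from Palo Alto Networks, that does both over constructed sample lines. The timestamp and hostname prefix is an assumed syslog layout; the message body is modelled on the text quoted in the thread. The flap threshold and window are arbitrary choices for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines as they might arrive at a mail/syslog collector.
# Prefix layout ("<iso-timestamp> <host> <message>") is an assumption, not a
# PAN-OS format reference; the LACP message text mirrors the thread.
EMAILED_ALERTS = """\
2023-01-09T10:00:01 fw-a LACP interface ethernet1/24 moved out of AE-group ae1. Selection state Unselected(Link down)
2023-01-09T10:00:07 fw-a LACP interface ethernet1/24 moved out of AE-group ae1. Selection state Unselected(Link down)
2023-01-09T10:00:15 fw-b LACP interface ethernet1/24 moved out of AE-group ae1. Selection state Unselected(Link down)
2023-01-09T10:01:02 fw-a LACP interface ethernet1/24 moved out of AE-group ae1. Selection state Unselected(Link down)
2023-01-09T10:05:30 fw-a LACP interface ethernet1/23 moved out of AE-group ae1. Selection state Unselected(Link down)
2023-01-09T10:06:00 fw-a Hardware session offloading disabled
"""

# Constructed export of the firewall's own system log: only one of the emailed
# events actually exists on the box (the situation described in the thread).
ONBOX_SYSTEM_LOG = """\
2023-01-09T10:00:01 fw-a LACP interface ethernet1/24 moved out of AE-group ae1. Selection state Unselected(Link down)
"""

LACP_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) LACP interface (?P<iface>\S+) "
    r"moved out of AE-group (?P<ae>\S+)"
    r"(?:\. Selection state (?P<state>.+))?$"
)


def parse_lacp_events(text):
    """Extract LACP 'moved out of AE-group' events; unrelated lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LACP_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "host": m["host"],
            "iface": m["iface"],
            "ae": m["ae"],
            "state": m["state"],
        })
    return events


def flap_summary(events, window=timedelta(minutes=5), threshold=3):
    """Per (host, interface, AE group): total events, peak count inside any
    sliding window, and whether that peak reaches the flap threshold."""
    by_key = defaultdict(list)
    for e in events:
        by_key[(e["host"], e["iface"], e["ae"])].append(e["ts"])
    summary = {}
    for key, stamps in by_key.items():
        stamps.sort()
        peak, start = 0, 0
        for i, t in enumerate(stamps):
            while t - stamps[start] > window:   # slide window forward
                start += 1
            peak = max(peak, i - start + 1)
        summary[key] = {"count": len(stamps), "peak_in_window": peak,
                        "flapping": peak >= threshold}
    return summary


def alerts_without_system_log(alert_events, system_events):
    """Emailed alerts with no matching on-box entry (same host, interface,
    timestamp). A non-empty result points at the alerting path, not the link."""
    seen = {(e["host"], e["iface"], e["ts"]) for e in system_events}
    return [e for e in alert_events if (e["host"], e["iface"], e["ts"]) not in seen]


if __name__ == "__main__":
    alerts = parse_lacp_events(EMAILED_ALERTS)
    for key, s in flap_summary(alerts).items():
        print(key, s)
    orphans = alerts_without_system_log(alerts, parse_lacp_events(ONBOX_SYSTEM_LOG))
    print(f"{len(orphans)} emailed alert(s) have no matching system log entry")
```

If `flap_summary` reports real churn, the LACP rate and the peer's view of the LAG are the place to look; if `alerts_without_system_log` returns events, the firewall's own log does not back the emails, which is the symptom that led to restarting the log-receiver process here.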

L4 Transporter

@BPry 

Yes, that is correct; there is no SIEM, just the alerts sent directly through email.

There are no alerts in the logs, surprisingly.

PrasKtmBoy

Cyber Elite

@Pras,

If you aren't seeing the associated log on the device itself, it sounds like something with the log-receiver process is just continually stuck processing. You can try restarting that process itself via 'debug software restart process log-receiver' and seeing if that clears things up, if you haven't tried that already.

I've assumed that you've tried restarting both units to see if that clears things, but if not, that would be my next step. If neither of those things works, I'd definitely pass this to TAC to help troubleshoot. You shouldn't be getting email notices if you don't have an associated system log, so something is definitely not being processed properly.

L4 Transporter

@BPry 

Reboot resolved the issue 😄

Thanks a lot for your help and suggestions.

PrasKtmBoy
  • 1 accepted solution
  • 10023 Views
  • 9 replies
  • 0 Likes