01-08-2023 08:12 PM - edited 01-10-2023 02:39 PM
Hi Guys,
We are getting "LACP interface ethernet1/24 moved out of AE-group ae1" through syslog (emailed) multiple times a day on a PA 3410 running PAN OS 10.2.3 in HA active/passive. The switch in use is an Aruba 8320.
Interestingly, the same msg is received from the passive device too (whereas its interface is in shutdown mode).
l2ctrld.log has no error message and there are no other error msgs in the system logs. The ports seem to be working fine too.
Below is the last msg from the l2ctrld.log
The ehmon brdagent logs have no errors related to this port 1/24.
The only thing is that this FW was replaced recently (although the error started to come only a month or so after the migration). The switch seems to be populating no errors either.
The only other error msgs I see are "Hardware session Offloading disabled" (although I believe this has nothing to do with this LACP port moving out of the group).
Interestingly, the alerts also do not get disabled (configuring the below makes no change in the alert; I am wondering if this msg is from the FW, although the alert msg says it's coming from the FW).
Many Thanks,
01-30-2023 01:51 PM
Hi @BPry ,
Even with the Port on the FW shutdown, we are still getting the "ethernet1/24 moved out of AE-group ae1" error. 😞
01-31-2023 06:37 AM
Just to verify: when you say that you're getting alerts through syslog emailed to you, you simply mean that through your log settings you have it set to email you, correct? Do you have the system emailing you directly, or do you pass this to a SIEM and have that emailing you alerts?
I've answered this assuming that it's the first and that you have the firewall emailing you system-critical alerts and not passing those alerts through a SIEM. As long as that's the case, I think you'll have to open a TAC case and see if you aren't running into some sort of weird bug. The fact that you're still getting alerts when you've negated the subtype is just weird, and it shouldn't be happening.
Lastly, have you verified that the alerts you're getting are actually present in the system logs? Just verifying that something hasn't gotten "stuck" and keeps resending alerts that the firewall itself isn't actually identifying.
02-02-2023 08:58 PM
Yes, that is correct; there is no SIEM, just the alerts sent directly through email.
There are no alerts in the logs surprisingly.
02-03-2023 09:58 AM
If you aren't seeing the associated log on the device itself, it sounds like something with the log-receiver process is just continually stuck processing. You can try restarting that process itself via the 'debug software restart process log-receiver' and seeing if that clears things up if you haven't tried that already.
I've assumed that you've tried restarting both units to see if it clears things, but if not that would be my next step. If neither of those things work I'd definitely pass this to TAC to help troubleshoot. You shouldn't be getting email notices if you don't have an associated system log, so something is definitely not being processed properly.