LACP interface ethernet1/24 moved out of AE-group ae1

Showing results for 
Show  only  | Search instead for 
Did you mean: 

LACP interface ethernet1/24 moved out of AE-group ae1

L3 Networker

Hi Guys,

We are getting "LACP interface ethernet1/24 moved out of AE-group ae1" through syslog (emailed) multiple times in a day on PA 3410 running on PAN OS 10.2.3 in HA active/passive. The switch in use is Aruba 8320

Interesting the same msg is received from the passive device too (whereas its interface is in shutdown  mode)

l2ctrld.log has no error message and there is no other error msgs on the system logs. The ports seem to be working fine too.

Below is the last msg from the  l2ctrld.log


The ehmon brdagent logs have no errors related to this port 1/24.

Only thing is that this FW was replaced recently. (although the error started to come only after a month or so from migration). The Switch seems  to  be populating no errors too.

The only other error msgs i see is of "Hardware session Offloading disabled" (Although, I believe this has nothing to do with this LACP port moving out of the group)

Interesting the alerts also do not get disabled: (configuring below has no change in the alert-  I am wondering if this msg is from FW although the alert msg says it's coming from the FW)



Many Thanks,






L3 Networker

Hi @BPry ,

Even with the Port on the FW shutdown, we are still getting the "ethernet1/24 moved out of AE-group ae1" error. 😞

Cyber Elite
Cyber Elite


Just to verify; when you say that you're getting alerts through syslog emailed to you, you simply mean through your log- settings you have it set to email you correct? Do you have the system emailing you directly, or do you pass this to a SIEM and have that emailing you alerts?


I've answered this assuming that it's the first and that you have the firewall emailing you system-critical alerts and not passing those alerts through a SIEM. As long as that's the case, I think you'll have to open a TAC case and see if you aren't running into some sort of weird bug. The fact that you're still getting alerts when you've negated the subtype is just weird, and it shouldn't be happening.

Lastly have you verified that the alerts you're getting are actually present in the system logs? Just verifying that something hasn't gotten "stuck" and keeps resending alerts that the firewall itself isn't actually identifying. 

L3 Networker


Yes that is correct, there is no SIEM just the alerts sent directly through email.

There are no alerts in the logs surprisingly. 

Cyber Elite
Cyber Elite


If you aren't seeing the associated log on the device itself, it sounds like something with the log-receiver process is just continually stuck processing. You can try restarting that process itself via the 'debug software restart process log-receiver' and seeing if that clears things up if you haven't tried that already.

I've assumed that you've tried restarting both units to see if it clears things, but if not that would be my next step. If neither of those things work I'd definitely pass this to TAC to help troubleshoot. You shouldn't be getting email notices if you don't have an associated system log, so something is definitely not being processed properly. 

L3 Networker


Reboot resolved the issue 😄

Thanks a lot for your help and suggestions

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!