PA-3420 will not detect SFPs on any port

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

PA-3420 will not detect SFPs on any port

L6 Presenter

My backup PA-3420 in an HA peer will not detect SFPs or link on any port (including copper) but the management. The primary unit detects and links on multiple SFP slots with multiple different SFP types and brands. The same SFPs in the backup unit will not detect.

 

adrian.admin@PA_CorpEdge_A(active)> show system state | match sys.s1.p13.capability\|sys.s1.p13.phy

sys.s1.p13.capability: [ auto, 1Gb/s-full, 10Gb/s-full, ]
sys.s1.p13.phy: { 'duration': 3600, 'last-sample': 2024-01-08 15:24:27, 'link-partner': { }, 'media': SFP-Plus-Fiber, 'sfp': { 'ch1': { 'rx-power': 0.00 mW, 'tx-bias': 5.82 mA, 'tx-power': 0.60 mW, }, 'connector': LC, 'diagnostic-monitor': Yes, 'encoding': Reserved, 'ex-spec-compliance-code': 0x0, 'identifier': SFP, 'link-len-km': 0 km, 'link-len-m': 0 m, 'link-len-om1': 30 m, 'link-len-om2': 80 m, 'link-len-om3': 300 m, 'link-len-om4': 0 m, 'rx-power-alarm-hi': 2.00 mW, 'rx-power-alarm-lo': 0.03 mW, 'rx-power-warn-hi': 0.79 mW, 'rx-power-warn-lo': 0.03 mW, 'supply-voltage': 3.32 V, 'temp-alarm-hi': 85.00 C, 'temp-alarm-lo': -5.00 C, 'temp-warn-hi': 80.00 C, 'temp-warn-lo': 0.00 C, 'temperature': 26.48 C, 'transceiver': 10000B-SR, 'tx-bias-alarm-hi': 10.50 mA, 'tx-bias-alarm-lo': 2.50 mA, 'tx-bias-warn-hi': 10.50 mA, 'tx-bias-warn-lo': 2.50 mA, 'tx-power-alarm-hi': 2.00 mW, 'tx-power-alarm-lo': 0.13 mW, 'tx-power-warn-hi': 0.79 mW, 'tx-power-warn-lo': 0.32 mW, 'vendor-name': AVAGO           , 'vendor-part-number': AFBR-709SMZ-NA1 , 'vendor-part-rev': G4.1, 'vendor-serial-number': AA1723300NG    , 'voltage-alarm-hi': 3.60 V, 'voltage-alarm-lo': 3.00 V, 'voltage-warn-hi': 3.46 V, 'voltage-warn-lo': 3.13 V, }, 'type': Ethernet, }

peer.sys.s1.p13.capability: [ auto, 1Gb/s-full, 10Gb/s-full, ]
peer.sys.s1.p13.phy: { 'link-partner': { }, 'media': SFP-Plus-Empty, 'type': Ethernet, }

 

Am I missing something obvious here or is my backup unit broken?

3 REPLIES 3

L6 Presenter

OK... emergency averted... So apparently this is "by design" and seems completely broken-by-design to me. By default, in an HA pair, the backup unit will not initialize or link on any port, copper or SFP, when in a standby state. That means you have no way of knowing if the cables are connected or the SFP works, until the unit becomes the active unit of the HA pair... If also means you have no way of monitoring port status via network management (i.e. WhatsUp/OpenNMS/etc., did someone yank the wrong cable in the last 3 months?) and failing over will take longer because the links have to all initialize/come up before any failover can take place (flap prevention on the far side).

 

The fix is to go Device -> High Availability -> General -> Active/Passive Settings, and change Passive Link State from "Shutdown" to "Auto" on all the HA members.

" So apparently this is "by design" and seems completely broken-by-design to me. "

 

It's not a bad design.  You even mentioned in your final statement you can chose how the firewall behaves.  You have the option to had down the passive firewall dataplane interfaces or to have them be in an up state.

Cyber Elite
Cyber Elite

@Adrian_Jensen,

Just echoing what @Brandon_Wertz mentioned, but it's also the safer default setting that will work for everyone regardless of how they setup their device. It's often not the ideal configuration depending on your configuration, in fact I'd go as far as to say in most cases it isn't ideal, but it is the safest default option to set for everyone. 

  • 1166 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!