Enhanced Security Measures in Place:   To ensure a safer experience, we’ve implemented additional, temporary security measures for all users.

PA-445 on PAN-OS 11.1.2-h3

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

PA-445 on PAN-OS 11.1.2-h3

L0 Member

First time posting so please bare with me.

 

Currently running into an issue that looks like a potential bug or an issues specifically with the PA-445 model (Support Case has been submitted and is in the works; but we'll see what happens) Two different PA-445s that we've tested with have shown this issue (both PAs are on PAN-OS 11.1.2-h3). Below is a very basic description of the setup:

 

On PA-445 - OSPF running on interface ethernet1/1 (SFP Port) connected to a Cisco Nexus N9K-C9508 via fiber.

  • on the N9K side, the interface shows "connected" and link appears to be up
  • on PA-445 side (both from CLI and Web GUI) interface ethernet1/1 shows down
  • looking at the system logs, I see a log message for an interface "ethernet1/12" which is what leads me to believe this is a bug because the PA-445 doesn't have an ethernet1/12.

All the troubleshooting I've done is replacing the SFP modules, replacing the fiber patches, trying different ports on the N9K (wish I could try swapping ports on the PA-445, but of course we can't cause there isn't another normal data SFP port available to test with. Who needs a management interface connected via fiber? Anyways...) trying on two separate PA-445s, and nothing. All SFP modules and fiber patches I've tested with work in other devices including other Palo Alto firewall models.

 

All the searching I've done on this kind of issue has proven fruitless. Has anyone else seen this type of thing? Attached is a screenshot of the system log message. When ethernet1/1 is plugged in, this message appeared in the system logs.When ethernet1/1 is plugged in, this message appeared in the system logs.

 

4 REPLIES 4

Cyber Elite
Cyber Elite

@Red_Lobster,

I would recommend opening a support case if you haven't already, but it displaying ethernet1/12 is certainly a bug no matter what. 

I already had one open and they responded back stating the logs showing ethernet1/12 is a known internal issue that will be addressed in PAN-OS 11.1.3 with a release date around mid-May, 2024.

They're still looking into ethernet1/1 not working via SFP.

 

I mainly asked this wondering if anyone else with these model NGFW have ran into any issues like it before I got the response from Support.

L1 Bithead

Hi @Red_Lobster

Did you maybe receive any feedback from support on your issue? 

We picking up a similar / (but not really) issue to yours.

Palo Alto connecting to Cisco switch, with 10GB SFP on both ends its working fine but as soon as you use a 25GB SFP (Palo Alto Approved SFP) on the Palo end the interface on the firewall shows down but up on the Cisco side. The Cisco side cant go 25GB hence the reason its 25GB to 10GB and because they bought 25GB SFP's for the Palo.

We tried using the 25GB SFP in both the 1GB/10GB interfaces and the 10/25GB interfaces but still nothing. 

The interface on the firewall does show "configured but down" and link speed 10000Mbps and Link Duplex Full even though the ports is set to auto so in some way there is some sort of communication but the interface still showing down. 

we tried to force the interface to "up" and the speed to 10000Mbps but still no joy. 

So the reason for my posting is just to find out if this is something similar to your issue and if you received any feedback. We also opened a TAC case so waiting for their response. 

L1 Bithead

Were you able to solve your problem?


Both SFP ports on my PA-455 are not working, I can't get SFPs to be detected.
I tried SFPs from several different manufacturers, but nothing worked.

Tested with different PAN-OS (11.1.2-h3, 11.2.1, 11.2.2-h1).

 

palo-cli-sfp.png

  • 2343 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!