@OtakarKlier, yes and no. We have open tickets with PAN and the carriers involved. We have 12 sites and have over the last year replaced all the previous firewalls with PAN 3020s. During this same timeframe we have been performing circuit upgrades on both MPLS and IPSEC (internet), we still have one MPLS and one IPSEC to convert actually. ISP upgrades (all MPLS and some IPSEC) have included Ciena switches on copper ports (CLink has been replacing most of their existing equipment and not doing bandwidth upgrades on existing). We first turned all the sites up on the IPSEC and towards the end have been moving the primary internal connections to the MPLS (due to the ratio of sites on the new vs old firewalls and one MPLS circuit). I have dealt with Cienas before but always on fiber, never copper. Yes, the majority of the connections have been running 100/Half. Setting the MPLS ports to 100/Full with all the new Cienas has fixed most of the problems (there are some sites we are sure are carrier problems now). The difficulty on this was the upgrade disparity of both firewall and bandwidth, along with the sporadic reporting/duration from users. We have not been in the CLI checking physical ports in months as early on negotiation seemed fine. Nothing in the GUI or our reporting tools showed interface problems and there were no errors or excessive drops on ports. We saw some circuit problems before we did the PAN upgrades but most showed up after the PAN upgrades. Unfortunately the metrics that are monitored don't show high bandwidth limitations (things like ping for example). We had to rely on the end users complaints and provided timeframes. Usage per site was also a factor on whether users noticed or not. Reports of this user but not that user having problems also made us look at internal networking. It wasn't till recently we started reporting on backup timeframes and iperf logging, this also correlated with Citrix scanning and printing (scanning from site to Citrix while printing was from Citrix to site). On IPSEC scanning was bad (inconsistently) and on MPLS printing was bad (inconsistently). Our primary site is on a Ciena for MPLS but on a Cisco for IPSEC, this site never saw IPSEC problems. An annoying side note. Because we checked port configurations early on and did not see negotiation problems we did not go back to it because there were no other L1 interface problems. All other conversations (ISPs, PAN support, etc) related to this have not come back to this either (CLink didn't even bring it up during the upgrades). When I checked the ports based on @pulukas suggestion I didn't initially check the negotiation, I checked the errors/drops. In the GUI you can see the interface status, either on the dashboard (if you have the Interfaces widget added) or under networking -> interfaces -> ethernet. In both cases mouse over the interface and a popup will show the stats, I have looked for this since we figured out the problem (interfaces will be Green if connected or Red if not, there is no Yellow/Orange for "UP but problems").
... View more