...
The Firewall Device Manager (FDM) does not enable auto-negotiation (AN) for port-channel interfaces containing member interfaces with Small Form-factor Pluggable (SFP) transceivers. Depending on the peer device, interface, SFP configuration or type, the port-channel interface may be down on either side.

In this example, Ethernet1/9 with an SFP transceiver is added as a member interface of port-channel interface 1. After the policy deployment, auto-negotiation for the port-channel interface is disabled:

connect fxos
....
scope eth-link
scope fabric a
scope port-channel 1
show configuration

firepower /eth-uplink/fabric/port-channel # show configuration
 enter port-channel 1
     enable
     enter member-port 1 9
         enable
     exit
     set auto-negotiation no <------------
     set descr ""
     set duplex fullduplex
     set flow-control-policy default
     set lacp-policy-name default
     set nw-control-policy default
     set port-channel-mode active
     set port-type data
     set speed 1gbps
 exit

Because auto-negotiation is inactive, the interfaces on the peer device side are in the down/down state:

SW#show int te1/9
TenGigabitEthernet1/9 is down, line protocol is down (notconnect) <--------
  Hardware is Ten Gigabit Ethernet Port, address is a89d.2108.2c68 (bia a89d.2108.2c68)
  MTU 1500 bytes, BW 1000000 Kbit/sec, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
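To find affected port-channels before the peer link goes down, the FXOS show configuration output above can be audited for the defect condition (auto-negotiation set to no on a port-channel with an SFP member). The following is an added example, not Cisco code or part of this bug report: it parses the indented FXOS object tree into port-channel records and flags channels matching the condition. The sample configuration is constructed from the output shown above, and the set of ports carrying SFP transceivers (SFP_PORTS) is an assumption, since show configuration does not reveal transceiver type; the peer_notconnect helper checks the first line of a peer switch show interface output for the notconnect state the page describes.

```python
"""Audit an FXOS 'show configuration' dump for port-channels that have
auto-negotiation disabled while a member port carries an SFP transceiver.

Added example, not Cisco's code. The sample dump is constructed from the
output on this page; which ports carry SFPs is an assumption (SFP_PORTS).
"""

import re
from dataclasses import dataclass, field

# Constructed sample, modelled on the page's output for port-channel 1.
SAMPLE_CONFIG = """\
firepower /eth-uplink/fabric/port-channel # show configuration
 enter port-channel 1
     enable
     enter member-port 1 9
         enable
     exit
     set auto-negotiation no
     set descr ""
     set duplex fullduplex
     set flow-control-policy default
     set lacp-policy-name default
     set nw-control-policy default
     set port-channel-mode active
     set port-type data
     set speed 1gbps
 exit
"""

# Constructed sample of the peer switch output shown on the page.
SAMPLE_PEER = """\
TenGigabitEthernet1/9 is down, line protocol is down (notconnect)
  Hardware is Ten Gigabit Ethernet Port, address is a89d.2108.2c68 (bia a89d.2108.2c68)
"""

# Assumption: Ethernet1/9 carries a 1G SFP, as the page states for this example.
SFP_PORTS = {"Ethernet1/9"}


@dataclass
class PortChannel:
    pc_id: int
    members: list = field(default_factory=list)   # "Ethernet<slot>/<port>"
    settings: dict = field(default_factory=dict)  # 'set <key> <value>' pairs


def parse_port_channels(text):
    """Walk the indented FXOS object tree and collect port-channel objects."""
    channels = []
    current = None
    depth = 0  # nesting of 'enter' blocks; 1 == directly inside a port-channel
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"enter port-channel (\d+)$", line)
        if m:
            current = PortChannel(pc_id=int(m.group(1)))
            channels.append(current)
            depth = 1
            continue
        if current is None:
            continue  # prompt line or text outside any port-channel object
        m = re.match(r"enter member-port (\d+) (\d+)$", line)
        if m:
            current.members.append(f"Ethernet{m.group(1)}/{m.group(2)}")
            depth += 1
            continue
        if line == "exit":
            depth -= 1
            if depth == 0:
                current = None
            continue
        m = re.match(r"set (\S+)\s*(.*)$", line)
        if m and depth == 1:
            # Only port-channel level settings; member-port blocks carry none here.
            current.settings[m.group(1)] = m.group(2).strip('"')
    return channels


def find_affected(channels, sfp_ports):
    """Return (pc_id, sfp members, speed) for channels matching the defect
    condition: auto-negotiation disabled and at least one SFP member port."""
    hits = []
    for pc in channels:
        sfp_members = [p for p in pc.members if p in sfp_ports]
        if pc.settings.get("auto-negotiation") == "no" and sfp_members:
            hits.append((pc.pc_id, sfp_members, pc.settings.get("speed")))
    return hits


def peer_notconnect(show_interface_output):
    """True when the first line of an IOS 'show interface' output reports the
    down/down 'notconnect' state seen on the peer switch in this bug report."""
    first = show_interface_output.strip().splitlines()[0]
    return "is down, line protocol is down (notconnect)" in first


if __name__ == "__main__":
    for pc_id, members, speed in find_affected(parse_port_channels(SAMPLE_CONFIG), SFP_PORTS):
        print(f"port-channel {pc_id}: auto-negotiation no, speed {speed}, SFP members {members}")
    print("peer notconnect:", peer_notconnect(SAMPLE_PEER))
```

Feed the script the real show configuration output captured from connect fxos and replace SFP_PORTS with the slots that actually hold SFP transceivers on the chassis; any channel it reports should be checked against the peer switch with show interface before assuming the link is healthy.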
First seen when all of the following conditions are true:
1. FDM-managed Secure Firewall Threat Defense (FTD).
2. Port-channel interfaces containing member interfaces with 1G SFP transceivers.
Permanent workaround: Disable negotiation on the peer side. For example, run the speed nonegotiate command under the port-channel interface:

C4500(config)#interface port-channel 13
C4500(config-if)#speed ?
  10           Force 10 Mbps operation
  100          Force 100 Mbps operation
  nonegotiate  Do not negotiate speed
C4500(config-if)#speed nonegotiate

Temporary workaround:
1. Remove the member interfaces (A) from the port-channel interface and temporarily add another interface (B), preferably Ethernet1/x.
2. Deploy policies. At this point, the previous member interfaces (A) are administratively disabled.
3. Enable the previous member interfaces (A) and deploy policies. At this point, the previous member interfaces usually become administratively and operationally enabled.
4. Remove the temporary interface (B) from the port-channel interface and re-add the previous member interfaces (A). Deploy policies.
5. The port-channel and its members are now administratively and operationally enabled.
These steps must be repeated each time the port-channel interface is disabled and re-enabled on either peer.
1. If auto-negotiation is mismatched between the peer devices, the member interfaces may be down/down on one peer while up/up on the other.
2. If the same FTD becomes managed by the Secure Firewall Management Center (FMC) instead of FDM, auto-negotiation for the port-channel interface is enabled.
3. The symptoms of this defect are not observed on port-channel interfaces with non-SFP members, such as built-in Eth1/x interfaces with RJ45.