7 Replies Latest reply on Mar 27, 2015 12:59 PM by sliedl

    S2008 Hardware Errors

    grinder

      I changed my firewall configuration to use Link Aggregation.  I am using multiple interface ports as a single interface to accommodate bandwidth. Once I did that I get hardware errors in the audit logs.  See below.  Also, if I reboot the appliance the LAG interface does not come up.  I have to unplug all ethernet cables that make up the LAG interface.  Then plug them in one at a time.  Sometimes this works, sometimes not.  Sometimes it requires removing power from the appliance and restarting it to make it work correctly.  I never had any issues like this until I started using LAG for an interface.  Anyone else seen this before?  Anyone else using LAG successfully?


      I am running software version 8.3.2 Patch 06


      Error Message:


      2015-03-13 21:54:18 -0700 f_ipmi_daemon a_server t_hardware_failure p_critical

      pid: 1481 logid: 0 cmd: 'ipmid' hostname: MYFIREWALL

      comp_class: PhysSec comp_name: ipmi

      information: Fri Mar 13 21:54:17 2015  Physical Security (Chassis Intrusion) sensor 0x4: LAN Leash Lost asserted. LAN leash lost on NIC #255.  (raw data, starting with byte 1: 0x2 0x0 0x2 0xFA 0xBE 0x3 0x55 0x20 0x0 0x4 0x5 0x4 0x6F 0x4 0xFF 0xFF)
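The audit record above is a firewall audit line wrapping an IPMI System Event Log (SEL) entry, and its 16 raw bytes can be decoded independently of the text the daemon printed. The following Python is an added example, not code from the original post or from McAfee: it parses the audit prefix and the key/value fields, then decodes the SEL record according to the IPMI 2.0 record layout as I read it (record ID, record type, little-endian 32-bit timestamp, generator ID, EvM revision, sensor type 0x05 = Physical Security, sensor number, assertion/deassertion bit, three event-data bytes). The Physical Security offset table and the treatment of event data 2 (0xFF with an "unspecified byte 2" flag, which is where "NIC #255" comes from) are my reading of the spec, and the function names parse_audit, decode_sel and analyze are my own.

```python
import re
from datetime import datetime, timezone

# Audit record copied from the original post, joined onto one line.
AUDIT_RECORD = (
    "2015-03-13 21:54:18 -0700 f_ipmi_daemon a_server t_hardware_failure p_critical "
    "pid: 1481 logid: 0 cmd: 'ipmid' hostname: MYFIREWALL "
    "comp_class: PhysSec comp_name: ipmi "
    "information: Fri Mar 13 21:54:17 2015  Physical Security (Chassis Intrusion) "
    "sensor 0x4: LAN Leash Lost asserted. LAN leash lost on NIC #255.  "
    "(raw data, starting with byte 1: 0x2 0x0 0x2 0xFA 0xBE 0x3 0x55 0x20 0x0 0x4 "
    "0x5 0x4 0x6F 0x4 0xFF 0xFF)"
)

# Key names seen in this audit format. A fixed key list is used instead of a
# generic "word:" split because the 'information' value has colons of its own
# ("sensor 0x4:").
KEYS = ("pid", "logid", "cmd", "hostname", "comp_class", "comp_name", "information")
KV_RE = re.compile(r"(%s): (.*?)(?= (?:%s): |$)" % ("|".join(KEYS), "|".join(KEYS)))
RAW_RE = re.compile(r"\(raw data, starting with byte 1: ([0-9a-fA-Fx ]+)\)")

# IPMI 2.0 sensor-specific offsets for sensor type 0x05, Physical Security
# (my transcription of the spec table; only the offsets relevant here).
PHYS_SEC_OFFSETS = {
    0x00: "General Chassis Intrusion",
    0x01: "Drive Bay intrusion",
    0x02: "I/O Card area intrusion",
    0x03: "Processor area intrusion",
    0x04: "LAN Leash Lost",
    0x05: "Unauthorized dock",
    0x06: "FAN area intrusion",
}


def parse_audit(line):
    """Split the audit prefix (timestamp facility area type priority) and the
    'key: value' pairs that follow; the raw SEL bytes are returned as ints."""
    m = re.match(r"(\S+ \S+ \S+) (f_\w+) (a_\w+) (t_\w+) (p_\w+) (.*)$", line)
    if not m:
        raise ValueError("not a recognised audit record")
    rec = dict(zip(("timestamp", "facility", "area", "type", "priority"), m.groups()[:5]))
    rec.update(KV_RE.findall(m.group(6)))
    raw = RAW_RE.search(rec.get("information", ""))
    rec["raw"] = [int(b, 16) for b in raw.group(1).split()] if raw else []
    return rec


def decode_sel(raw):
    """Decode a 16-byte IPMI SEL system event record (IPMI 2.0 section 32.1
    layout as I read it): bytes 1-2 record ID, 3 record type (0x02), 4-7
    timestamp (LS byte first), 8-9 generator ID, 10 EvM rev, 11 sensor type,
    12 sensor number, 13 event dir/type, 14-16 event data 1..3."""
    if len(raw) != 16:
        raise ValueError("expected 16 SEL bytes, got %d" % len(raw))
    if raw[2] != 0x02:
        raise ValueError("not a type-0x02 system event record")
    ts = int.from_bytes(bytes(raw[3:7]), "little")
    sensor_type, sensor_num = raw[10], raw[11]
    direction_bit = raw[12] & 0x80   # bit 7: 0 = assertion, 1 = deassertion
    event_type = raw[12] & 0x7F      # 0x6F = sensor-specific discrete event
    ed1, ed2, ed3 = raw[13], raw[14], raw[15]
    offset = ed1 & 0x0F              # sensor-specific offset (0x04 = LAN Leash Lost)
    ed2_kind = (ed1 >> 6) & 0x03     # 00b = "event data 2 unspecified"

    if sensor_type == 0x05 and event_type == 0x6F:
        event = PHYS_SEC_OFFSETS.get(offset, "offset 0x%x" % offset)
    else:
        event = "sensor type 0x%02x offset 0x%x" % (sensor_type, offset)

    # For LAN Leash Lost the spec allows event data 2 to name the network
    # controller, but here event data 1 flags byte 2 as unspecified and the
    # byte is 0xFF, so no NIC is actually identified (the daemon prints the
    # raw value as "NIC #255"). Assumption: treat that combination as None.
    nic = ed2 if (offset == 0x04 and ed2_kind != 0 and ed2 != 0xFF) else None
    return {
        "record_id": raw[0] | (raw[1] << 8),
        # Treating the SEL timestamp as seconds since 1970 UTC lines up with
        # the audit line's own -0700 local timestamp.
        "timestamp_utc": datetime.fromtimestamp(ts, timezone.utc).isoformat(),
        "generator_id": raw[7] | (raw[8] << 8),
        "sensor_type": sensor_type,
        "sensor_number": sensor_num,
        "event": event,
        "asserted": direction_bit == 0,
        "event_data": (ed1, ed2, ed3),
        "nic": nic,
    }


def analyze(line):
    """Parse one audit record and, if it carries a SEL dump, decode it."""
    rec = parse_audit(line)
    rec["sel"] = decode_sel(rec["raw"]) if rec["raw"] else None
    return rec


if __name__ == "__main__":
    r = analyze(AUDIT_RECORD)
    s = r["sel"]
    print(r["hostname"], r["type"], r["priority"])
    print("%s %s on sensor 0x%x at %s, event data %s, NIC %s" % (
        s["event"], "asserted" if s["asserted"] else "deasserted",
        s["sensor_number"], s["timestamp_utc"], s["event_data"], s["nic"]))
```

Run against the record from the post, the decoder confirms what the text says (Physical Security sensor 4, offset 4 = LAN Leash Lost, assertion) and additionally shows that the SEL timestamp 0x5503BEFA is 2015-03-14 04:54:18 UTC, i.e. the same instant as the audit line's local time, and that the "NIC #255" is the 0xFF filler in event data 2 rather than a real port index. The same function distinguishes "asserted" from "deasserted" by bit 7 of byte 13, so a deassertion record (cable plugged back in) decodes with asserted=False.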

        • 1. Re: S2008 Hardware Errors
          sliedl

          The audit message you pasted means you unplugged the dedicated management port of this firewall, that's all.

          "LAN Leash Lost asserted" means you unplugged the cable from that port.
          "LAN Leash Lost deasserted" means you plugged the cable back into that port.


          Make sure you are not trying to use the mgr1 port for regular traffic (like this LAGG interface).

          • 2. Re: S2008 Hardware Errors
            grinder

            I find this strange as I never removed the management interface cable.


            What would cause the LAG ports to not work on a reboot unless I remove all the cables and plug them in one at a time about a minute apart?

            • 3. Re: S2008 Hardware Errors
              sliedl

              If the port simply loses link it may trigger that audit also.


              I don't have any guesses for your second question.  I suggest looking at tcpdumps and the audit and investigating the switch you are plugging the firewall into for any errors also.

              • 4. Re: S2008 Hardware Errors
                grinder

                This is a new Cisco switch set up for LAG and not using LACP, so it is a static LAG.  This switch is doing the same thing with connections to servers utilizing multiple ports and works just fine.  The firewall is the only one having an issue with using LAG.  From the administration console it will show all ports that make up the LAG interface as down when on the switch they are up and forwarding.  Physically on the firewall the port lights are on and blinking but the firewall sees them as down.  I am wondering how solid McAfee's use of Link Aggregation is altogether.  If I unplug all the cables for the LAG ports and add them one at a time, each time I add a new one the interface stops communicating for about 10 seconds.  I have never seen this on any other network equipment that utilizes LAG.  Just curious how many others are using this on the McAfee firewall without any issues.

                • 5. Re: S2008 Hardware Errors
                  sliedl

                  LAG on the McAfee firewall uses LACP and the Marker protocols defined by IEEE 802.1AX (formerly known as IEEE 802.3ad).  The peer can be a switch that supports LACP or another system that supports LACP when directly connected to the firewall using crossover cables.

                  • 6. Re: S2008 Hardware Errors
                    grinder

                    I stated it wrong.  The switch is using static LACP.  This was done because of what was stated in the firewall manual.

                    "Before you enable an Aggregate group on the firewall, make sure your connected switches are properly configured and segmented. Switches with dynamic LACP enabled might place all LACP traffic in the default VLAN. This can create a traffic loop in your network. To avoid this problem, configure your switch for static LACP (Aggregate) groups that are assigned to different segmented VLANs."

                    • 7. Re: S2008 Hardware Errors
                      sliedl

                      We receive almost no calls on LAGG interfaces in Support.  I do not see any recent bugs on LAGG interfaces either.  Customers do not ever call us to say "Everything works great," so the fact that we take little to no calls on LAGG interfaces means either no customers use it at all or that customers do use it and it works just fine.


                      I would troubleshoot your issue using the audit and tcpdumps.  Perhaps the audit filter 'acat -e "area Lagg"' would show you some helpful errors.  You can also roll the audit (rollaudit -R d -w) and then reboot the firewall.  Then check the firewall audit for errors related to the interfaces.