[UPDATED] Issue with the new Palo Alto PA-3060 and 10GbE

We recently purchased a pair of new Palo Alto PA-3060 Next-Gen firewalls and I was horrified that the 10GbE ports did not work as expected during our tests. We found a hilarious (sic) bug when configuring the LACP aggregates. The problem was very simple, but really really really really boring. If we created three or more LACP aggregates, the Ethernet1/17 port stopped working. All traffic to or from this port was dropped and the MAC address of the Palo Alto was no longer recognized on the other side (in our case a pair of Cisco Nexus switches). For context, this firewall has only two 10GbE interfaces, Ethernet1/17 and Ethernet1/18…


The bug was easy to reproduce, because just using the name ae3 or ae4 will tear down the Ethernet1/17 interface… After a long exchange with support, a bug was found and identified, and it will be corrected in the coming weeks with the release of PAN-OS 6.1.3. The PA-3060 is new, but it’s difficult to understand how a stupid bug like this can occur.

[UPDATE] The problem is now fixed in PAN-OS 6.1.3, which was released last week.
