Troubleshooting LACP Sub-Interfaces Communication Issues with Core Switches

Symptoms

LACP sub-interfaces are unable to communicate with the core switch, resulting in network connectivity issues.

Environment

Cisco IOS-based network environment with LACP configured on multiple sub-interfaces connected to a core switch.

Most Likely Causes

Misconfiguration of LACP settings, VLAN mismatches, or issues with physical connectivity can prevent sub-interfaces from communicating with the core switch.

What to Check First

1. Capture the affected source, destination, protocol, port, DNS name, VLAN or subnet, and exact error before changing policy.
2. Verify path, name resolution, authentication, and firewall policy separately so one symptom does not hide multiple failures.
3. Check whether the issue is isolated to one client, one subnet, one VPN profile, or every path.

Fix Steps

1. Verify LACP Configuration on Sub-Interfaces

   Check the LACP configuration on the sub-interfaces to ensure they are correctly set up.

   Example pattern only. Adjust for your environment before running.

   show running-config interface <sub-interface>
   show etherchannel summary

2. Check VLAN Configuration

   Ensure that the VLANs assigned to the sub-interfaces match the VLANs configured on the core switch.

   Example pattern only. Adjust for your environment before running.

   show vlan brief
   show interface <sub-interface> switchport

3. Inspect Physical Connectivity

   Examine the physical connections between the sub-interfaces and the core switch for any issues.

   Example pattern only. Adjust for your environment before running.

   show interfaces status
   show cdp neighbors

4. Monitor LACP Status

   Check the status of the LACP protocol to ensure it is operational.

   Example pattern only. Adjust for your environment before running.

   show lacp neighbor
   show lacp statistics

5. Test Connectivity

   Perform a ping test from the sub-interface to the core switch to verify connectivity.

   Example pattern only. Adjust for your environment before running.

   ping <core-switch-ip>

6. Review Logs for Errors

   Check the logs for any error messages related to LACP or interface issues.

   Example pattern only. Adjust for your environment before running.

   show logging | include LACP
   show logging | include error

Validation

• The same client and network path can reach the target after the change.
• Firewall, VPN, DHCP, DNS, or switch logs show allowed traffic or successful negotiation instead of the prior failure.
• A second path check confirms that the fix did not open unintended access or break another subnet.

Logs to Check

• Firewall, VPN, DNS, DHCP, or switch logs for the failing timestamp.
• Client resolver, route table, VPN client, or browser/network diagnostics.
• Packet capture or flow logs when policy and routing disagree.

Rollback and Escalation

• Export or screenshot the original policy, route, resolver, or interface configuration before changing it.
• Remove temporary allow rules, test DNS records, or route changes after validation.
• Restore the previous VPN profile, firewall rule, or switch configuration if reachability worsens.

Escalate When

• Escalate if the same error persists after rollback and a clean retry from the original failing path.
• Escalate if logs show authorization, data loss, certificate, replication, or production availability risk outside the local service owner scope.

Edge Cases

• If LACP is not enabled on the core switch, enable it and configure the corresponding settings.
• If VLANs are mismatched, reconfigure the VLAN settings on either the sub-interfaces or the core switch.

Notes from the Field

• Most network incidents need source and destination evidence. A successful test from an admin laptop does not prove the affected client path is fixed.
• For VPN and firewall changes, keep the blast radius narrow and time-box any temporary allow rule.