topic Re: Firewall 4200 Series v7.4.2.1-30; vPC ACI port-channel suspended i in Network Security

Firewall 4200 Series v7.4.2.1-30; vPC ACI port-channel suspended issue

KelvinT — Wed, 07 May 2025 21:26:11 GMT

Firewall 4200 Series v7.4.2.1-30; vPC ACI port-channel suspended issue

Hello,

Have anyone successfully clustered 4200 Series FTD OS v7.4.2.1-30 on a ACI Leaf switch pair using vPC? I keep getting the switch port suspended causing the FTD cluster to disable the nodes. It does this because before the FTD can complete the clustering, the switch see the FTDs as different port-channel partners. i.e. it doesn't see the cluster as one device yet. As a result, the FTD cluster fails, the switch port channel is suspended.

https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/cluster/ftd-cluster-sec-fw.html

I have already tried different order of operations without success. I feel this is how it is suppose to work:

Configure port-channel for cluster control CCL
Configure the cluster adding the cluster control
add, non-configured data cluster node

Any idea?

Re: Firewall 4200 Series v7.4.2.1-30; vPC ACI port-channel suspended i

Marius Gunnerud — Thu, 08 May 2025 09:21:07 GMT

Have you by chance looked though through these documents during troubleshooting?

https://www.cisco.com/c/en/us/support/docs/cloud-systems-management/application-policy-infrastructure-controller-apic/218374-troubleshoot-virtual-port-channel-vpc.html

https://www.cisco.com/c/en/us/support/docs/cloud-systems-management/application-policy-infrastructure-controller-apic/218194-troubleshoot-aci-vpc.html

Hope they can point you in the right direction.

Re: Firewall 4200 Series v7.4.2.1-30; vPC ACI port-channel suspended i

KelvinT — Fri, 09 May 2025 12:37:12 GMT

Hello Marius and thanks.

I don't think the issue is on the ACI side per se. It seem to be the chicken and egg....which comes first.

- In order for the ACI switch to enable port-channel, it has to see the partner (FTD) as one device (i.e. the chicken must come first. hahaha..)

- In order for the FTD to form a cluster, the port-channel has to be up to communicate. (i.e. the egg must come first hahah...)

Thanks for that info though, but this seems or FTD related.

Re: Firewall 4200 Series v7.4.2.1-30; vPC ACI port-channel suspended i

KelvinT — Mon, 12 May 2025 18:52:03 GMT

Hi Cisco Community,

So the resolution is to correctly interpret the Cisco Document below. Hahaha...

https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/cluster/ftd-cluster-sec-fw.html

Summary:

The cluster control link (CCL) must use Device-local EtherChannels per FW
The data link, can be Spanned EtherChannels

By creating separate etherChannels for each FTD will, obviously, prevent the suspension of the ports on the switch side since it is the same partner (FTD unit). Once the CCL is established, all the FTD unit will appear as one unit on the data link to the switch, which will allow it to be configure as Spanned EtherChannels.

Problem solved. 🙂