topic Re: Trunked Etherchannel between switch and Firepower 4120 in Network Security

Trunked Etherchannel between switch and Firepower 4120

Brian Green — Wed, 19 Jun 2019 12:39:34 GMT

I am having issues creating an Trunked Etherchannel between a switch and an ASA firepower 4120. I have an etherchannel up that is an access etherchannel and it works fine, the problem comes when I try to trunk it. I have tried a non-etherchannel trunk port and it works too. This is my first setup of a firepower device with the ASA software, so I was wondering if anyone else has experience or knowledge of why this will not work.

The configs seem pretty straight forward, but I may have missed something.

For the switch I have the interfaces configured like this:

interface TenGigabitEthernet1/1/5
switchport trunk native vlan 100
switchport trunk allowed vlan 180
switchport mode trunk
switchport nonegotiate
channel-group 1 mode active
spanning-tree portfast disable
spanning-tree bpduguard disable

!port channel like this

interface Port-channel1
switchport trunk native vlan 100
switchport trunk allowed vlan 180
switchport mode trunk
switchport nonegotiate
spanning-tree portfast disable
spanning-tree bpduguard disable

___________________________

on the Firepower Chassis manager I bundled two ports into an etherchannel and set them to enable

on the ASA software, I did the following

interface Port-channel2
no nameif
no security-level
no ip address
!
interface Port-channel2.180
vlan 180
nameif outside
security-level 0
ip address x.x.x.x m.m.m.m

______________________________

on the switch, after a no shut, I get the following error and the Etherchannel does not start:

%LINK-3-UPDOWN: Interface Port-channel1, changed state to down
%LINK-3-UPDOWN: Interface TenGigabitEthernet1/1/5, changed state to up
%LINK-3-UPDOWN: Interface TenGigabitEthernet1/1/6, changed state to up
%ETC-5-L3DONTBNDL2: Te1/1/5 suspended: LACP currently not enabled on the remote port.
%ETC-5-L3DONTBNDL2: Te1/1/6 suspended: LACP currently not enabled on the remote port.

Any ideas on what has been missed, or what could be causing the issue?

Re: Trunked Etherchannel between switch and Firepower 4120

GRANT3779 — Wed, 19 Jun 2019 13:05:33 GMT

Looking at the Output it seems one end of the Port-Channel (switch) is set to LACP (Active). The other end (ASA / Firepower) may have defaulted to "On" meaning the ether channel won't form.

As a test you could amend the switch end to "on" rather than active and force it up. Or preferably double check the ASA end and ensure it is at least set to understand LACP.

Re: Trunked Etherchannel between switch and Firepower 4120

Brian Green — Wed, 19 Jun 2019 13:40:54 GMT

I have set the switch to on and the switch side comes up, but not the ASA/Firepower side. I read in documentation that FXOS requires LACP. The access port etherchannel that I have currently would not come up until I made it "active" instead of "on".

How do I make sure the ASA (or maybe even FXOS) understands LACP?

Re: Trunked Etherchannel between switch and Firepower 4120

GRANT3779 — Wed, 19 Jun 2019 14:14:57 GMT

Yeah it looks like your chassis only supports LACP Active.

Looking at the documentation -

"When the Firepower 4100/9300 chassis creates an EtherChannel, the EtherChannel stays in a Suspended
state until you assign it to a logical device, even if the physical link is up.

Re: Trunked Etherchannel between switch and Firepower 4120

Brian Green — Wed, 19 Jun 2019 15:03:44 GMT

The physical link is up and the channel-group is set to active and it is also associated to a logical device (ASA), however it is still appearing down.

Re: Trunked Etherchannel between switch and Firepower 4120

GRANT3779 — Wed, 19 Jun 2019 16:19:06 GMT

On the ASA cli itself have you configured the following for your port channel?

channel-group channel_id mode active

Re: Trunked Etherchannel between switch and Firepower 4120

Brian Green — Wed, 19 Jun 2019 17:02:04 GMT

I have not. the CLI of the ASA does not show the interfaces that are associated with the PortChannel, only the portchannel itself since the Portchannel is configured from the chasis.

show int | i Interface

Interface Port-channel2 "", is down, line protocol is down
Interface Port-channel2.180 "outside", is down, line protocol is down

Re: Trunked Etherchannel between switch and Firepower 4120

GRANT3779 — Wed, 19 Jun 2019 17:53:16 GMT

In fxos, did you set the port type to data for the port channel?
set port-type data

Also, on the fxos what is output from show port-channel?

scope eth-uplink
scope fabric a
show port-channel

Re: Trunked Etherchannel between switch and Firepower 4120

Brian Green — Wed, 19 Jun 2019 19:04:26 GMT

yes, it is set to type Data

show port-channel

Port Channel:
Port Channel Id Name Port Type Admin State Oper State State Reason
--------------- ---------------- ------------------ ----------- ---------------- ------------
2 Port-channel2 Data Enabled Failed No operational members
48 Port-channel48 Cluster Disabled Admin Down Administratively down

Re: Trunked Etherchannel between switch and Firepower 4120

GRANT3779 — Wed, 19 Jun 2019 19:50:02 GMT

Has the ASA service module been rebooted since the ports were assigned to it and port channel created?

Re: Trunked Etherchannel between switch and Firepower 4120

Brian Green — Fri, 21 Jun 2019 17:42:19 GMT

Grant,

Thank you very much for looking at this form me.

I found that etherchannels in the code I was using were not stable. I ended up updating FXOS from 2.2.2.17 to 2.4.1.214 and ASA from 9.8.2 to 9.8.4.

This allowed me to go from an "active" LACP state to an "on" state in the etherchannel from the FCM, and everything came up.

Re: Trunked Etherchannel between switch and Firepower 4120

GRANT3779 — Fri, 21 Jun 2019 19:00:16 GMT

Hi Brian,

Thanks for the update. Always good to find out what the fix was to help others who might come across funny ones like this. Glad it's all working.