Cisco Firepower firewall ports are not connecting to Nexus 9500

Beginner

Our two Cisco firewalls (Cisco ASA on Firepower, active/standby) are currently connected to two Catalyst 6509s.

We want to move these firewalls to Nexus 9500s.

When we connected the ASA ports to the Nexus, the ports on the Nexus showed "connected" but the ports on the firewall appeared down. Bouncing ports on either side did not help. Taking the ports out of the port-channels and bouncing them did not help either. We rebooted the standby firewall to see if its ports would connect, but that did not work.

 

We opened a case with Cisco. They checked the Nexus side and the firewall side, but did not find any misconfigurations or issues.

Here is a list of troubleshooting steps I completed today, but nothing worked.

  1. Set the Nexus side to the port-channel configuration. Reboot the firewall.
  2. Remove the VLAN configuration from two ports on the N9Ks. Bounce the ports on both sides (Nexus and FW).
  3. Remove the port-channel config on the Nexus. Remove the FW ports from the port-channel and assign them to a logical device. Bounce the ports.
  4. Reboot.
  5. Shut the ports on both sides. Apply "lacp graceful-convergence" on the Nexus side. Enable the Nexus ports. Enable the FW. The LACP ports become suspended. The FW ports are still down.

 

Error on the Nexus side:

lacp: fu_fsm_execute_all: done processing event LACP_EV_PERIODIC_TRANSMIT_TIMER_EXPIRED

 

I attached an example diagram of one firewall and its two ports being connected to both Nexuses. I am currently working on troubleshooting connectivity of two firewall ports (standby firewall) to the two Nexuses.

 

Any ideas?

 

Thanks

 

Tanya

[Attachment: Firewall problem.jpg]
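As an added example that is not part of the original post: a small parser for NX-OS "show port-channel summary" output that lists every member port that is not up (P) in its bundle, so the suspended (s) members from step 5 above can be pulled out of a "show tech" instead of eyeballed. The sample output below is constructed for the example, not captured from the poster's switches, and the column layout is assumed to match the usual NX-OS format (group, Po name with flags, type, protocol, members with one-letter flags, with overflow members wrapped onto continuation lines).

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of NX-OS "show port-channel summary" output (NOT from the
# poster's devices). Po20 mirrors the symptom in step 5 of the post: both LACP
# members toward the firewall are suspended (s) because the switch receives no
# LACP PDUs from a peer whose ports never come up. Po30 shows a plain Down (D)
# member on a static (protocol NONE) bundle for contrast.
SAMPLE_SUMMARY = """\
Flags:  D - Down        P - Up in port-channel (members)
        I - Individual  H - Hot-standby (LACP only)
        s - Suspended   r - Module-removed
        b - BFD Session Wait
        S - Switched    R - Routed
        U - Up (port-channel)
        p - Up in delay-lacp mode (member)
        M - Not in use. Min-links not met
--------------------------------------------------------------------------------
Group Port-       Type     Protocol  Member Ports
      Channel
--------------------------------------------------------------------------------
10    Po10(SU)    Eth      LACP      Eth1/1(P)    Eth1/2(P)
20    Po20(SD)    Eth      LACP      Eth1/3(s)    Eth1/4(s)
30    Po30(SU)    Eth      NONE      Eth1/5(P)    Eth1/6(D)
                                     Eth1/7(P)
"""

# One member column: "Eth1/3(s)" -> ("Eth1/3", "s"); breakout ports (Eth1/3/1) allowed.
MEMBER_RE = re.compile(r"(Eth\d+/\d+(?:/\d+)?)\(([A-Za-z])\)")
# A port-channel row: group, Po name, bundle flags, type, protocol, then members.
PO_RE = re.compile(r"^(\d+)\s+(Po\d+)\(([A-Za-z]+)\)\s+\S+\s+(\S+)\s+(.*)$")

# Meaning of the one-letter member flags, taken from the legend NX-OS prints.
MEMBER_FLAG_MEANING = {
    "P": "up in port-channel",
    "D": "down",
    "I": "individual (not bundled)",
    "H": "hot-standby",
    "s": "suspended (no LACP PDUs from peer)",
    "r": "module removed",
    "b": "waiting for BFD session",
    "p": "up in delay-lacp mode",
    "M": "min-links not met",
}


def parse_summary(text: str) -> Dict[str, dict]:
    """Parse "show port-channel summary" into {po_name: {group, flags, protocol, members}}."""
    channels: Dict[str, dict] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = PO_RE.match(line)
        if m:
            group, name, flags, proto, rest = m.groups()
            current = {
                "group": int(group),
                "flags": flags,
                "protocol": proto,
                "members": MEMBER_RE.findall(rest),
            }
            channels[name] = current
        elif current is not None and line.startswith("Eth"):
            # Continuation line: members that did not fit on the Po row.
            current["members"].extend(MEMBER_RE.findall(line))
    return channels


def unhealthy_members(channels: Dict[str, dict]) -> List[Tuple[str, str, str]]:
    """Return (port-channel, member, flag) for every member that is not up (P)."""
    bad = []
    for name, ch in channels.items():
        for port, flag in ch["members"]:
            if flag != "P":
                bad.append((name, port, flag))
    return bad


def describe(bad: List[Tuple[str, str, str]]) -> List[str]:
    """Human-readable lines for the findings, e.g. for a ticket update."""
    return [
        f"{po}: {port} is {MEMBER_FLAG_MEANING.get(flag, 'flag ' + flag)}"
        for po, port, flag in bad
    ]


if __name__ == "__main__":
    for line in describe(unhealthy_members(parse_summary(SAMPLE_SUMMARY))):
        print(line)
```

A member flagged (s) on an LACP bundle means the switch has stopped receiving LACP PDUs on that link and has suspended it, which is exactly what a peer whose physical port never comes up looks like from the Nexus side; the parser separates that from a plain (D) member so the two are not conflated in a ticket.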

 

4 Comments
Beginner

Hi,

 

I am experiencing the exact same issue, but the devices are two Nexus 56128P in vPC and a Check Point 3100 with 1G fiber uplinks between them. The identical problem. TAC and CP did not find any issue either. I suppose it must be something to do with the L2 ASIC, but that would not make sense because it actually works with other devices. If anybody has experienced something like that, please lend a hand.

 

Cheers,

Regards,

Martin

 

Beginner

Hello,

 

I found a solution. When I disabled DTP it worked fine; the interfaces and the vPC came up.

 

!
! NX-OS port-channel toward the firewall (vPC member)
interface port-channel20
  description TO_FW_1
  switchport mode trunk
  ! disable speed/duplex auto-negotiation on the member links
  no negotiate auto
  vpc 20
!

 

Regards,

Martin

Beginner

Thank you, Martin. I'm very glad that it worked for your environment.

We finally got a chance to try this last night (among other things), but nothing worked. Setting an N9K port to full duplex and speed 1000 did not work either.

We sent the "show tech" file to Cisco again. Waiting to hear from them. Will write another update once we get this to work.

Beginner

Turns out this is a Cisco software bug: 10Gb uplink connectivity works, but 1Gb does not. FXOS 2.6(1.131) fixes this issue.

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvq31946

 

Thank you

Tanya
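As an added example that is not part of the thread: a check for whether a chassis is at or past the FXOS release the final comment names as carrying the fix. FXOS version strings such as "2.6(1.131)" do not sort correctly as plain strings ("2.6(1.98)" would compare greater than "2.6(1.131)"), so the helper parses the four numeric fields before comparing. The version-string layout is the one shown in the comment; the inventory lines below are constructed for the example, and the bug ID is the one linked above.

```python
import re
from typing import Dict, List, Tuple

# Release named in the thread as containing the fix for CSCvq31946.
FIXED_IN = "2.6(1.131)"

# FXOS versions look like MAJOR.MINOR(MAINT.BUILD), e.g. 2.6(1.131).
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)\.(\d+)\)$")
# Loose form used to pick version tokens out of free text.
VERSION_TOKEN_RE = re.compile(r"\d+\.\d+\(\d+\.\d+\)")


def parse_fxos_version(v: str) -> Tuple[int, int, int, int]:
    """Turn "2.6(1.131)" into (2, 6, 1, 131) so tuples compare numerically."""
    m = VERSION_RE.match(v.strip())
    if not m:
        raise ValueError(f"unrecognised FXOS version string: {v!r}")
    major, minor, maint, build = (int(x) for x in m.groups())
    return (major, minor, maint, build)


def has_fix(running: str, fixed: str = FIXED_IN) -> bool:
    """True if the running release is the fixed release or a later one."""
    return parse_fxos_version(running) >= parse_fxos_version(fixed)


def audit_inventory(lines: List[str], fixed: str = FIXED_IN) -> Dict[str, bool]:
    """Map each "<hostname> <version>" inventory line to whether it carries the fix.

    Lines without a recognisable version token are skipped rather than guessed.
    """
    result: Dict[str, bool] = {}
    for line in lines:
        parts = line.split()
        if len(parts) < 2:
            continue
        host = parts[0]
        token = VERSION_TOKEN_RE.search(line)
        if token is None:
            continue
        result[host] = has_fix(token.group(0), fixed)
    return result


# Constructed inventory (not real hosts): one chassis below the fix, one at it,
# one above it, and one whose build number would mis-sort as a string.
SAMPLE_INVENTORY = [
    "fpr-a  2.4(1.222)",
    "fpr-b  2.6(1.131)",
    "fpr-c  2.7(1.92)",
    "fpr-d  2.6(1.98)",
]

if __name__ == "__main__":
    for host, ok in audit_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}: {'fixed' if ok else 'NEEDS UPGRADE'}")
```

Run against a pasted inventory, the output tells you which chassis still need the 2.6(1.131) or later upgrade before their 1Gb links toward the Nexus will work.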

 
