Cisco Firepower firewall ports are not conecting to Nexus 9500

bortnichie · ‎01-09-2020

Our two cisco firewalls (Cisco ASA on firepower, active/standby) are currently connected to two Catalyst 6509s.

We want to move these firewalls to Nexus 9500s.

When we connected ASA ports to Nexus, the ports on nexus showed "connected" but the ports on the firewall appeared down. Bouncing ports on either side did not help. Taking ports out of port-channels and bouncing them did not help either. Rebooted the standby firewall to see if its ports connect, but it did not work.

Opened a case with Cisco. They checked the nexus side and the firewall side, but did not find any misconfigurations or issues.

Here is a list of troubleshooting steps I completed today, but nothing worked.

set the Nexus side to the Port-channel configuration. Reboot the firewall.
Remove vlan configuration from two ports on N9Ks. Bounce ports on both sides (Nexus and FW).
remove the port-channel config nexus Remove FW ports from port-channel and assign them to a logical device. Bounce ports
reboot
shut ports on both sides. Apply lacp graceful-convergence on nexus side. Enable Nexus ports. Enable FW. Lacp ports become suspended. FW ports are still down.

Error on nexus side:

lacp: fu_fsm_execute_all: done processing event LACP_EV_PERIODIC_TRANSMIT_TIMER_EXPIRED

I attached a diagram example of one firewall and it's two ports being connected to both nexuses. I am currently working on troubleshooting connectivity of two firewall ports (standby firewall) to two nexuses.

any ideas?

thanks

Tanya

Firewall problem.jpg

martinbayramov · ‎01-21-2020

Hi,

I am experiencing the exact same issue but the devices are two Nexus 56128P in VPC and Checkpoint 3100 with 1G fiber uplinks between them. The identical problem. TAC and CP did not find any issue either. I suppose it must be something to do with the L2 ASIC but that would not make sense because it actually works with other devices. If anybody had experienced something like that please give a hand.

Cheers,

Regards,

Martin

martinbayramov · ‎01-22-2020

Hello,

I found a solution. When I disabled DTP it worked fine the interfaces and the vPC came up.

!

interface Po20

desc TO_FW_1

switchport mode trunk

no negotiate auto

vpc 20

!

Regards,

Martin

bortnichie · ‎02-21-2020

Thank you, Martin. I'm very glad that it worked for your environment.

We finally got a chance to try this last night (among other things) but nothing worked. Setting a N9K port duplex to full and setting speed to 1000 did not work either.

We sent "show tech" file to Cisco again. Waiting to hear from them. Will write another update once we get this to work.

bortnichie · ‎04-21-2020

turns out this is a cisco software bug - 10Gb uplinks connectivity works, but 1Gb does not. FXOS 2.6(1.131) fixes this issue

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvq31946

thank you

Tanya

bortnichie · ‎06-26-2020

A quick update in case anyone experiences the same issue.

on Firepower, we had to do the following:

remove ports from a port channel

set ports to 1Gb

enable these ports

Add the ports back to the port channel

on port-channel: set Mode to "on" and Admin Duplex to "Full Duplex"

On the nexus side:

set ethernet ports to:

speed 1000

duplex full

channel-group X force mode on

Tanya

Cisco Firepower firewall ports are not conecting to Nexus 9500

Cisco ACI Inter VRF/Tenant Route Leaking Design – Simplified!

Connecting Physical Servers To Cisco ACI Fabric - Simplified!

VXLAN/EVPN Configuration Example (N9k / p2p)