Solved: ASA on Firepower 2140 Portchannel not come up

rzt1994 · ‎12-06-2018

Hi all,

I have one firepower 2140 security appliance running ASA mode with version 9.8(2).

The device is factory installed with ASA image. And I created three port-channels by separately adding Eth1/1,Eth1/2and Eth1/3,Eth1/4 and Eth1/5,Eth1/6 in Firepower Chasis Management.(There is no "channel-group 1 mode on" command when I enter the interface Eth1/1 configuration line)

And I've configured their nameif, security level and ip address. And I connet Eth1/1 to another switch G0/2, but neither the port-channel 1 and Eth1/1 did not come up.

After that I delete Port-channel 1 and apply config to Eth1/1 and they worked fine.

Below is some part of output of "show interface po1"

Interface Port-channel1 "inside1", is down, line protocol is down (not associated on Supervisor)

Is there anything I can do to troubleshoot it?

rzt1994 · ‎04-16-2019

Hi

I created a case on the issue and it turned out the LACP problem, below is TAC's reply for your refference:

The Firepower 2100 supports EtherChannels in Link Aggregation Control Protocol (LACP) Active or On mode. By default, the LACP mode is set to Active; you can change the mode to On at the CLI. We suggest setting the connecting switch ports to Active mode for the best compatibility.

If you need change LACP mode, you can refer following example:

[Example]

firepower# scope eth-uplink

firepower /eth-uplink # scope fabric a

firepower /eth-uplink/fabric # create port-channel 44

firepower /eth-uplink/fabric/port-channel* # enable

firepower /eth-uplink/fabric/port-channel* # create member-port E1/6

firepower /eth-uplink/fabric/port-channel/member-port* # exit

firepower /eth-uplink/fabric/port-channel* # create member-port E1/7

firepower /eth-uplink/fabric/port-channel/member-port* # exit

firepower /eth-uplink/fabric/port-channel* # set port-channel-mode [on | active]

firepower /eth-uplink/fabric/port-channel* # commit-buffer

firepower /eth-uplink/fabric/port-channel* #end

View solution in original post

BigIp · ‎04-16-2019

Hello,

I was wondering if you gotten any answers on this post. I ran into the same issue. Please advise.

Thanks,

rzt1994 · ‎04-16-2019

Hi

I created a case on the issue and it turned out the LACP problem, below is TAC's reply for your refference:

The Firepower 2100 supports EtherChannels in Link Aggregation Control Protocol (LACP) Active or On mode. By default, the LACP mode is set to Active; you can change the mode to On at the CLI. We suggest setting the connecting switch ports to Active mode for the best compatibility.

If you need change LACP mode, you can refer following example:

[Example]

firepower# scope eth-uplink

firepower /eth-uplink # scope fabric a

firepower /eth-uplink/fabric # create port-channel 44

firepower /eth-uplink/fabric/port-channel* # enable

firepower /eth-uplink/fabric/port-channel* # create member-port E1/6

firepower /eth-uplink/fabric/port-channel/member-port* # exit

firepower /eth-uplink/fabric/port-channel* # create member-port E1/7

firepower /eth-uplink/fabric/port-channel/member-port* # exit

firepower /eth-uplink/fabric/port-channel* # set port-channel-mode [on | active]

firepower /eth-uplink/fabric/port-channel* # commit-buffer

firepower /eth-uplink/fabric/port-channel* #end

BigIp · ‎04-18-2019

Thank you for your assistance. I'm using gig connections for the LACP port-channel whenever I include eth1/2 and eth1/3 to port-channel 1, it changes the operation speed to 10g as shown below. Did you encounter the same issue as well?

FYI, eth1/3 is down on purpose.

Port Channel:

Port Channel Id: 1

Name: Port-channel1

Port Type: Data

Description:

Admin State: Enabled

Oper State: Indeterminate

Auto negotiation: Yes

Speed: 1 Gbps

Duplex: Full Duplex

Oper Speed: 10 Gbps

Band Width (Gbps): 0

State Reason:

flow control policy: default

LACP policy name: default

oper LACP policy name: org-root/lacp-default

Lacp Mode: Active

Inline Pair Admin State: Enabled

Inline Pair Peer Port Name:

Member Port:

Port Name: Ethernet1/2

Membership: Down

Oper State: Up

State Reason: Up

Ethernet Link Profile name: default

Oper Ethernet Link Profile name: fabric/lan/eth-link-prof-default

Udld Oper State: Unknown

Current Task:

Port Name: Ethernet1/3

Membership: Down

Oper State: Link Down

State Reason: Down

Ethernet Link Profile name: default

Oper Ethernet Link Profile name: fabric/lan/eth-link-prof-default

Udld Oper State: Unknown

Current Task:

jorge.chavez · ‎10-09-2019

looks like you have autonegotiation enabled.

can you try setting it to off?

I'm running into a similar problem, and noticed that when i go back into asa mode, that the interfaces stay at 10000Mbps.

Freemen · ‎03-11-2020

is a bug https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvp03354/?rfs=iqvred

Jasper Lampitoc · ‎03-16-2021

Yes its a bug, and cisco only work around is to check in FXOS show eth-uplink expand. I have opened TAC case on this but they can't help me. Suddenly I just read the configuration guide.

You can resolve this by initiating no interface x/x in the members of created port-channel on the ASA to remove extraneous configuration and check that the (not associated on Supervisor) status will be gone, Point to point connection will now have connectivity.

Kindly refer to this cisco document https://www.cisco.com/c/en/us/td/docs/security/asa/fxos/config/asa-2100-fxos-config/fcm.html#task_cqz_4sz_r1b

Check the Procedure in "Add an Etherchannel" ---> Step 8

Hope this helps.

Regards,