ASA port-channel subinterfaces - No layer 3 connectivity to switch

Grant McBride
Level 1

Hi All,

I have been tasked with setting up our new corporate firewall and have been having non-stop issues trying to get connectivity between the ASA and the switch.

I am using ASA version 9, and am using the new feature where one can place all your Gigabit ports into a port-channel and then create subinterfaces on the port-channel for each interface. I have followed all the guides I could find but just can't get any connectivity between the switch and the ASA. The ARP entry seems to show on the switch if I set one on the Port-channel subinterface, but no ARP entries show up on the ASA.

The switch has an interface in the same VLAN as the subinterface (172.28.65.0/24), so no routing is required. I have also set a "permit ip any any" ACL on the interface, and on the control-plane for that interface, just in case.

As a test I have also put the IP Address on Gi0/0 and made it an access port in VLAN 1, which works.

Below is my configuration:

######

ASA

######

interface GigabitEthernet0/0
  description Port-channel to Core Switch
  channel-group 1 mode active
  speed 1000
  duplex full
  no nameif
  no security-level
  no ip address

interface GigabitEthernet0/1
  description Port-channel to Core Switch
  channel-group 1 mode active
  speed 1000
  duplex full
  no nameif
  no security-level
  no ip address
 
interface GigabitEthernet0/2
  description Port-channel to Core Switch
  channel-group 1 mode active
  speed 1000
  duplex full
  no nameif
  no security-level
  no ip address
 
interface GigabitEthernet0/3
  description Port-channel to Core Switch
  channel-group 1 mode active
  speed 1000
  duplex full
  no nameif
  no security-level
  no ip address
 


interface Port-channel1
 no nameif
 no security-level
 no ip address

interface Port-channel1.1
  description Management
  vlan 1
  ip address 172.28.65.2 255.255.255.0
  nameif management
  security-level 90
 

icmp permit any management

access-group management-in in interface management control-plane
access-group management-in in interface management

#########
Switch

#########

interface Port-channel5
 switchport trunk encapsulation dot1q
 switchport mode trunk

interface Gi1/0/29
  channel-group 5 mode active
  switchport trunk encapsulation dot1q
  switchport mode trunk
  speed 1000
  duplex full
  shut

interface Gi1/0/30
  channel-group 5 mode active
  switchport trunk encapsulation dot1q
  switchport mode trunk
  speed 1000
  duplex full

interface Gi2/0/29
  channel-group 5 mode active
  switchport trunk encapsulation dot1q
  switchport mode trunk
  speed 1000
  duplex full

 
interface Gi2/0/30
  channel-group 5 mode active
  switchport trunk encapsulation dot1q
  switchport mode trunk
  speed 1000
  duplex full

Your help is greatly appreciated.

Grant

6 Replies

Murali
Level 1

Hi,

Your config looks good; sometimes it can be a pain setting up EtherChannels.

Can you remove the configuration on all the interfaces, admin shut all of them, and then configure each one and unshut them one by one?

Also, if you can, give us the details of the VLAN configuration on the switch and the output of the show port-channel summary and show port-channel detail commands.

Best of luck.

Thank you

Murali

I have redone the configuration numerous times, also had a CCIE colleague assist.

Further switch configuration:

interface Vlan1
 ip address 172.28.65.11 255.255.255.0
 no ip redirects

VLAN 1 is a working VLAN as it is our Management LAN for other devices.

########

ASA

########

#sh port-channel summary
Flags:  D - down        P - bundled in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        U - in use      N - not in use, no aggregation/nameif
        M - not in use, no aggregation due to minimum links not met
        w - waiting to be aggregated
Number of channel-groups in use: 1
Group  Port-channel  Protocol  Span-cluster  Ports
------+-------------+---------+------------+------------------------------------
1      Po1(U)            LACP          No     Gi0/0(P)   Gi0/1(P)

#sh port-channel detail
                Channel-group listing:
                -----------------------

Group: 1
----------
Span-cluster port-channel: No
Ports: 2   Maxports = 16
Port-channels: 1 Max Port-channels = 48
Protocol: LACP/ active
Minimum Links: 1
Maximum Bundle: 8
Load balance: src-dst-ip
                Ports in the group:
                -------------------
Port: Gi0/0
------------
Port state    = bndl
Channel group =    1        Mode = LACP/ active
Port-channel  = Po1

Flags:  S - Device is sending Slow LACPDUs   F - Device is sending fast LACPDUs.
        A - Device is in active mode.        P - Device is in passive mode.

Local information:
                             LACP port     Admin     Oper    Port        Port
Port      Flags   State      Priority      Key       Key     Number      State
-----------------------------------------------------------------------------
Gi0/0     SA      bndl       32768         0x1       0x1     0x1         0x3d

Partner's information:
          Partner Partner    LACP Partner  Partner   Partner  Partner     Partner
Port      Flags   State      Port Priority Admin Key Oper Key Port Number Port State
-----------------------------------------------------------------------------------
Gi0/0     SA      bndl       32768         0x0       0x1      0x102       0x3d


Port: Gi0/1
------------
Port state    = bndl
Channel group =    1        Mode = LACP/ active
Port-channel  = Po1

Flags:  S - Device is sending Slow LACPDUs   F - Device is sending fast LACPDUs.
        A - Device is in active mode.        P - Device is in passive mode.

Local information:
                             LACP port     Admin     Oper    Port        Port
Port      Flags   State      Priority      Key       Key     Number      State
-----------------------------------------------------------------------------
Gi0/1     SA      bndl       32768         0x1       0x1     0x2         0x3d

Partner's information:
          Partner Partner    LACP Partner  Partner   Partner  Partner     Partner
Port      Flags   State      Port Priority Admin Key Oper Key Port Number Port State
-----------------------------------------------------------------------------------
Gi0/1     SA      bndl       32768         0x0       0x1      0x103       0x3d

No ARPs showing up on the ASA, not even its local interface.

Port-channel1              unassigned      YES unset  up                    up
Port-channel1.1          172.28.65.2     YES manual up                    up

###########

Switch

###########

ARP on the switch shows the MAC of the Gi0/0 interface, Port-channel1 and Port-channel1.1.

The port-channels seem to have the same MAC as the physical Gi0/0 interface. I have tried changing the MACs on the port-channels, and the switch picks up the new MACs, but still no connectivity across.

#sh arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  172.28.65.1             -   001d.e5c0.7340  ARPA   Vlan1
Internet  172.28.65.2             2   f40f.1b76.f918  ARPA   Vlan1

What software versions are you using on the ASA and switch?

Grant McBride
Level 1

It has been sorted out now. It seems the switch was missing the following command.

vlan dot1q tag native

I don't think I would have had this issue if I had used a different VLAN other than 1.

I would, however, like a similar command that I can use on the ASA instead of the switch, or a command I can use on the switch on a per-port basis, as I do not want to break something else.

Thanks guys

Ah OK that makes sense. I never use VLAN 1 so the caveats for doing so didn't immediately come to mind.

It might also work if you set the native VLAN for that trunk to something other than the default VLAN ID of 1, like "switchport trunk native vlan 999". That way it would know it has to tag VLAN 1 traffic for that trunk only.

The ASA does not support LACPDUs that are VLAN-tagged. If you enable native VLAN tagging on the neighboring switch using the Cisco IOS vlan dot1Q tag native command, then the ASA will drop the tagged LACPDUs. Be sure to disable native VLAN tagging on the neighboring switch. In multiple context mode, these messages are not included in a packet capture, so you cannot diagnose the issue easily.

In Cisco IOS software versions earlier than 15.1(1)S2, the ASA did not support connecting an EtherChannel to a switch stack. With default switch settings, if the ASA EtherChannel is connected cross-stack, and if the master switch is powered down, then the EtherChannel connected to the remaining switch will not come up. To improve compatibility, set the stack-mac persistent timer command to a large enough value to account for reload time; for example, 8 minutes or 0 for indefinite. Or, you can upgrade to a more stable switch software version, such as 15.1(1)S2.

https://www.cisco.com/c/en/us/td/docs/security/asa/asa94/config-guides/cli/general/asa-94-general-config/interface-echannel.pdf
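The native-VLAN mechanism behind this thread, as an added example (not from the thread, the ASA, or Cisco): a small Python model of what an IOS trunk sends for a given VLAN and what an ASA Port-channel with a nameif-less parent and a `vlan 1` subinterface will accept, run for the original broken state and for both fixes mentioned above. The class and function names are assumptions of this example, and it does not model LACP.

```python
# Added example: why Port-channel1.1 (vlan 1) on the ASA sees nothing
# when the switch trunk's native VLAN is also 1, and what each fix changes.
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Trunk:
    """Switch-side 802.1Q trunk: its native VLAN and whether the global
    'vlan dot1q tag native' command is configured."""
    native_vlan: int = 1
    tag_native: bool = False  # True once 'vlan dot1q tag native' is set

    def egress_tag(self, vlan: int) -> Optional[int]:
        """Tag the switch puts on a frame for `vlan`, or None when the frame
        leaves untagged (native VLAN without native-VLAN tagging)."""
        if vlan == self.native_vlan and not self.tag_native:
            return None
        return vlan


@dataclass(frozen=True)
class AsaPortChannel:
    """ASA Port-channel1 with no nameif, plus 'interface Port-channel1.N /
    vlan N' subinterfaces. A frame is delivered only if it carries a tag
    matching a subinterface; untagged frames fall to the parent, which has
    no nameif and therefore drops them."""
    subinterfaces: Dict[int, str]  # vlan id -> nameif

    def ingress(self, tag: Optional[int]) -> Optional[str]:
        if tag is None:
            return None  # parent interface has no nameif: dropped
        return self.subinterfaces.get(tag)


def reachable(trunk: Trunk, asa: AsaPortChannel, vlan: int) -> bool:
    """Does a switch frame for `vlan` reach a named ASA interface?"""
    return asa.ingress(trunk.egress_tag(vlan)) is not None


# Constructed to match the thread: Port-channel1.1, vlan 1, nameif management
ASA = AsaPortChannel({1: "management"})


def diagnose() -> Dict[str, bool]:
    """The original trunk versus the two fixes discussed in the thread."""
    return {
        "default trunk (native 1, untagged)": reachable(Trunk(), ASA, 1),
        "vlan dot1q tag native": reachable(Trunk(tag_native=True), ASA, 1),
        "switchport trunk native vlan 999": reachable(Trunk(native_vlan=999), ASA, 1),
    }


if __name__ == "__main__":
    for case, ok in diagnose().items():
        print(f"{case:38s} -> {'reachable' if ok else 'no L3 connectivity'}")
```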
