ASA failover with N7k and vPC

ramikamel911 · ‎05-20-2014

Hi guys,

I'm connecting an ASAs as Active/standby failover to nexus 7000.

Please find the attached network diagram to understand the setup.

- No direct cable between the two ASAs.

- Failover link is done by connecting g0/3 to N7k1 and N7K2 (as the diagram).

- vPC peer-link is there between the two N7k.

- Using this setup, Failover is working fine. (Failover vlans are passing through vPC peer-link)

- As the recommendation, i understood that it is not recommended to use the vPC peer-link to pass the failover vlans (in our case vlan 5 and 6).

Is it true?

+ And based on this recommendation:
- I removed vlans 5 and 6 from the vPC peer-link.
- I created new link between the two N7ks "trunk" and allowed only vlans 5 & 6.

After doing this step, failover keep failing and both ASAs are not detecting each others.

Any idea how to solve this issue?

Regards

Marvin Rhoads · ‎05-20-2014

Can you share the running-config and status for the Nexus trunk interfaces (to each other and to the ASAs)?

i.e.,

show run int Eth__/__

show int Eth __/__

ramikamel911 · ‎05-20-2014

Hi Marvin,

I will collect show interface and send it, but now i have the following "show-run interfaces":

N7K-1:

interface Ethernet3/19
description ### ASA Failover , connected to N7k-2 ###
switchport
switchport mode trunk
switchport trunk allowed vlan 5,6
speed 1000
no shutdown

N7K-2:

interface Ethernet3/19
description ### ASA Failover , connected to N7k-1 ###
switchport
switchport mode trunk
switchport trunk allowed vlan 5,6
speed 1000
no shutdown

ASAs:

interface Ethernet3/5
description ### Connected to ASA-1 ###
switchport
switchport mode trunk
switchport trunk allowed vlan 5,6
speed 1000

interface Ethernet3/5
description ### Connected to ASA-2 ###
switchport
switchport mode trunk
switchport trunk allowed vlan 5,6
speed 1000
no shutdown

Regards

Marvin Rhoads · ‎05-20-2014

Those are pretty straightforward and one would expect them to work. Perhaps the information from the interfaces showing their current status will shed some light.

ramikamel911 · ‎05-20-2014

Thanks for your reply.

As i remember all ports were up, anyhow, i will collect and share them.

Regards.

ramikamel911 · ‎05-21-2014

Hi Marvin,

Attached you can find the show interfaces output.

Regards,

Rami

Marvin Rhoads · ‎05-21-2014

Hmm those look OK.

Can you "show spanning-tree vlan 5" ( and 6)? on the Nexus's?

ramikamel911 · ‎05-21-2014

Hi Marvin.

I attached show spanning-tree output.

Regards

Marvin Rhoads · ‎05-21-2014

For some reason both N7k-1 and N7k-2 are reporting they are root - as i f they still thought those VLANs were connected via vPC. Did you clear VLANs 5 and 6 from the the peer link?

If you look at N7k-2 it is blocking on Eth3/19 (the connection to N7k-1). That will keep the ASAs from seeing each other via that connection.

You might want to refer to this troubleshooting spanning-tree document for NX-OS.

ramikamel911 · ‎05-21-2014

Hi Marvin,

Yes i removed those two vlans from the vPC peer link by removing them from the allowed vlans.

Regards

Marvin Rhoads · ‎05-21-2014

I'd engage the TAC to have a look at your spanning-tree setup in real time. It would probably resolve your issue more quickly to open a Service Request from CSC. There should be a link in the top right of your view with instruction on doing that.

ramikamel911 · ‎05-21-2014

Hi Marvin,

Thanks for your reply.

- If i have an issue with spanning tree, why do you think it is working fine over vPV peer link?

- Both switches are active because we configured peer switch under vPC, and in this case both spanning tree priority should be same.

Regards,

Marvin Rhoads · ‎05-21-2014

I suspected you had setup peer switch. When you have a VPC, the NX-OS uses a virtual bridge-ID designed to work with VPC and spanning tree isn't an issue. When you are running hybrid mode (see this link) Cisco recommends you set "spanning-tree pseudo information".

I've not done that myself which is why I defer to to and recommend engaging the TAC as I'd not want you to have unforeseen consequences with your 7k core as a result of something I had recommended.