11-27-2014 07:14 AM - edited 03-11-2019 10:08 PM
Hi All,
I have been tasked with setting up our new corporate firewall and have been having non-stop issues trying to get connectivity between the ASA and the switch.
I am using ASA version 9, and am using the new feature where one can place all the Gigabit ports into a port-channel and then create subinterfaces on the port-channel for each interface. I have followed all the online guides I could find but just can't get any connectivity between the switch and the ASA. The ARP entry does seem to show up on the switch if I set one on the Port-channel subinterface, but no ARP entries show up on the ASA.
The switch has an interface in the same VLAN as the subinterface (172.28.65.0/24), so no routing is required. I have also set a "permit ip any any" ACL on the interface and on the control-plane for that interface, just in case.
As a test I have also put the IP Address on Gi0/0 and made it an access port in VLAN 1, which works.
Below is my configuration:
######
ASA
######
interface GigabitEthernet0/0
description Port-channel to Core Switch
channel-group 1 mode active
speed 1000
duplex full
no nameif
no security-level
no ip address
interface GigabitEthernet0/1
description Port-channel to Core Switch
channel-group 1 mode active
speed 1000
duplex full
no nameif
no security-level
no ip address
interface GigabitEthernet0/2
description Port-channel to Core Switch
channel-group 1 mode active
speed 1000
duplex full
no nameif
no security-level
no ip address
interface GigabitEthernet0/3
description Port-channel to Core Switch
channel-group 1 mode active
speed 1000
duplex full
no nameif
no security-level
no ip address
interface Port-channel1
no nameif
no security-level
no ip address
interface Port-channel1.1
description Management
vlan 1
ip address 172.28.65.2 255.255.255.0
nameif management
security-level 90
icmp permit any management
access-group management-in in interface management control-plane
access-group management-in in interface management
#########
Switch
#########
interface Port-channel5
switchport trunk encapsulation dot1q
switchport mode trunk
interface Gi1/0/29
channel-group 5 mode active
switchport trunk encapsulation dot1q
switchport mode trunk
speed 1000
duplex full
shut
interface Gi1/0/30
channel-group 5 mode active
switchport trunk encapsulation dot1q
switchport mode trunk
speed 1000
duplex full
interface Gi2/0/29
channel-group 5 mode active
switchport trunk encapsulation dot1q
switchport mode trunk
speed 1000
duplex full
interface Gi2/0/30
channel-group 5 mode active
switchport trunk encapsulation dot1q
switchport mode trunk
speed 1000
duplex full
Your help is greatly appreciated.
Grant
11-27-2014 09:43 PM
hi,
Your config looks good; sometimes it can be a pain setting up EtherChannels.
Can you remove the configuration on all the interfaces, admin shut them all, then configure and unshut each one, one by one?
Also, if you can, give us the details of the VLAN configuration on the switch and the output of show port-channel summary and show port-channel detail.
Best of luck.
Thank you
Murali
11-28-2014 02:33 AM
I have redone the configuration numerous times, and also had a CCIE colleague assist.
Further switch configuration:
interface Vlan1
ip address 172.28.65.11 255.255.255.0
no ip redirects
VLAN 1 is a working VLAN as it is our Management LAN for other devices.
########
ASA
########
#sh port-channel summary
Flags: D - down P - bundled in port-channel
I - stand-alone s - suspended
H - Hot-standby (LACP only)
U - in use N - not in use, no aggregation/nameif
M - not in use, no aggregation due to minimum links not met
w - waiting to be aggregated
Number of channel-groups in use: 1
Group Port-channel Protocol Span-cluster Ports
------+-------------+---------+------------+------------------------------------
1 Po1(U) LACP No Gi0/0(P) Gi0/1(P)
#sh port-channel detail
Channel-group listing:
-----------------------
Group: 1
----------
Span-cluster port-channel: No
Ports: 2 Maxports = 16
Port-channels: 1 Max Port-channels = 48
Protocol: LACP/ active
Minimum Links: 1
Maximum Bundle: 8
Load balance: src-dst-ip
Ports in the group:
-------------------
Port: Gi0/0
------------
Port state = bndl
Channel group = 1 Mode = LACP/ active
Port-channel = Po1
Flags: S - Device is sending Slow LACPDUs F - Device is sending fast LACPDUs.
A - Device is in active mode. P - Device is in passive mode.
Local information:
LACP port Admin Oper Port Port
Port Flags State Priority Key Key Number State
-----------------------------------------------------------------------------
Gi0/0 SA bndl 32768 0x1 0x1 0x1 0x3d
Partner's information:
Partner Partner LACP Partner Partner Partner Partner Partner
Port Flags State Port Priority Admin Key Oper Key Port Number Port State
-----------------------------------------------------------------------------------
Gi0/0 SA bndl 32768 0x0 0x1 0x102 0x3d
Port: Gi0/1
------------
Port state = bndl
Channel group = 1 Mode = LACP/ active
Port-channel = Po1
Flags: S - Device is sending Slow LACPDUs F - Device is sending fast LACPDUs.
A - Device is in active mode. P - Device is in passive mode.
Local information:
LACP port Admin Oper Port Port
Port Flags State Priority Key Key Number State
-----------------------------------------------------------------------------
Gi0/1 SA bndl 32768 0x1 0x1 0x2 0x3d
Partner's information:
Partner Partner LACP Partner Partner Partner Partner Partner
Port Flags State Port Priority Admin Key Oper Key Port Number Port State
-----------------------------------------------------------------------------------
Gi0/1 SA bndl 32768 0x0 0x1 0x103 0x3d
No ARPs showing up on the ASA. Not even its local interface.
Port-channel1 unassigned YES unset up up
Port-channel1.1 172.28.65.2 YES manual up up
###########
Switch
###########
ARP on the switch shows the MAC of the Gi0/0 interface, Port-channel1 and Port-channel1.1.
The port-channels seem to have the same MAC as the physical Gi0/0 interface. I have tried changing the MACs on the port-channels, and the switch picks up the new MACs, but still no connectivity across.
#sh arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 172.28.65.1 - 001d.e5c0.7340 ARPA Vlan1
Internet 172.28.65.2 2 f40f.1b76.f918 ARPA Vlan1
11-28-2014 07:24 AM
What software versions are you using on the ASA and switch?
11-28-2014 07:28 AM
It has been sorted out now. It seems the switch was missing the following command:
vlan dot1q tag native
I don't think I would have had this issue if I had used a different VLAN than 1.
I would, however, like a similar command that I can use on the ASA instead of the switch, or a command I can use on the switch on a per-port basis, as I do not want to break something else.
Thanks guys
11-28-2014 07:38 AM
Ah OK, that makes sense. I never use VLAN 1, so the caveats for doing so didn't immediately come to mind.
It might also work if you set the native VLAN for that trunk to something other than the default VLAN ID of 1, like "switchport trunk native vlan 999". That way it would know it has to tag VLAN 1 traffic for that trunk only.
09-01-2018 07:07 AM
The ASA does not support LACPDUs that are VLAN-tagged. If you enable native VLAN tagging on the neighboring switch using the Cisco IOS vlan dot1Q tag native command, then the ASA will drop the tagged LACPDUs. Be sure to disable native VLAN tagging on the neighboring switch. In multiple context mode, these messages are not included in a packet capture, so you cannot diagnose the issue easily.
In Cisco IOS software versions earlier than 15.1(1)S2, the ASA did not support connecting an EtherChannel to a switch stack. With default switch settings, if the ASA EtherChannel is connected cross-stack, and if the master switch is powered down, then the EtherChannel connected to the remaining switch will not come up. To improve compatibility, set the stack-mac persistent timer command to a large enough value to account for reload time; for example, 8 minutes or 0 for indefinite. Or, you can upgrade to a more stable switch software version, such as 15.1(1)S2.
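The two explanations in this thread (VLAN 1 leaving the trunk untagged as the native VLAN while the ASA subinterface "vlan 1" only accepts tagged frames, and the documentation note above that the ASA drops VLAN-tagged LACPDUs) can be worked through on constructed frames. The following is an added example, not code from this thread or from Cisco. The trunk and ASA behaviour it models is taken from the posts above; the MAC addresses, the ARP payload and the three scenarios are constructed; and the assumption that a switch running "vlan dot1q tag native" also tags its LACPDUs with the native VLAN ID is taken from the documentation excerpt, not verified on hardware here.

```python
import struct

ETH_P_8021Q = 0x8100          # 802.1Q tag protocol identifier
ETH_P_ARP = 0x0806
ETH_P_SLOW = 0x8809           # IEEE 802.3 Slow Protocols (LACP rides on this)
LACP_MCAST = bytes.fromhex("0180c2000002")   # Slow Protocols multicast address

# Constructed MAC addresses for the example; not the ones seen in the thread.
SWITCH_MAC = bytes.fromhex("001122334455")
ASA_MAC = bytes.fromhex("66778899aabb")


def build_frame(dst, src, ethertype, payload, vlan=None):
    """Assemble an Ethernet II frame, inserting an 802.1Q tag (PCP 0, DEI 0) when vlan is given."""
    hdr = dst + src
    if vlan is not None:
        hdr += struct.pack("!HH", ETH_P_8021Q, vlan & 0x0FFF)
    return hdr + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return (dst, src, vlan or None, ethertype, payload) for an Ethernet II frame."""
    dst, src = frame[:6], frame[6:12]
    (etype,) = struct.unpack("!H", frame[12:14])
    off, vlan = 14, None
    if etype == ETH_P_8021Q:
        (tci,) = struct.unpack("!H", frame[14:16])
        vlan = tci & 0x0FFF
        (etype,) = struct.unpack("!H", frame[16:18])
        off = 18
    return dst, src, vlan, etype, frame[off:]


class TrunkPort:
    """Egress side of an IOS dot1q trunk: decides which frames leave tagged."""

    def __init__(self, native_vlan=1, tag_native=False):
        self.native_vlan = native_vlan
        self.tag_native = tag_native     # global "vlan dot1q tag native"

    def send_data(self, vlan, dst, src, ethertype, payload):
        # Only the native VLAN leaves untagged, and only while tag-native is off.
        tagged = vlan != self.native_vlan or self.tag_native
        return build_frame(dst, src, ethertype, payload, vlan=vlan if tagged else None)

    def send_lacpdu(self, src):
        # Assumption from the ASA documentation excerpt quoted in the thread: with
        # "vlan dot1q tag native" the switch also tags its LACPDUs (native VLAN ID).
        tag = self.native_vlan if self.tag_native else None
        return build_frame(LACP_MCAST, src, ETH_P_SLOW, b"\x01", vlan=tag)


class AsaPortChannel:
    """Ingress classification on the ASA's Port-channel1 and its VLAN subinterfaces."""

    def __init__(self, subinterfaces, main_nameif=None):
        self.subinterfaces = subinterfaces   # {vlan_id: nameif}
        self.main_nameif = main_nameif       # None when Port-channel1 has "no nameif"

    def classify(self, frame):
        _, _, vlan, etype, _ = parse_frame(frame)
        if etype == ETH_P_SLOW:
            # Documentation quoted in the thread: VLAN-tagged LACPDUs are dropped.
            return "LACP_DROPPED_TAGGED" if vlan is not None else "LACP_OK"
        if vlan is None:
            return f"DELIVERED:{self.main_nameif}" if self.main_nameif else "DROPPED_UNTAGGED_NO_NAMEIF"
        if vlan in self.subinterfaces:
            return f"DELIVERED:{self.subinterfaces[vlan]}"
        return f"DROPPED_NO_SUBINTERFACE_VLAN_{vlan}"


def simulate(native_vlan, tag_native, data_vlan=1):
    """What the ASA does with a VLAN-1 ARP broadcast and an LACPDU under one trunk setting."""
    trunk = TrunkPort(native_vlan, tag_native)
    asa = AsaPortChannel({1: "management"})      # Port-channel1.1, vlan 1, nameif management
    arp = trunk.send_data(data_vlan, b"\xff" * 6, SWITCH_MAC, ETH_P_ARP, b"\x00" * 28)
    lacp = trunk.send_lacpdu(SWITCH_MAC)
    return asa.classify(arp), asa.classify(lacp)


if __name__ == "__main__":
    scenarios = [
        ("original: native 1, no tag-native", 1, False),
        ("fix in thread: vlan dot1q tag native", 1, True),
        ("alternative: switchport trunk native vlan 999", 999, False),
    ]
    for label, native, tag in scenarios:
        data, lacp = simulate(native, tag)
        print(f"{label:48s} data={data:28s} lacp={lacp}")
```

The first scenario reproduces the symptom in the thread: LACP bundles (untagged LACPDUs are fine) but every VLAN 1 frame arrives untagged on a Port-channel1 that has no nameif, so the ASA never learns an ARP entry. The third scenario is the per-trunk answer asked for: with "switchport trunk native vlan 999" on that trunk only, VLAN 1 is tagged while LACPDUs stay untagged, which is what the documentation note above requires. On the switch, "show interfaces trunk" lists the native VLAN per trunk so the change can be confirmed before and after.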