Solved: Re: ASA5520 span-cluster port channel issue with cisco switch

JunaidM · ‎05-28-2023

Hi,

I have a Cisco ASA 5520 and connected with a cisco switch. Am working cluster Master/Slave which is working well and looks fine without any issue (UP).

Problem is that my Port-Channel is not coming up on switch and ASA both sides the summery of etherchannel is showing "w" am not sure what it is and how to fix.

Can someone advise in this case?

MHM Cisco World · ‎05-28-2023

remove the e0 from the PO.

View solution in original post

MHM Cisco World · ‎05-28-2023

Yes for OUTside config another PO
https://integratingit.wordpress.com/2022/07/10/asa-clustering/

View solution in original post

MHM Cisco World · ‎05-28-2023

can I see the config in both side ASA and SW (stack)?

JunaidM · ‎05-28-2023

Hi,

Sure, here is the topology

- FOR SWITCH IN INSIDE NETWORK-

Inside_Switch# show etherchannel summary

Number of channel-groups in use: 1
Number of aggregators: 1

Group Port-channel Protocol Ports
------+-------------+-----------+-----------------------------------------------
1 Po1(SU) LACP Et0/2(P) Et0/3(w)

!

interface Port-channel1
switchport trunk encapsulation dot1q
switchport mode trunk
!
interface Ethernet0/0
switchport access vlan 10
switchport mode access
duplex full
!
interface Ethernet0/1
switchport access vlan 30
switchport mode access
duplex full
!
interface Ethernet0/2
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 1 mode active
!
interface Ethernet0/3
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 1 mode active

- MASTER ASA -

ASA-1/master# show running-config interface
!
interface Ethernet0
channel-group 1 mode active
no nameif
no security-level
no ip address
!
interface Ethernet1
channel-group 1 mode active
no nameif
no security-level
no ip address
!
interface Ethernet2
description Clustering Interface
!
interface Ethernet3
no nameif
no security-level
no ip address

!

interface Port-channel1
port-channel span-cluster
no nameif
no security-level
no ip address
!
interface Port-channel1.10
vlan 10
nameif inside
security-level 100
ip address 192.168.10.1 255.255.255.0
!
interface Port-channel1.20
vlan 20
nameif outside
security-level 0
ip address 172.16.10.1 255.255.255.0
!
interface Port-channel1.30
vlan 30
nameif DMZ
security-level 50
ip address 10.30.5.1 255.255.255.0

ASA-1/master# show port-channel summary

Number of channel-groups in use: 1
Group Port-channel Protocol Span-cluster Ports
------+-------------+---------+------------+------------------------------------
1 Po1(U) LACP Yes Et1(P) Et0(w)

MHM Cisco World · ‎05-28-2023

remove the e0 from the PO.

JunaidM · ‎05-28-2023

Should I make a separate port channel for outside interfaces or it is not needed?

Because after I remove inside Port-Channel is UP but for outside here is the log on the Outside-Switch

*May 28 15:52:23.676: %EC-5-L3DONTBNDL2: Et0/1 suspended: LACP currently not enabled on the remote port.
*May 28 15:52:23.710: %EC-5-L3DONTBNDL2: Et0/2 suspended: LACP currently not enabled on the remote port.

Outside_Switch#show etherchannel summary

Number of channel-groups in use: 1
Number of aggregators: 1

Group Port-channel Protocol Ports
------+-------------+-----------+-----------------------------------------------
1 Po1(SD) LACP Et0/1(s) Et0/2(s)

Am trying to ping from R49 to R51 but not able to do so.

MHM Cisco World · ‎05-28-2023

Yes for OUTside config another PO
https://integratingit.wordpress.com/2022/07/10/asa-clustering/

JunaidM · ‎05-28-2023

Thank you for clearing the concept, much appreciated.

It's the first time am working on clusters of ASA so, thanks again.

MHM Cisco World · ‎05-28-2023

You are so welcome