Thanks Philip for your quick

abdulrafayessani · ‎02-11-2016

Hi,

I' m making an Etherchannel from my Cisco ASA5512X using following interfaces and devices but the line interface is down on these ports and showing Orange LED

9	INSIDE-3850-0	G 1/0/17	10.181.11.3/24	DMZ-5512-0	GE 0/3	10.181.11.4/24
9	INSIDE-3850-0	G 2/0/17		DMZ-5512-1	GE 0/3
9	INSIDE-3850-0	G 1/0/18		DMZ-5512-0	GE 0/2
9	INSIDE-3850-0	G 2/0/18		DMZ-5512-1	GE 0/2

- two 3850 48 port are in stack with IP Base Image

- both firewall are in Active/Standby mode.

Configuration is as follows:

3850:

interface Port-channel9
no switchport
ip address 10.181.11.3 255.255.255.0

interface GigabitEthernet1/0/17
description connected to F-PK-LHR-DMZ-5512-0 GE 0/3
no switchport
no ip address
channel-group 9 mode auto

interface GigabitEthernet1/0/18
description connected to F-PK-LHR-DMZ-5512-0 GE 0/2
no switchport
no ip address
channel-group 9 mode auto

interface GigabitEthernet2/0/17
description connected to F-PK-LHR-DMZ-5512-1 GE 0/3
no switchport
no ip address
shutdown
channel-group 9 mode auto

interface GigabitEthernet2/0/18
description connected to F-PK-LHR-DMZ-5512-1 GE 0/2
no switchport
no ip address
shutdown
channel-group 9 mode auto

Regards,

Abdul Rafay

Philip D'Ath · ‎02-12-2016

Close. You need to use "mode active".

For example:

interface GigabitEthernet1/0/17
 description connected to F-PK-LHR-DMZ-5512-0 GE 0/3
 no switchport
 no ip address
 channel-group 9 mode active

And on the ASA, something like:

interface GigabitEthernet x/y
 channel-group 9 mode active

abdulrafayessani · ‎02-12-2016

Thanks Philip for your quick response. but as per ASA 9.1.2 Configuration guide it says etherchannel with cross stack switches is not supported.

http://www.cisco.com/c/en/us/td/docs/security/asa/asa90/configuration/guide/asa_90_cli_config/interface_start.html#pgfId-1329030

Since my both ASA are intended for Active Passive therefore i've to make one Etherchannel, correct me if i am wrong.

just want to share my ASA configuration as well:

DMZ-5512-0

interface GigabitEthernet0/2
speed 1000
duplex full
channel-group 9 mode active
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
speed 1000
duplex full
channel-group 9 mode active
no nameif
no security-level
no ip address

interface Port-channel9
speed 1000
duplex full
lacp max-bundle 1
port-channel load-balance src-port
nameif INSIDE
security-level 100
ip address 10.181.11.4 255.255.255.0

DMZ-5512-1

interface GigabitEthernet0/2
speed 1000
duplex full
channel-group 9 mode active
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
speed 1000
duplex full
channel-group 9 mode active
no nameif
no security-level
no ip address

interface Port-channel9
speed 1000
duplex full
lacp max-bundle 1
port-channel load-balance src-port
nameif INSIDE
security-level 100
ip address 10.181.11.4 255.255.255.0

Philip D'Ath · ‎02-14-2016

I think that should be fine. I should point out one other aspect and that EtherChannel doesn't increase throughput on a 5512, it only provides redundancy.

You could also consider using "Redundant" interfaces. It does work across switch stacks, and doesn't require any special switch configuration.

https://supportforums.cisco.com/document/88136/quick-redundant-interface-configuration-reference-asa

Philip D'Ath · ‎02-12-2016

You also can not use the same channel group number for different firewalls. So use "8" going to one firewall and "9" to the other, for example.

Cisco ASA 5512X L3 Eitherchannel with Catalyst 3850 Switches Cross Stack