Cisco ASA 5585 transparent firewall failover issur when the swit

veonwu0702 · ‎05-07-2013

Hi Everyone ,

We are deploying the Cisco ASA 5585 in transparent mode with multiple contexts, the port-channel was configured to connect to the core switches using dot1q trunk.

We are experiencing an issue which is the core switches are configured loop guard globally, therefore the port-channel connected to the firewalls will be put into inconsistent state when the failover happen, and the two firewalls' failover can not fulfill the failover at last.

I have two queries below.

1. Does the firewall allow the BPDU passing through when it is in standby mode, for example, secondary firewall is active for group 2 and standby for group 1. does the secondary firewall block the BPDU from the valns under group1 ?

2. Can we disable the loop guard feature on the switch port-channel or is there anyother way to solve this issue ?

Thanks

Best Regards,

Veon

veonwu0702 · ‎05-07-2013

Anyone can help ?

benj.david · ‎11-19-2013

Hello Veon,

I can only reply to your first question : An ASA does not forward any traffic on the interfaces/vlan where it acts as standby, so it does not forward the BPDU on these vlans.

I have the same issue as you, so if you have found a solution, I would be happy if you can share it.

Regards,

benjamin

h.groeger · ‎11-19-2013

Hello,

as far I saw so far the Loop Guard feature is global. Depending on your switch platform/IOS version, you can try to use the Bridge Assurance feature as an alternative to STP LG. STP BA has to be enabled on a global level as well, but you afterwards you have to activate it on an interface level.

Please use the following link in order to have details about STP BA.

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/stp_enha.html#wp1052528

search for "Understanding Bridge Assurance"

Best Regards

Heiko

Cisco ASA 5585 transparent firewall failover issur when the switch enabled Loop guard