Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forĀ 
Search instead forĀ 
Did you mean:Ā 
cancel
Start a conversation
1362
Views
0
Helpful
3
Replies

Cisco ASA 5585 transparent firewall failover issur when the switch enabled Loop guard

veonwu0702
Level 1
Level 1

ā€Ž05-07-2013 04:06 AM - edited ā€Ž03-11-2019 06:39 PM

Hi Everyone ,

We are deploying the Cisco ASA 5585 in transparent mode with multiple contexts, the port-channel was configured to connect to the core switches using  dot1q trunk.

We are experiencing an issue which is the core switches are configured loop guard globally, therefore the port-channel connected to the firewalls will be put into inconsistent state when the failover happen, and the two firewalls' failover can not fulfill the failover at last.

I have two queries below.

1.  Does the firewall allow the BPDU passing through when it is in standby mode, for example, secondary firewall is active for group 2 and standby for      group 1.  does the secondary firewall block the BPDU from the valns under group1 ? 

2.  Can we disable the loop guard feature on the switch port-channel or is there anyother way to solve this issue ?

Thanks

Best Regards,

Veon

Labels:
0 Helpful
3 Replies 3

veonwu0702
Level 1
Level 1

ā€Ž05-07-2013 06:43 AM

Anyone can help ?

0 Helpful

benj.david
Level 1
Level 1

ā€Ž11-19-2013 03:55 AM

Hello Veon,

I can only reply to your first question : An ASA does not forward any traffic on the interfaces/vlan where it acts as standby, so it does not forward the BPDU on these vlans.

I have the same issue as you, so if you have found a solution, I would be happy if you can share it.

Regards,

benjamin

0 Helpful

h.groeger
Level 1
Level 1

ā€Ž11-19-2013 08:52 PM

Hello,

as far I saw so far the Loop Guard feature is global. Depending on your switch platform/IOS version, you can try to use the Bridge Assurance feature as an alternative to STP LG. STP BA has to be enabled on a global level as well, but you afterwards you have to activate it on an interface level.

Please use the following link in order to have details about STP BA.

http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/stp_enha.html#wp1052528

search for "Understanding Bridge Assurance"

Best Regards

Heiko

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card