Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
496
Views
0
Helpful
3
Replies

Firewall 4200 Series v7.4.2.1-30; vPC ACI port-channel suspended issue

Go to solution
KelvinT
Level 1
Level 1

‎05-07-2025 02:26 PM

Firewall 4200 Series v7.4.2.1-30; vPC ACI port-channel suspended issue

Hello,

Have anyone successfully clustered 4200 Series FTD OS v7.4.2.1-30 on a ACI Leaf switch pair using vPC?  I keep getting the switch port suspended causing the FTD cluster to disable the nodes.  It does this because before the FTD can complete the clustering, the switch see the FTDs as different port-channel partners.  i.e. it doesn't see the cluster as one device yet.  As a result, the FTD cluster fails, the switch port channel is suspended.

https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/cluster/ftd-cluster-sec-fw.html

I have already tried different order of operations without success.  I feel this is how it is suppose to work:

  1. Configure port-channel for cluster control CCL
  2. Configure the cluster adding the cluster control
  3. add, non-configured data cluster node

Any idea?

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
KelvinT
Level 1
Level 1

‎05-12-2025 11:52 AM

Hi Cisco Community,

So the resolution is to correctly interpret the Cisco Document below.  Hahaha...

https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/cluster/ftd-cluster-sec-fw.html

Summary:

  1. The cluster control link (CCL) must use Device-local EtherChannels per FW
  2. The data link, can be Spanned EtherChannels

By creating separate etherChannels for each FTD will, obviously, prevent the suspension of the ports on the switch side since it is the same partner (FTD unit).  Once the CCL is established, all the FTD unit will appear as one unit on the data link to the switch, which will allow it to be configure as Spanned EtherChannels.

Problem solved. 

View solution in original post

0 Helpful
3 Replies 3

Go to solution
KelvinT
Level 1
Level 1
In response to Marius Gunnerud

‎05-09-2025 05:37 AM

Hello Marius and thanks.

I don't think the issue is on the ACI side per se.  It seem to be the chicken and egg....which comes first. 

- In order for the ACI switch to enable port-channel, it has to see the partner (FTD) as one device (i.e. the chicken must come first.  hahaha..)

- In order for the FTD to form a cluster, the port-channel has to be up to communicate.  (i.e.  the egg must come first  hahah...)

Thanks for that info though, but this seems or FTD related.

0 Helpful

Go to solution
KelvinT
Level 1
Level 1

‎05-12-2025 11:52 AM

Hi Cisco Community,

So the resolution is to correctly interpret the Cisco Document below.  Hahaha...

https://www.cisco.com/c/en/us/td/docs/security/secure-firewall/management-center/cluster/ftd-cluster-sec-fw.html

Summary:

  1. The cluster control link (CCL) must use Device-local EtherChannels per FW
  2. The data link, can be Spanned EtherChannels

By creating separate etherChannels for each FTD will, obviously, prevent the suspension of the ports on the switch side since it is the same partner (FTD unit).  Once the CCL is established, all the FTD unit will appear as one unit on the data link to the switch, which will allow it to be configure as Spanned EtherChannels.

Problem solved. 

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card