Solved: FPR4110 interface down after added into device local port-channel

fraserC · ‎03-22-2018

Need help.

Configuring interfaces on FPR4110 FXOS v2.3(1.58), all 1 Gig interface connecting to a single switch.

It was no issue for eth1/1, 1/2, 1/3, 1/4 when I set them speed =1gbps, all came UP ok. However after I created a port-channel and added one interface, it went down immediately. I checked port-channel is down due to member-port eth1/3 “suspended(no LACP PDU)”. Same result for other 3 interfaces.

I tried to change the connecting switch from a 3COM 3C16479 switch to Catalyst 3750X, they are all in default config as flat L2 switch. Is there anything special need to set on the switch?

FPRFW02-A(fxos)# show interface ethernet 1/3

Ethernet1/3 is down (suspended(no LACP PDU))

Dedicated Interface

Belongs to Po3

Hardware: 1000/10000 Ethernet, address: 70db.9819.93fe (bia 70db.9819.93fe)

Description: U: Uplink

MTU 9216 bytes, BW 1000000 Kbit, DLY 10 usec

reliability 255/255, txload 1/255, rxload 1/255

Encapsulation ARPA

Port mode is dot1q-tunnel

full-duplex, 1000 Mb/s, media type is 1G

Beacon is turned off

Input flow-control is off, output flow-control is off

Rate mode is dedicated

Switchport monitor is off

EtherType is 0x8100

Last link flapped 00:01:01

Last clearing of "show interface" counters never

7 interface resets

30 seconds input rate 632 bits/sec, 0 packets/sec

30 seconds output rate 16 bits/sec, 0 packets/sec

Load-Interval #2: 5 minute (300 seconds)

input rate 200 bps, 0 pps; output rate 192 bps, 0 pps

RX

fraserC · ‎03-26-2018

Seems I messed up the concept of clustering and high availability. I want to achieve 2x FPR4110 chassis HA but had been looking at ASA clustering for a week. Tried switch ether-channel setting, it worked on mgmt port and cluster control port, but still have all data-ports suspended due to lacp pdu error, then I gave up the clustering solution.

I changed FXOS interface setting from port-channel back to normal interface, start as single ASA; then config HA with each logical ASA. It worked out no problem.

High Availability (HA) vs. Clustering

Configuring high availability, also called failover, requires two identical FPR devices connected to each other through a dedicated failover link and, optionally, a state link. This is similar to legacy ASA 5500 appliance HA.

Clustering lets you group multiple Firepower 4100/9300 chassis ASAs together as a single logical device. A cluster provides all the convenience of a single device (management, integration into a network) while achieving the increased throughput and redundancy of multiple devices.

View solution in original post

Marvin Rhoads · ‎03-22-2018

Have you assigned the portchannel to your logical device?

Until you do, it will definitely stay down. The logical device controls and activates the parameters such as LACP mode.

fraserC · ‎03-23-2018

yes, all port channels are added to logical device. I noticed this when trying to build clustering.

for port-channel48, I put a straight cable between the 2 chassis's eth1/1, it come up.

It really looks like something with the switch

fraserC · ‎03-23-2018

Figured out. The resolution is to configure the connecting switch, enable channel-group on each port discretely.

doc: Deploy a Cluster for Firepower Threat Defense

“Device-local EtherChannels.For cluster unit Device-local EtherChannels including any EtherChannels configured for the cluster control link, be sure to configure discrete EtherChannels on the switch; do not combine multiple cluster unit EtherChannels into one EtherChannel on the switch.”

Switch(config)# interface range gigabitethernet1/0/15

Switch(config-if-range)# switchport mode access

Switch(config-if-range)# switchport access vlan 1

Switch(config-if-range)# channel-group 5 mode active

Creating a port-channel interface Port-channel 5

After the channel-group command, the FPR4110’s port-channel and member port are both up. my 3750X switch was in default config, so it's vlan1 by default.

fraserC · ‎03-26-2018

Seems I messed up the concept of clustering and high availability. I want to achieve 2x FPR4110 chassis HA but had been looking at ASA clustering for a week. Tried switch ether-channel setting, it worked on mgmt port and cluster control port, but still have all data-ports suspended due to lacp pdu error, then I gave up the clustering solution.

I changed FXOS interface setting from port-channel back to normal interface, start as single ASA; then config HA with each logical ASA. It worked out no problem.

High Availability (HA) vs. Clustering

Configuring high availability, also called failover, requires two identical FPR devices connected to each other through a dedicated failover link and, optionally, a state link. This is similar to legacy ASA 5500 appliance HA.

Clustering lets you group multiple Firepower 4100/9300 chassis ASAs together as a single logical device. A cluster provides all the convenience of a single device (management, integration into a network) while achieving the increased throughput and redundancy of multiple devices.