06-19-2019 05:39 AM
I am having issues creating a trunked Etherchannel between a switch and an ASA Firepower 4120. I have an etherchannel up that is an access etherchannel and it works fine; the problem comes when I try to trunk it. I have tried a non-etherchannel trunk port and it works too. This is my first setup of a Firepower device with the ASA software, so I was wondering if anyone else has experience or knowledge of why this will not work.
The configs seem pretty straightforward, but I may have missed something.
For the switch I have the interfaces configured like this:
interface TenGigabitEthernet1/1/5
 switchport trunk native vlan 100
 switchport trunk allowed vlan 180
 switchport mode trunk
 switchport nonegotiate
 channel-group 1 mode active
 spanning-tree portfast disable
 spanning-tree bpduguard disable
! port channel like this
interface Port-channel1
 switchport trunk native vlan 100
 switchport trunk allowed vlan 180
 switchport mode trunk
 switchport nonegotiate
 spanning-tree portfast disable
 spanning-tree bpduguard disable
___________________________
On the Firepower Chassis Manager I bundled two ports into an etherchannel and set them to enable.
On the ASA software, I did the following:
interface Port-channel2
 no nameif
 no security-level
 no ip address
!
interface Port-channel2.180
 vlan 180
 nameif outside
 security-level 0
 ip address x.x.x.x m.m.m.m
______________________________
On the switch, after a no shut, I get the following error and the Etherchannel does not start:
%LINK-3-UPDOWN: Interface Port-channel1, changed state to down
%LINK-3-UPDOWN: Interface TenGigabitEthernet1/1/5, changed state to up
%LINK-3-UPDOWN: Interface TenGigabitEthernet1/1/6, changed state to up
%ETC-5-L3DONTBNDL2: Te1/1/5 suspended: LACP currently not enabled on the remote port.
%ETC-5-L3DONTBNDL2: Te1/1/6 suspended: LACP currently not enabled on the remote port.
Any ideas on what has been missed, or what could be causing the issue?
06-19-2019 06:05 AM
06-19-2019 06:40 AM
I have set the switch to on and the switch side comes up, but not the ASA/Firepower side. I read in documentation that FXOS requires LACP. The access port etherchannel that I have currently would not come up until I made it "active" instead of "on".
How do I make sure the ASA (or maybe even FXOS) understands LACP?
06-19-2019 07:14 AM
06-19-2019 08:03 AM
The physical link is up and the channel-group is set to active and it is also associated to a logical device (ASA), however it is still appearing down.
06-19-2019 09:19 AM
06-19-2019 10:02 AM
I have not. The CLI of the ASA does not show the interfaces that are associated with the PortChannel, only the PortChannel itself, since the PortChannel is configured from the chassis.
show int | i Interface
Interface Port-channel2 "", is down, line protocol is down
Interface Port-channel2.180 "outside", is down, line protocol is down
06-19-2019 10:53 AM
06-19-2019 12:04 PM
Yes, it is set to type Data.
show port-channel
Port Channel:
Port Channel Id Name             Port Type          Admin State Oper State       State Reason
--------------- ---------------- ------------------ ----------- ---------------- ------------
2               Port-channel2    Data               Enabled     Failed           No operational members
48              Port-channel48   Cluster            Disabled    Admin Down       Administratively down
06-19-2019 12:50 PM
06-21-2019 10:42 AM
Grant,
Thank you very much for looking at this for me.
I found that etherchannels in the code I was using were not stable. I ended up updating FXOS from 2.2.2.17 to 2.4.1.214 and ASA from 9.8.2 to 9.8.4.
This allowed me to go from an "active" LACP state to an "on" state in the etherchannel from the FCM, and everything came up.
06-21-2019 12:00 PM
Hi Brian,
Thanks for the update. Always good to find out what the fix was to help others who might come across funny ones like this. Glad it's all working.