10-13-2019 05:04 AM
Hi All,
I am trying to bring up a cluster interface for which I have used a Layer 2 switch and Cisco ASA. I have identical ports connected at both the ASAs which terminate in the switch. I am using LACP mode active at both switch and ASA but the port-channel is not coming up. I am attaching the running-configs of both ASAs and the switch in anticipation that some expert might be able to help me.
TIA.
10-13-2019 05:57 AM
Hello
I don't have access to any 5520 ASAs; however, I see you're not using the channel-group x on the FW interfaces. Just had a quick check and it seems the ASA5520 should support such commands.
10-13-2019 06:00 AM
@paul driver Thank you for looking into it. I have already added the interfaces in the bundle (channel-group X mode active). Relevant commands are also present. Could you please elaborate which command is missing?
10-13-2019 08:19 AM - edited 10-13-2019 08:20 AM
Hello
Apologies - I couldn't see it on the attached file from my phone. After reviewing it now, though, I don't see the physical ports set as switchports, unless they already are. I assume these ports are routed ports by default, so unless you make those ports layer 2 before you add them to a port channel, the connection to the switch won't happen.
Try removing the port-channel, defaulting the physical interfaces and then recreate the PC after the physical ports are in switch-port mode.
10-13-2019 10:42 AM
@paul driver It is completely ok. I am afraid that I will not be able to check it further today, but I was continuously getting the following syslog on my switch:
LACP currently not enabled on the remote port.
I would like to point out that LACP was enabled on the remote port. I will re-create the port-channel, wipe out any extra configuration and let you know.
10-13-2019 07:04 AM
Hello,
on your ASA1, is this a typo?
interface Ethernet1
channel-group 1 mode active
shutdown
Also, on the switch, try and remove:
channel-protocol lacp
on the channel member interfaces:
interface Ethernet0/1
description to ASA3 e1
switchport trunk encapsulation dot1q
switchport mode trunk
--> no channel-protocol lacp
channel-group 1 mode active
10-13-2019 10:29 AM
@Georg Pauwen Thank you for your reply. That was a typo for the interface being shut. Moreover, I had added this command (channel-protocol lacp) for troubleshooting purposes but it was to no avail. However, I will remove it as you suggested.
10-13-2019 12:42 PM
Hello,
also, from both ASAs, post the output of:
show cluster info
and from the switch:
show etherchannel summary
10-14-2019 07:56 AM
@Georg Pauwen I am constantly receiving the following syslog on the switch:
%EC-5-L3DONTBNDL2: Et0/1 suspended: LACP currently not enabled on the remote port
From first ASA:
ASA3# show cluster info
Cluster XXXX: On
Interface mode: spanned
This is "ASA3" in state MASTER
ID : 0
Version : 9.1(5)16
Serial No.: JMX1203L0NN
CCL IP : 10.100.203.1
CCL MAC : 5000.0023.0002
Last join : 14:42:34 UTC Oct 14 2019
Last leave: N/A
Other members in the cluster:
Unit "ASA4" in state SLAVE
ID : 1
Version : 9.1(5)16
Serial No.: JMX1203L0NN
CCL IP : 10.100.203.2
CCL MAC : 5000.0024.0002
Last join : 14:42:34 UTC Oct 14 2019
Last leave: N/A
Second ASA:
ASA3# show cluster info
Cluster XXXX: On
Interface mode: spanned
This is "ASA4" in state SLAVE
ID : 1
Version : 9.1(5)16
Serial No.: JMX1203L0NN
CCL IP : 10.100.203.2
CCL MAC : 5000.0024.0002
Last join : 14:42:48 UTC Oct 14 2019
Last leave: N/A
Other members in the cluster:
Unit "ASA3" in state MASTER
ID : 0
Version : 9.1(5)16
Serial No.: JMX1203L0NN
CCL IP : 10.100.203.1
CCL MAC : 5000.0023.0002
Last join : 14:42:34 UTC Oct 14 2019
Last leave: N/A
Switch output:
show etherchannel summary
Flags: D - down P - bundled in port-channel
I - stand-alone s - suspended
H - Hot-standby (LACP only)
R - Layer3 S - Layer2
U - in use N - not in use, no aggregation
f - failed to allocate aggregator
M - not in use, minimum links not met
m - not in use, port not aggregated due to minimum links not met
u - unsuitable for bundling
w - waiting to be aggregated
d - default port
A - formed by Auto LAG
Number of channel-groups in use: 1
Number of aggregators: 1
Group Port-channel Protocol Ports
------+-------------+-----------+-----------------------------------------------
1 Po1(SD) LACP Et0/0(s) Et0/1(s) Et1/0(s)
Et1/1(s)
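As an added example (not code from this thread, Cisco, or the poster), here is a small Python parser for the "show etherchannel summary" paste above and the %EC-5-L3DONTBNDL2 syslog line. It decodes the per-port flags, reports which members are not bundled, and attaches the syslog reason to the matching interface, so the state of Po1 can be checked without reading the raw table by eye. The first sample is the switch output from the thread; the second, healthy sample and the dict layout of the report are my own assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Member-port flags as printed in the legend of 'show etherchannel summary'.
PORT_FLAGS = {
    "D": "down",
    "P": "bundled in port-channel",
    "I": "stand-alone",
    "s": "suspended",
    "H": "hot-standby (LACP only)",
    "w": "waiting to be aggregated",
    "u": "unsuitable for bundling",
    "d": "default port",
}

# Syslog the switch emits when a member is suspended because it sends
# LACPDUs but receives none from the peer (the message seen for Et0/1).
SYSLOG_RE = re.compile(r"%EC-5-L3DONTBNDL2:\s+(\S+)\s+suspended:\s+(.+)$")
ROW_RE = re.compile(r"^\s*(\d+)\s+(Po\d+)\(([A-Za-z]+)\)\s+(\S+)\s+(.*)$")
PORT_RE = re.compile(r"([A-Za-z]+\d+(?:/\d+)*)\(([A-Za-z]*)\)")


@dataclass
class ChannelGroup:
    group: int
    name: str
    po_flags: str
    protocol: str
    members: Dict[str, str] = field(default_factory=dict)  # port -> flag letters

    def is_up(self) -> bool:
        # 'U' (in use) on the Po line means the aggregator is forwarding.
        return "U" in self.po_flags

    def unbundled(self) -> Dict[str, str]:
        """Members without the P (bundled) flag, flags decoded to text."""
        return {
            port: ", ".join(PORT_FLAGS.get(f, f) for f in flags) or "no flags"
            for port, flags in self.members.items()
            if "P" not in flags
        }


def parse_summary(text: str) -> List[ChannelGroup]:
    groups: List[ChannelGroup] = []
    in_table = False
    for line in text.splitlines():
        if line.lstrip().startswith("------+"):
            in_table = True          # header separator; rows follow
            continue
        if not in_table:
            continue                 # skip the flag legend and counters
        m = ROW_RE.match(line)
        if m:
            grp = ChannelGroup(int(m.group(1)), m.group(2), m.group(3), m.group(4))
            grp.members.update(PORT_RE.findall(m.group(5)))
            groups.append(grp)
        elif groups and PORT_RE.search(line):
            # IOS wraps long member lists onto continuation lines
            groups[-1].members.update(PORT_RE.findall(line))
    return groups


def parse_syslog_reasons(lines: List[str]) -> Dict[str, str]:
    """Map interface -> reason for every L3DONTBNDL2 suspension message."""
    return {m.group(1): m.group(2) for m in map(SYSLOG_RE.search, lines) if m}


def diagnose(summary_text: str, syslog_lines: List[str]) -> Dict[str, dict]:
    reasons = parse_syslog_reasons(syslog_lines)
    report = {}
    for grp in parse_summary(summary_text):
        report[grp.name] = {
            "up": grp.is_up(),
            "protocol": grp.protocol,
            "unbundled": {
                port: {"state": state, "reason": reasons.get(port, "no syslog seen")}
                for port, state in grp.unbundled().items()
            },
        }
    return report


# Switch output as pasted in the thread (wrapped line included).
SUMMARY = """\
Number of channel-groups in use: 1
Number of aggregators: 1
Group Port-channel Protocol Ports
------+-------------+-----------+-----------------------------------------------
1 Po1(SD) LACP Et0/0(s) Et0/1(s) Et1/0(s)
Et1/1(s)
"""
SYSLOG = ["%EC-5-L3DONTBNDL2: Et0/1 suspended: LACP currently not enabled on the remote port"]

# Constructed healthy sample (not from the thread) for comparison.
HEALTHY_SUMMARY = """\
Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
2      Po2(SU)         LACP      Gi1/0/1(P)    Gi1/0/2(P)
"""

if __name__ == "__main__":
    for po, info in diagnose(SUMMARY, SYSLOG).items():
        print(po, "up" if info["up"] else "DOWN", info["protocol"])
        for port, d in info["unbundled"].items():
            print(f"  {port}: {d['state']} ({d['reason']})")
```

Run against the paste, it reports Po1 as DOWN with all four members suspended, and only Et0/1 carrying the syslog reason; the healthy sample yields an up Po2 with no unbundled members.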
10-14-2019 07:57 AM
@Georg Pauwen I have removed both the commands but the PC is not coming up.
10-14-2019 08:53 AM
Hello
Did you remove the old PC config from the FW and set the physical interfaces to switchport mode?
Also try just creating the PC from the active ASA only and use a static PC (no LACP) on both the switch and the FW - test again.
10-14-2019 08:59 AM
Hi @paul driver. I did it with 'on' and it worked. But don't you think that it is against spanned clustering to work in any other mode than LACP?
10-14-2019 10:06 AM - edited 10-14-2019 10:13 AM
Glad it's now working. Sometimes LACP negotiation can impede the aggregation from forming, which is obviously what is happening here, and as I understand it LACP is indeed required for a spanned cluster. However, I'm not so sure if the cluster has to be in an active/active HA scenario for it to work? Probably need to check that!
Does the PC work when just connecting via the active ASA and using LACP? If not, have you tried using Cisco's own proprietary link negotiation, PAgP?
10-17-2019 09:06 AM
Hi @paul driver,
I am practicing it on a Layer 2 (IOL image) switch and a Cisco ASA image (asa915-16-k8-CL-L). Do you suspect any compatibility issues with these images?