04-22-2014 08:02 AM - edited 03-07-2019 07:10 PM
Hello,
I have two ASA5585x ASAs in a basic Active/Standby configuration in multiple context mode. Failover is configured and working, and the ports appear in the ASA port-channel bundle. However, on the single switch (testing) that they are both connected to, the standby ports are not part of the bundle, although they are correctly configured. The switch ports connected to the standby ASA are orange. Spanning tree is disabled for the VLANs.
Failover from active to standby is ok.
I can't issue "failover active" on the primary ASA: because the switch ports it's connected to are orange/not part of the bundle, it fails and goes back to standby.
If I pull the active/secondary unit's cables, the primary unit becomes active and the switch ports it's connected to go green.
The question is, I guess, why are the switch ports that the standby ASA connects to in 'stand-alone' mode?
Thanks
Chris
ASA Config.
!
interface GigabitEthernet0/0
description # Channel Group 10 to Nexus #
channel-group 10 mode active
!
interface GigabitEthernet0/1
description # Channel Group 10 to Nexus #
channel-group 10 mode active
!
interface Port-channel10
description - Port Channel to Nexus
!
interface Port-channel10.2
description Management / Inside interface to Corp
vlan 2
!
interface Port-channel10.4
description DINGDONG Interface
vlan 4
!
show port-channel 10
Span-cluster port-channel: No
Ports: 6 Maxports = 16
Port-channels: 1 Max Port-channels = 48
Protocol: LACP/ active
Minimum Links: 1
Maximum Bundle: 8
Load balance: src-dst-ip
show int port-channel 10
Interface Port-channel10 "", is up, line protocol is up
Hardware is EtherChannel/LACP, BW 200 Mbps, DLY 10 usec
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
Input flow control is unsupported, output flow control is off
Description: - Port Channel to Nexus (not really its a single 2960 switch)
Available for allocation to a context
MAC address 3c08.f6a9.3586, MTU not set
IP address unassigned
Members in this channel:
Active: Gi0/1 Gi0/0
Inactive: Gi0/4 Gi0/3 Gi0/2 Gi0/5
The switch...
!
interface Port-channel10
description * port ch 10 for Cust apps to firewall. *
switchport trunk encapsulation dot1q
switchport mode trunk
!
!
interface FastEthernet0/21
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 10 mode active
spanning-tree portfast
!
interface FastEthernet0/22
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 10 mode active
!
interface FastEthernet0/23
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 10 mode active
!
interface FastEthernet0/24
description Port-channel 10
switchport trunk encapsulation dot1q
switchport mode trunk
channel-group 10 mode active
!
Port-channels in the group:
---------------------------
Port-channel: Po10 (Primary Aggregator)
------------
Age of the Port-channel = 0d:05h:41m:20s
Logical slot/port = 1/1 Number of ports = 2
HotStandBy port = null
Port state = Port-channel Ag-Inuse
Protocol = LACP
Ports in the Port-channel:
Index Load Port EC state No of bits
------+------+------+------------------+-----------
0 00 Fa0/22 Active 0
0 00 Fa0/24 Active 0
Time since last port bundled: 0d:01h:01m:30s Fa0/24
Time since last port Un-bundled: 0d:01h:01m:44s Fa0/21
CS-Switch#show etherchannel 10 summary
Flags: D - down P - in port-channel
I - stand-alone s - suspended
H - Hot-standby (LACP only)
R - Layer3 S - Layer2
u - unsuitable for bundling
U - in use f - failed to allocate aggregator
d - default port
Number of channel-groups in use: 1
Number of aggregators: 1
Group Port-channel Protocol Ports
------+-------------+-----------+-----------------------------------------------
10 Po10(SU) LACP Fa0/21(I) Fa0/22(P) Fa0/23(I)
Fa0/24(P)
Ports in the group:
-------------------
Port: Fa0/21
------------
Port state = Up Sngl-port-Bndl Mstr Not-in-Bndl
Channel group = 10 Mode = Active Gcchange = -
Port-channel = null GC = - Pseudo port-channel = Po10
Port index = 0 Load = 0x00 Protocol = LACP
Flags: S - Device is sending Slow LACPDUs F - Device is sending fast LACPDUs.
A - Device is in active mode. P - Device is in passive mode.
Local information:
LACP port Admin Oper Port Port
Port Flags State Priority Key Key Number State
Fa0/21 SA indep 32768 0xA 0xA 0x15 0x5
Partner's information:
LACP port Oper Port Port
Port Flags Priority Dev ID Age Key Number State
Fa0/21 FA 32768 3c08.f6a9.357a 13s 0xA 0x2 0xF
Age of the port in the current state: 0d:01h:00m:28s
Port: Fa0/22
------------
Port state = Up Mstr In-Bndl
Channel group = 10 Mode = Active Gcchange = -
Port-channel = Po10 GC = - Pseudo port-channel = Po10
Port index = 0 Load = 0x00 Protocol = LACP
Flags: S - Device is sending Slow LACPDUs F - Device is sending fast LACPDUs.
A - Device is in active mode. P - Device is in passive mode.
Local information:
LACP port Admin Oper Port Port
Port Flags State Priority Key Key Number State
Fa0/22 SA bndl 32768 0xA 0xA 0x16 0x3D
Partner's information:
LACP port Oper Port Port
Port Flags Priority Dev ID Age Key Number State
Fa0/22 SA 32768 3c08.f6a9.3586 17s 0xA 0x2 0x3D
Age of the port in the current state: 0d:00h:59m:55s
Port: Fa0/23
------------
Port state = Up Sngl-port-Bndl Mstr Not-in-Bndl
Channel group = 10 Mode = Active Gcchange = -
Port-channel = null GC = - Pseudo port-channel = Po10
Port index = 0 Load = 0x00 Protocol = LACP
Flags: S - Device is sending Slow LACPDUs F - Device is sending fast LACPDUs.
A - Device is in active mode. P - Device is in passive mode.
Local information:
LACP port Admin Oper Port Port
Port Flags State Priority Key Key Number State
Fa0/23 SA indep 32768 0xA 0xA 0x17 0x5
Partner's information:
LACP port Oper Port Port
Port Flags Priority Dev ID Age Key Number State
Fa0/23 FA 32768 3c08.f6a9.357a 4s 0xA 0x1 0xF
Age of the port in the current state: 0d:01h:00m:34s
Port: Fa0/24
------------
Port state = Up Mstr In-Bndl
Channel group = 10 Mode = Active Gcchange = -
Port-channel = Po10 GC = - Pseudo port-channel = Po10
Port index = 0 Load = 0x00 Protocol = LACP
Flags: S - Device is sending Slow LACPDUs F - Device is sending fast LACPDUs.
A - Device is in active mode. P - Device is in passive mode.
Local information:
LACP port Admin Oper Port Port
Port Flags State Priority Key Key Number State
Fa0/24 SA bndl 32768 0xA 0xA 0x18 0x3D
Partner's information:
LACP port Oper Port Port
Port Flags Priority Dev ID Age Key Number State
Fa0/24 SA 32768 3c08.f6a9.3586 3s 0xA 0x1 0x3D
Age of the port in the current state: 0d:00h:59m:57s
11-07-2016 04:48 AM
Little late on this answer but others may find this helpful.
Port channels on ASAs in an Active/Standby configuration have two different system IDs that are presented to the device that the EtherChannel is being formed with. To account for this, on the switch side the interfaces need to be in two separate port channels, like the following:
Firewall A Portchannel 10 -> Switch A on PortChannel 10
Firewall B Portchannel 10 -> Switch A on PortChannel 20
The firewall does not act in the same manner as a vPC from a Nexus switch, where the system ID in the port channel is the same for both devices. Configured as above, it should result in both ports being bundled on both firewalls and on the switch side.
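Added example, not part of the original posts: a Python check that groups the switch's LACP partner rows by Dev ID and decodes the partner port state, using rows copied from the output in the question. The function names are made up for this illustration; the state bit names follow IEEE 802.1AX.

```python
import re
from collections import defaultdict

# Rows copied from the switch output in the question (channel group 10).
# The first row is a "Local information" row and must be ignored.
SAMPLE = """\
Fa0/21 SA indep 32768 0xA 0xA 0x15 0x5
Fa0/21 FA 32768 3c08.f6a9.357a 13s 0xA 0x2 0xF
Fa0/22 SA 32768 3c08.f6a9.3586 17s 0xA 0x2 0x3D
Fa0/23 FA 32768 3c08.f6a9.357a 4s 0xA 0x1 0xF
Fa0/24 SA 32768 3c08.f6a9.3586 3s 0xA 0x1 0x3D
"""

# Partner rows are the only ones carrying a MAC-style Dev ID column.
PARTNER_ROW = re.compile(
    r"^\s*(?P<port>\S+)\s+[SFAP]{2}\s+\d+\s+"
    r"(?P<dev_id>(?:[0-9a-f]{4}\.){2}[0-9a-f]{4})\s+\d+s\s+"
    r"0x[0-9a-f]+\s+0x[0-9a-f]+\s+(?P<state>0x[0-9a-f]+)\s*$",
    re.I | re.M,
)

# IEEE 802.1AX (802.3ad) LACP port state bits, least significant first.
STATE_BITS = ("activity", "timeout", "aggregation", "synchronization",
              "collecting", "distributing", "defaulted", "expired")


def decode_state(value):
    """Return the names of the bits set in an LACP port state byte."""
    return [name for i, name in enumerate(STATE_BITS) if value >> i & 1]


def partners(text):
    """Map each partner system ID to its ports and decoded partner state."""
    found = defaultdict(dict)
    for m in PARTNER_ROW.finditer(text):
        found[m["dev_id"].lower()][m["port"]] = decode_state(int(m["state"], 16))
    return dict(found)


def needs_split(text):
    """True when one channel group sees more than one LACP partner system."""
    return len(partners(text)) > 1


if __name__ == "__main__":
    for dev_id, ports in partners(SAMPLE).items():
        print(dev_id, ports)
    print("separate port-channels needed:", needs_split(SAMPLE))
```

On the question's output this reports two partner system IDs in group 10, with only the 3c08.f6a9.3586 ports showing the collecting and distributing bits.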
01-24-2018 03:36 PM
Found this post when I was researching for my own issue related...
I wonder if this is something ASA code changed in 9.8.x. I have a pair of new ASA-x and I put all four interfaces on the switch side into the same EtherChannel. They all show up in the bundle; just the ones connected to the Secondary ASA are suspended, but failover worked just fine for me.