
ASA 5585x Active/Standby - Port-Channel - Standby ports not in the bundle.

c-davies
Level 1

Hello, 

 

I have two ASA 5585-X units in a basic Active/Standby configuration in multiple context mode. The failover is configured and working, and the ports appear in the ASA port-channel bundle. However, on the single switch (testing) they are both connected to, the standby ports are not part of the bundle but are correctly configured. The switch ports connected to the standby ASA are orange. Spanning tree is disabled for the VLANs.

Failover from active to standby is ok. 

I can't issue "failover active" on the primary ASA: as the switch ports it's connected to are orange/not part of the bundle, it fails and goes back to standby.

If I pull the active/secondary unit's cables, the primary unit becomes active and the switch ports it's connected to go green.

The question is, I guess, why are the switch ports that the standby ASA connects to in 'stand-alone' mode?

 

Thanks

Chris

 

 

 

ASA Config.

!
interface GigabitEthernet0/0
 description # Channel Group 10 to Nexus #
 channel-group 10 mode active
!
interface GigabitEthernet0/1
 description # Channel Group 10 to Nexus #
 channel-group 10 mode active

!

interface Port-channel10
 description - Port Channel to Nexus
!
interface Port-channel10.2
 description Management / Inside interface to Corp
 vlan 2
!
interface Port-channel10.4
 description DINGDONG Interface
 vlan 4
!

 

 

show port-channel 10
Span-cluster port-channel: No
Ports: 6   Maxports = 16
Port-channels: 1 Max Port-channels = 48
Protocol: LACP/ active
Minimum Links: 1
Maximum Bundle: 8
Load balance: src-dst-ip

show int port-channel 10
Interface Port-channel10 "", is up, line protocol is up
  Hardware is EtherChannel/LACP, BW 200 Mbps, DLY 10 usec
        Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
        Input flow control is unsupported, output flow control is off
        Description: - Port Channel to Nexus (not really its a single 2960 switch)
        Available for allocation to a context
        MAC address 3c08.f6a9.3586, MTU not set
        IP address unassigned
  Members in this channel:
      Active:   Gi0/1 Gi0/0
      Inactive: Gi0/4 Gi0/3 Gi0/2 Gi0/5

 

The switch...

 

!
interface Port-channel10
 description * port ch 10 for Cust apps to firewall. *
 switchport trunk encapsulation dot1q
 switchport mode trunk

!

!
interface FastEthernet0/21
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 10 mode active
 spanning-tree portfast
!
interface FastEthernet0/22
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 10 mode active
!
interface FastEthernet0/23
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 10 mode active
!
interface FastEthernet0/24
 description Port-channel 10
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 10 mode active
!

 

 Port-channels in the group:
                ---------------------------

Port-channel: Po10    (Primary Aggregator)

------------

Age of the Port-channel   = 0d:05h:41m:20s
Logical slot/port   = 1/1          Number of ports = 2
HotStandBy port = null
Port state          = Port-channel Ag-Inuse
Protocol            =   LACP

Ports in the Port-channel:

Index   Load   Port     EC state        No of bits
------+------+------+------------------+-----------
  0     00     Fa0/22   Active             0
  0     00     Fa0/24   Active             0

Time since last port bundled:    0d:01h:01m:30s    Fa0/24
Time since last port Un-bundled: 0d:01h:01m:44s    Fa0/21

 

 

CS-Switch#show etherchannel 10 summary
Flags:  D - down        P - in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        u - unsuitable for bundling
        U - in use      f - failed to allocate aggregator
        d - default port

Number of channel-groups in use: 1
Number of aggregators:           1

Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
10     Po10(SU)        LACP      Fa0/21(I)   Fa0/22(P)   Fa0/23(I)
                                 Fa0/24(P)

 

 

 

 

                Ports in the group:
                -------------------
Port: Fa0/21
------------

Port state    = Up Sngl-port-Bndl Mstr Not-in-Bndl
Channel group = 10          Mode = Active          Gcchange = -
Port-channel  = null        GC   =   -             Pseudo port-channel = Po10
Port index    = 0           Load = 0x00            Protocol =   LACP

Flags:  S - Device is sending Slow LACPDUs   F - Device is sending fast LACPDUs.
        A - Device is in active mode.        P - Device is in passive mode.

Local information:
                            LACP port     Admin     Oper    Port     Port
Port      Flags   State     Priority      Key       Key     Number   State
Fa0/21    SA      indep     32768         0xA       0xA     0x15     0x5

Partner's information:

                  LACP port                        Oper    Port     Port
Port      Flags   Priority  Dev ID         Age     Key     Number   State
Fa0/21    FA      32768     3c08.f6a9.357a  13s    0xA     0x2      0xF

Age of the port in the current state: 0d:01h:00m:28s

Port: Fa0/22
------------

Port state    = Up Mstr In-Bndl
Channel group = 10          Mode = Active          Gcchange = -
Port-channel  = Po10        GC   =   -             Pseudo port-channel = Po10
Port index    = 0           Load = 0x00            Protocol =   LACP

Flags:  S - Device is sending Slow LACPDUs   F - Device is sending fast LACPDUs.
        A - Device is in active mode.        P - Device is in passive mode.

Local information:
                            LACP port     Admin     Oper    Port     Port
Port      Flags   State     Priority      Key       Key     Number   State
Fa0/22    SA      bndl      32768         0xA       0xA     0x16     0x3D

Partner's information:

                  LACP port                        Oper    Port     Port
Port      Flags   Priority  Dev ID         Age     Key     Number   State
Fa0/22    SA      32768     3c08.f6a9.3586  17s    0xA     0x2      0x3D

Age of the port in the current state: 0d:00h:59m:55s

Port: Fa0/23
------------

Port state    = Up Sngl-port-Bndl Mstr Not-in-Bndl
Channel group = 10          Mode = Active          Gcchange = -
Port-channel  = null        GC   =   -             Pseudo port-channel = Po10
Port index    = 0           Load = 0x00            Protocol =   LACP

Flags:  S - Device is sending Slow LACPDUs   F - Device is sending fast LACPDUs.
        A - Device is in active mode.        P - Device is in passive mode.

Local information:
                            LACP port     Admin     Oper    Port     Port
Port      Flags   State     Priority      Key       Key     Number   State
Fa0/23    SA      indep     32768         0xA       0xA     0x17     0x5

Partner's information:

                  LACP port                        Oper    Port     Port
Port      Flags   Priority  Dev ID         Age     Key     Number   State
Fa0/23    FA      32768     3c08.f6a9.357a   4s    0xA     0x1      0xF

Age of the port in the current state: 0d:01h:00m:34s

Port: Fa0/24
------------

Port state    = Up Mstr In-Bndl
Channel group = 10          Mode = Active          Gcchange = -
Port-channel  = Po10        GC   =   -             Pseudo port-channel = Po10
Port index    = 0           Load = 0x00            Protocol =   LACP

Flags:  S - Device is sending Slow LACPDUs   F - Device is sending fast LACPDUs.
        A - Device is in active mode.        P - Device is in passive mode.

Local information:
                            LACP port     Admin     Oper    Port     Port
Port      Flags   State     Priority      Key       Key     Number   State
Fa0/24    SA      bndl      32768         0xA       0xA     0x18     0x3D

Partner's information:

                  LACP port                        Oper    Port     Port
Port      Flags   Priority  Dev ID         Age     Key     Number   State
Fa0/24    SA      32768     3c08.f6a9.3586   3s    0xA     0x1      0x3D

Age of the port in the current state: 0d:00h:59m:57s

 


solareonx
Level 1

Little late on this answer but others may find this helpful.

Port channels on ASAs in an Active/Standby configuration have two different system IDs that are presented to the device that the EtherChannel is being formed with. To account for this on the switch side, the interfaces need to be in two separate port channels, like the following:

Firewall A Portchannel 10 -> Switch A on PortChannel 10

Firewall B Portchannel 10 -> Switch A on PortChannel 20

The firewall does not act in the same manner as a vPC from a Nexus switch, where the system ID in the port channel is the same for both devices. Configuring it as above should result in both ports being bundled on both firewalls and on the switch side.

Found this post when I was researching for my own issue related...

 

Wonder if this is something ASA code changed in 9.8.x. I have a pair of new ASA-X units and I put all four interfaces on the switch side into the same EtherChannel. They all show up in the bundle; just the ones connected to the Secondary ASA are suspended, but failover worked just fine for me.
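The switch output in the original post already shows the condition the first reply describes: Fa0/22 and Fa0/24 see partner Dev ID 3c08.f6a9.3586, while Fa0/21 and Fa0/23 see 3c08.f6a9.357a. The following Python script is an added example, not part of the thread; it parses those local and partner rows and reports when one channel-group faces more than one LACP partner system ID (the function names `parse`, `diagnose` and `needs_split` are hypothetical).

```python
import re
from collections import defaultdict

# Local and partner rows copied from the "show etherchannel" detail output in
# the original post; headers and flag legends are omitted.
SAMPLE = """\
Fa0/21    SA      indep     32768         0xA       0xA     0x15     0x5
Fa0/21    FA      32768     3c08.f6a9.357a  13s    0xA     0x2      0xF
Fa0/22    SA      bndl      32768         0xA       0xA     0x16     0x3D
Fa0/22    SA      32768     3c08.f6a9.3586  17s    0xA     0x2      0x3D
Fa0/23    SA      indep     32768         0xA       0xA     0x17     0x5
Fa0/23    FA      32768     3c08.f6a9.357a   4s    0xA     0x1      0xF
Fa0/24    SA      bndl      32768         0xA       0xA     0x18     0x3D
Fa0/24    SA      32768     3c08.f6a9.3586   3s    0xA     0x1      0x3D
"""

# Local row: port, flags, state word (indep/bndl), priority, then hex keys.
LOCAL = re.compile(r"^(\S+)\s+[SFAP]{2}\s+([A-Za-z]\S*)\s+\d+\s+0x")
# Partner row: port, flags, priority, then the partner's LACP system ID (Dev ID).
PARTNER = re.compile(r"^(\S+)\s+[SFAP]{2}\s+\d+\s+((?:[0-9a-f]{4}\.){2}[0-9a-f]{4})\s")

def parse(text):
    """Return ({partner system ID: [ports]}, {port: local state})."""
    by_sysid, state = defaultdict(list), {}
    for line in text.splitlines():
        if m := LOCAL.match(line):
            state[m.group(1)] = m.group(2)
        elif m := PARTNER.match(line):
            by_sysid[m.group(2)].append(m.group(1))
    return dict(by_sysid), state

def diagnose(text):
    """Per partner system ID: member ports and whether all of them bundled."""
    by_sysid, state = parse(text)
    return {
        sysid: {"ports": sorted(ports),
                "bundled": all(state.get(p) == "bndl" for p in ports)}
        for sysid, ports in by_sysid.items()
    }

def needs_split(text):
    """True when one channel-group faces more than one LACP partner system."""
    return len(parse(text)[0]) > 1

if __name__ == "__main__":
    for sysid, info in diagnose(SAMPLE).items():
        print(sysid, info["ports"], "bundled" if info["bundled"] else "NOT bundled")
    print("separate port-channel per firewall needed:", needs_split(SAMPLE))
```

Each group of ports that shares a partner system ID corresponds to one firewall, which is the per-firewall port-channel split the first reply recommends.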
