
CISCO 2960X etherchannel with Checkpoint / Span blocking one member after software upgrade

Good evening,

 

We are running a CISCO 2960X with an LACP etherchannel to a port bond on our Checkpoint, with about 7 VLANs using the bond.

This was running fine on 15.2(2)E4.

In a short maintenance we rebooted the switch, knowing that it would upgrade to 15.2(4)E7. 

 

After that, one member of the etherchannel got blocked, but only for two different VLANs. Following that, Checkpoint's ARP table became incomplete.

We did some research for about three hours but couldn't find the solution.

Finally we backed up to the previous version.

Does someone have an idea what could have caused this? Or did we just face a mean bug?

 

 

Greetings

3 Accepted Solutions

balaji.bandi
Hall of Fame

Can you post the interface (PO) config and what the logs show when it is blocking, so we can understand?

Show the spanning tree for those VLANs.

Is this Checkpoint HA or single? If HA, is this SecureXL or ClusterXL?

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help


Hi there! Thank you for your fast reply.

Checkpoint is running on ClusterXL.

 

The Port-Channel and its ports are configured as follows:

Both Gigabit ports are configured for trunk and channel-group 20 mode active.

interface Port-channel20
 description Checkpoint
 switchport mode trunk

 

 

Here are the logs we still have after rebooting and downgrading:

 

On switch

VLAN0555
  Spanning tree enabled protocol rstp
  Root ID    Priority    33323
             Address     00b0.e1f7.0b00
             Cost        3
             Port        528 (Port-channel10)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    33323  (priority 32768 sys-id-ext 555)
             Address     346f.90f2.3000
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi1/0/10            Desg FWD 4         128.10   P2p
Gi1/0/27            Desg FWD 4         128.27   P2p Edge
Gi1/0/28            Desg FWD 4         128.28   P2p Edge
Gi1/0/29            Desg FWD 4         128.29   P2p Edge
Gi1/0/30            Desg FWD 4         128.30   P2p Edge
Gi1/0/39            Desg FWD 4         128.39   P2p Edge
Po10                Root FWD 3         128.528  P2p
Po20                Desg BLK 3         128.608  P2p

 

On Checkpoint
Checkpoint# cphaprob -a if

CCP mode: Automatic
Required interfaces: 11
Required secured interfaces: 1

bond2 UP non sync(non secured), unicast, bond Load Sharing
eth6 UP non sync(non secured), unicast (eth6.523)
bond0 DOWN (1795.9 secs) non sync(non secured), unicast, bond Load Sharing (bond0.3953)
eth3 UP non sync(non secured), unicast (eth3.1301)
eth1 UP non sync(non secured), unicast (eth1.85)
bond0 DOWN (1795.9 secs) non sync(non secured), unicast, bond Load Sharing (bond0.555)
eth5 UP non sync(non secured), unicast (eth5.790)
eth1 UP sync(secured), unicast (eth1.751)
eth3 UP non sync(non secured), unicast (eth3.255)
eth4 UP non sync(non secured), unicast (eth4.3952)
eth4 UP non sync(non secured), unicast (eth4.110)
eth6 UP non sync(non secured), unicast (eth6.118)
eth5 UP non sync(non secured), unicast (eth5.780)

 

I'm upset that is all we got.

 

 


This is the worrying part:

 

Po20 Desg BLK 3 128.608 P2p

BB
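
An added example, not part of the original posts: a small Python parser that cross-checks the two outputs posted above, listing VLANs where the switch shows a port in BLK state and the firewall reports the matching VLAN interface DOWN, plus DOWN VLANs for which no spanning-tree output was captured. The sample text is excerpted from the outputs in this thread; the function names are illustrative.

```python
import re

# Excerpts of the outputs posted in this thread (only the lines the parser needs).
STP_OUTPUT = """\
VLAN0555
Interface Role Sts Cost Prio.Nbr Type
Gi1/0/10 Desg FWD 4 128.10 P2p
Po10 Root FWD 3 128.528 P2p
Po20 Desg BLK 3 128.608 P2p
"""
CPHAPROB_OUTPUT = """\
bond2 UP non sync(non secured), unicast, bond Load Sharing
bond0 DOWN (1795.9 secs) non sync(non secured), unicast, bond Load Sharing (bond0.3953)
bond0 DOWN (1795.9 secs) non sync(non secured), unicast, bond Load Sharing (bond0.555)
eth1 UP sync(secured), unicast (eth1.751)
"""

def blocked_ports(stp_text):
    """Return {vlan_id: [(port, role)]} for every port whose Sts column is BLK."""
    blocked, vlan = {}, None
    for line in stp_text.splitlines():
        header = re.fullmatch(r"VLAN(\d{4})", line.strip())
        if header:
            vlan = int(header.group(1))
            continue
        row = re.match(r"\s*(\S+)\s+(Root|Desg|Altn|Back)\s+(\S+)\s", line)
        if row and vlan is not None and row.group(3).startswith("BLK"):
            blocked.setdefault(vlan, []).append((row.group(1), row.group(2)))
    return blocked

def down_vlan_interfaces(cphaprob_text):
    """Return {vlan_id: parent_interface} for VLAN interfaces reported DOWN."""
    down = {}
    for line in cphaprob_text.splitlines():
        m = re.match(r"\s*(\S+)\s+DOWN\b.*\((\S+)\.(\d+)\)\s*$", line)
        if m:
            down[int(m.group(3))] = m.group(2)
    return down

def correlate(stp_text, cphaprob_text):
    """List (vlan, switch_port, stp_role, firewall_interface) seen on both sides."""
    down = down_vlan_interfaces(cphaprob_text)
    return [(vlan, port, role, f"{down[vlan]}.{vlan}")
            for vlan, ports in sorted(blocked_ports(stp_text).items())
            for port, role in ports if vlan in down]

def vlans_needing_stp_capture(stp_text, cphaprob_text):
    """VLANs DOWN on the firewall for which no spanning-tree output was collected."""
    seen = {int(v) for v in re.findall(r"^VLAN(\d{4})\s*$", stp_text, re.M)}
    return sorted(set(down_vlan_interfaces(cphaprob_text)) - seen)
```

On the posted data this pairs Po20 (designated, blocking) in VLAN 555 with bond0.555 being DOWN, and flags VLAN 3953 as the second affected VLAN whose spanning-tree output is missing from the thread.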
