EtherChannel blocking incoming packets??

Gioacchino · ‎06-17-2024

[C9300-48P 17.03.04]

I had the L2 etherchannel (directly connected to a Fortinet 100E) working for maximum of a half day, now it seems incmoing packets are dropped.

Behind the etherchannel there are different MAC addresses. It's true that the switch is configured with many restrict rules at global level, but I removed them from the PoX and from the members of the etherchannel.

While pinging IP addresses on the Fortinet side, I can see the ICMP request and replies from the interfaces but it seems they are not allowed to enter the switch.

the MAC-address table looks good, port-security shows that the physical interfaces involved are not impacted. "ip arp insepction trust" is enabled on the PoX and the members.

Logs don't show anything (I anonymized the MAC addresses but be sure they are different in the output). Both sides the etherchannel is up, as well as the interfaces.

SWITCH#show port-security interface g1/0/15
Port Security : Disabled
Port Status : Secure-down
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 0
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : e81c.****.cccc:100
Security Violation Count : 0

SWITCH#show port-security interface g1/0/18
Port Security : Disabled
Port Status : Secure-down
Violation Mode : Shutdown
Aging Time : 0 mins
Aging Type : Absolute
SecureStatic Address Aging : Disabled
Maximum MAC Addresses : 1
Total MAC Addresses : 0
Configured MAC Addresses : 0
Sticky MAC Addresses : 0
Last Source Address:Vlan : e81c.****.bbbb:100
Security Violation Count : 0

I don't know what think more...

Gio

Kasun Bandara · ‎06-17-2024

@Gioacchino hi, according to output your port security is not in effect. so its not blocking the traffic due to port security. check if your VLANs and Port channel status.

share the#sh vlan, #sh ether-channel sum

Please rate this and mark as solution/answer, if this resolved your issue
Good luck
KB

Gioacchino · ‎06-17-2024

@Kasun Bandara,

all looks good. The etherchannel is up

Group Port-channel Protocol Ports
------+-------------+-----------+-----------------------------------------------
99 Po99(SU) LACP Gi1/0/15(P) Gi1/0/18(P)

The VLAN is there from before, the MAC-address table shows the MAC addresses on the side of the Fortinet are behind the right interface, i.e. po99.

Gio

MHM Cisco World · ‎06-17-2024

Yes mac is learn from po99 but in which vlan?

MHM

Gioacchino · ‎06-17-2024

Yes, in the right VLAN.

show mac address-table dynamic interface po99

shows that the MAC address has been learnt in the right VLAN.

MHM Cisco World · ‎06-17-2024

9000#show controllers ethernet-controller interface x/x/x | i ValidOverSize

can you share this for interface connect to FW

also share
show port-channel summary

MHM

Gioacchino · ‎06-18-2024

SWITCH#show controllers ethernet-controller g1/0/15 | i ValidOverSize
0 Deferred frames 0 ValidOverSize frames
SWITCH#show controllers ethernet-controller g1/0/18 | i ValidOverSize
0 Deferred frames 0 ValidOverSize frames
SWITCH#show etherchannel summary
Flags: D - down P - bundled in port-channel
I - stand-alone s - suspended
H - Hot-standby (LACP only)
R - Layer3 S - Layer2
U - in use f - failed to allocate aggregator

M - not in use, minimum links not met
u - unsuitable for bundling
w - waiting to be aggregated
d - default port

A - formed by Auto LAG

Number of channel-groups in use: 1
Number of aggregators: 1

Group Port-channel Protocol Ports
------+-------------+-----------+-----------------------------------------------
99 Po99(SU) LACP Gi1/0/15(P) Gi1/0/18(P)

MHM Cisco World · ‎06-18-2024

ping from FW and use below in SW to see if SW see the packet or not

9300_54#monitor capture CL interface PO99 in
9300_54#monitor capture CL match any
9300_54#monitor capture CL start
9300_54#monitor capture CL stop <<- dont forget stop capture to not full your memory
9300_54#monitor capture CL export location flash:cl.pcap
9300_54#sh monitor capture file flash:cl.pcap display-filter arp

MHM

MHM Cisco World · ‎06-20-2024

Any News

MHM

Gioacchino · ‎06-20-2024

Maybe some punctuation?
Anyway, it's an ongoing process with TAC. So far, we can see that there is nothing wrong in the way how the etherchannel was built.

Let's see...

MHM Cisco World · ‎06-20-2024

Ok' let wait TAC reply

Can yoh share

Show interface <PO99> accounting

When issue appear again

Thanks

MHM