07-22-2013 10:52 AM - edited 03-07-2019 02:31 PM
Hi,
I have two ASA 5515s connected in Active/Standby failover (on Gi0/5).
My two ASAs are connected to two ProCurve 2920 switches to have HA if something happens. So I plugged it in something like this (don't pay attention to the arrows):
So on the ASA, I created a Port-Channel like this:
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 192.168.1.3 255.255.255.0 standby 192.168.1.4
!
interface GigabitEthernet0/1
speed 1000
duplex full
channel-group 1 mode passive
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/2
speed 1000
duplex full
channel-group 1 mode passive
no nameif
no security-level
no ip address
!
interface Port-channel1.1
vlan 1
nameif inside
security-level 100
ip address 192.168.8.1 255.255.255.0 standby 192.168.8.2
!
interface Port-channel1.10
vlan 10
nameif guest
security-level 50
ip address 172.16.100.2 255.255.255.224 standby 172.16.100.3
!
interface Port-channel1.16
vlan 16
nameif dmz
security-level 50
ip address 192.168.16.1 255.255.255.0 standby 192.168.16.2
On the switches, I created an LACP-capable trunk with ports 1 and 2 on each switch, forced the speed to 1000 and put the ports in full duplex mode.
BUT this is not working... I tried many things and I can't make it work.
In this configuration, I can't ping anything between my ASA and my switch (or any object connected). Here is what I get on my ASA:
Channel group 1
               LACP port     Admin     Oper    Port      Port
Port    Flags  State         Priority  Key     Key       Number    State
-----------------------------------------------------------------------------
Gi0/2   SP     not-bndl      32768     0x1     0x1       0x3       0xc
Gi0/1   FP     not-bndl      32768     0x1     0x1       0x2       0x6
And on the switches:
PORT   LACP      TRUNK   PORT     LACP      LACP
NUMB   ENABLED   GROUP   STATUS   PARTNER   STATUS
-----  -------   -----   ------   -------   ------
1      Active    trk1    Broken   Yes       Failure
2      Active    trk1    Broken   Yes       Failure
If I change the Cisco interfaces to LACP mode On, I can ping the switch from the ASA but not any other objects connected to the switch. If I look at the LACP status on the switch I see this:
PORT   LACP      TRUNK   PORT     LACP      LACP
NUMB   ENABLED   GROUP   STATUS   PARTNER   STATUS
-----  -------   -----   ------   -------   ------
1      Active    trk1    Up       No        Success
2      Active    trk1    Up       No        Success
I don't have any clue what's going on, so if someone has any idea and can help me on this, it would be great!
Feel free to ask me anything if you need any more information !
Thanks a lot !
07-22-2013 01:28 PM
Romain,
I am afraid this won't work. All physical links in an EtherChannel must be connected between the same pair of devices. In your case, this requirement is not met, so an EtherChannel can not be deployed successfully.
I do not actually see a need or a sensible use for EtherChannels in your network, though. What were you trying to accomplish?
Best regards,
Peter
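An added check, not from anyone in this thread, that encodes Peter's rule in code: it parses the channel-group table Romain posted and, given a neighbour map (constructed here, as LLDP/CDP would report it; the chassis names are hypothetical), reports members that are not bundled and members that terminate on different partner devices.

```python
import re
from collections import defaultdict

# Constructed sample: the "Channel group 1" table from the post. Column spacing
# is illustrative; only the token order matters to the parser below.
ASA_OUTPUT = """Channel group 1
               LACP port     Admin     Oper    Port      Port
Port    Flags  State         Priority  Key     Key       Number    State
-----------------------------------------------------------------------------
Gi0/2   SP     not-bndl      32768     0x1     0x1       0x3       0xc
Gi0/1   FP     not-bndl      32768     0x1     0x1       0x2       0x6
"""

# Constructed neighbour map (ASA port -> partner chassis), hypothetical names.
NEIGHBORS = {"Gi0/1": "procurve-A", "Gi0/2": "procurve-B"}

# One member line: port, flags, state, priority, admin key, oper key (rest ignored).
MEMBER_RE = re.compile(
    r"^(Gi\d+/\d+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(0x[0-9a-f]+)\s+(0x[0-9a-f]+)", re.I)

def parse_channel_members(text):
    """Return {port: {flags, state, admin_key, oper_key}} for each member line."""
    members = {}
    for line in text.splitlines():
        m = MEMBER_RE.match(line.strip())
        if m:
            port, flags, state, _prio, admin_key, oper_key = m.groups()
            members[port] = {"flags": flags, "state": state,
                             "admin_key": admin_key, "oper_key": oper_key}
    return members

def audit_channel(members, neighbors):
    """Flag members not in 'bndl' state, and a channel whose members span partners."""
    findings = []
    for port, info in sorted(members.items()):
        if info["state"] != "bndl":
            findings.append(f"{port}: LACP state {info['state']} (flags {info['flags']})")
    by_neighbor = defaultdict(list)
    for port in members:
        by_neighbor[neighbors.get(port, "unknown")].append(port)
    if len(by_neighbor) > 1:
        spread = ", ".join(f"{n}={sorted(p)}" for n, p in sorted(by_neighbor.items()))
        findings.append(f"members span {len(by_neighbor)} partner devices ({spread}); "
                        "all links of one EtherChannel must go to the same device pair")
    return findings

if __name__ == "__main__":
    for finding in audit_channel(parse_channel_members(ASA_OUTPUT), NEIGHBORS):
        print(finding)
```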
07-22-2013 10:39 PM
Hi Peter,
Thank you for helping me.
Basically, I would like to be able to "lose a switch" and be sure that the other switch can still work and contact the firewalls.
I would like to distribute all my VLANs through the trunk (and the IPs associated) and be sure that the primary ASA can be reached by the same IP on the two switches.
I'm trying to make something redundant.
Do you think it's possible?
Have a nice day
Romain