LACP : Cisco ASA 5515 & Switch ProCurve 2920

romainamardeil · ‎07-22-2013

Hi,

I've two ASAs 5515 connected in failover Active/Stand by (on Gi0/5)

My two ASAs are connected to two Switch ProCurve 2920 to have HA if something happens. So I plug something like that (don't pay attention to the arrows) :

So one the ASA, I created a Port-Channel like that :

interface GigabitEthernet0/0

nameif outside

security-level 0

ip address 192.168.1.3 255.255.255.0 standby 192.168.1.4

!

interface GigabitEthernet0/1

speed 1000

duplex full

channel-group 1 mode passive

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/2

speed 1000

duplex full

channel-group 1 mode passive

no nameif

no security-level

no ip address

!

interface Port-channel1.1

vlan 1

nameif inside

security-level 100

ip address 192.168.8.1 255.255.255.0 standby 192.168.8.2

!

interface Port-channel1.10

vlan 10

nameif guest

security-level 50

ip address 172.16.100.2 255.255.255.224 standby 172.16.100.3

!

interface Port-channel1.16

vlan 16

nameif dmz

security-level 50

ip address 192.168.16.1 255.255.255.0 standby 192.168.16.2

On the switch, I created a trunk LACP capable with the port 1 and 2 on each switch, force the speed to 1000 and put the port un full duplex mode.

BUT this is not working... I tried many things and I can't make it work.

In this configuration, I can't ping anything between my ASA and my Switch (or any object connected). Here what I get on my ASA :

Channel group 1

LACP port Admin Oper Port Port

Port Flags State Priority Key Key Number State

-----------------------------------------------------------------------------

Gi0/2 SP not-bndl 32768 0x1 0x1 0x3 0xc

Gi0/1 FP not-bndl 32768 0x1 0x1 0x2 0x6

And on the Switchs :

PORT LACP TRUNK PORT LACP LACP

NUMB ENABLED GROUP STATUS PARTNER STATUS

----- ------- ----- ------ ------- ------

1 Active trk1 Broken Yes Failure

2 Active trk1 Broken Yes Failure

If I change the Cisco interface to LACP mode On, I can ping the switch from the ASA but nothing other objects conneted on the switch. If I look at the statut of LACP on the switch I see this :

PORT LACP TRUNK PORT LACP LACP

NUMB ENABLED GROUP STATUS PARTNER STATUS

----- ------- ----- ------ ------- ------

1 Active trk1 Up No Success

2 Active trk1 Up No Success

I don't have any clue on what's going on so If someone have any idea and help me on this, it would be great !

Feel free to ask me anything if you need any more information !

Thanks a lot !

Peter Paluch · ‎07-22-2013

Romain,

I am afraid this won't work. All physical links in an EtherChannel must be connected between the same pair of devices. In your case, this requirement is not met, so an EtherChannel can not be deployed successfully.

I do not actually see a need or a sensible use for EtherChannels in your network, though. What were you trying to accomplish?

Best regards,

Peter

romainamardeil · ‎07-22-2013

Hi Peter,

Thank you for helping me.

Basically, I would like to be able to "loose a switch" and be sure that the other switch can still work and contact the firewalls.

I would like to distribute all my Vlans through the trunk (and IP associated) and be sure that the primary ASA can be reached by the same IP on the two switch.

I'm trying to make something redundant.

Do you think it's possible ?

Have a nice day

Romain