
Port-channel on ASA

The pings do not go through the Port-channel. VLANs are configured. Without the Port-channel, the ping passes correctly. Devices are directly connected.

ASA config:
interface GigabitEthernet1/3
 channel-group 1 mode active
!
interface Port-channel10.1
 vlan 987
 nameif TEST
 security-level 100
 ip address 192.168.0.10 255.255.255.0

Switch config:
interface Port-channel1
 switchport access vlan 987
 switchport mode access
!
interface FastEthernet0/3
 description to ASA-PO
 switchport access vlan 987
 switchport mode access
 channel-group 1 mode active

=================================== SHOW OUTPUT ========================================

ASA# show lacp neighbor
[output attached as a screenshot in the original post]

ASA# show port-channel summary
[output attached as a screenshot in the original post]

Switch:
[output attached as a screenshot in the original post]



Mark Elsen (Hall of Fame)

- Can other traffic go through the port-channel?
- What error do you get for the pings?

 M.



-- Let everything happen to you
   Beauty and terror
   Just keep going
   No feeling is final
Rainer Maria Rilke (1899)

ASA# ping TEST 192.168.0.11
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.11, timeout is 2 seconds:
?????

PO-TEST#ping
Protocol [ip]:
Target IP address: 192.168.0.10
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 192.168.0.11
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.0.10, timeout is 2 seconds:
Packet sent with a source address of 192.168.0.11
.....
Success rate is 0 percent (0/5)

First, check the VLAN on the SW.

Second, since you use a subinterface, the traffic is tagged, and hence you cannot use PO access mode on the SW.

You need to change the PO from access to trunk and allow the VLAN on the trunk.

MHM

I made the changes on the Switch. There is still a problem. I'm running debug on the Switch, and when I ping from the ASA specifying the source zone:
*Mar 3 00:30:55.897: ICMP: echo reply sent, src 192.168.0.11, dst 192.168.0.10, topology BASE, dscp 0 topoid 0

VLAN:
[show output attached as screenshots in the original post]

interface Port-channel1
 switchport trunk native vlan 987
 switchport mode trunk 
!
interface FastEthernet0/3
 description to ASA-PO
 switchport trunk native vlan 987
 switchport mode trunk
 channel-group 1 mode active

interface Port-channel1
 switchport trunk native vlan 987 <<- remove this
 switchport trunk allowed vlan 987 <<- add this
 switchport mode trunk
!
interface FastEthernet0/3
 description to ASA-PO
 switchport trunk native vlan 987 <<- remove this
 switchport trunk allowed vlan 987 <<- add this
 switchport mode trunk
 channel-group 1 mode active

It works, but doesn't the “switchport mode trunk” command pass all VLANs? Great to know that I have to do it this way, but now I'm a little confused.

What point confuses you?

MHM

I thought the “switchport mode trunk” command allowed all VLANs by default. I'm curious: why do we have to explicitly type “switchport trunk allowed vlan 987”?
I even added the “switchport trunk allowed vlan all” command before you said to add the “switchport trunk allowed vlan 987” directly, and it didn't work.

OK, this does not affect the config. What does affect the config is:

 switchport trunk native vlan 987 <<- remove this

You are correct:

switchport mode trunk <<- allows all VLANs, but I suggest

switchport trunk allowed vlan 987 <<- to allow only one VLAN on this trunk, since you use one subinterface on the ASA.

MHM

You are right, “switchport trunk native vlan 987” was the problem. As for allowing one VLAN, I realize that we should only let through the required VLANs, but I'm in a lab environment, so I took a shortcut.
That is, the problem first turned out to be “switchport mode access” and then “switchport trunk native vlan 987”, because the ASA was expecting tagged traffic and I was sending untagged traffic. Am I right?
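A small model of the tagging mismatch summarised in the thread, added here as an example and not part of any post: it reproduces the three switch-side configurations that were tried (access VLAN 987, trunk with native VLAN 987, trunk with allowed VLAN 987) and shows which of them hands the ASA subinterface a frame tagged with VLAN 987. The class and function names are constructed for the example.

```python
# Model of 802.1Q tagging between a switch port-channel and an ASA subinterface.
# Constructed example: it mirrors the three switch configs tried in the thread
# (access VLAN 987, trunk with native 987, trunk with allowed 987) and shows
# which one delivers a frame the ASA subinterface 'vlan 987' will accept.
from dataclasses import dataclass
from typing import FrozenSet, Optional


@dataclass
class Frame:
    vlan_tag: Optional[int]  # None means the frame is untagged on the wire
    payload: str


@dataclass
class SwitchPort:
    mode: str                      # "access" or "trunk"
    access_vlan: int = 1
    native_vlan: int = 1           # IOS default native VLAN
    allowed: FrozenSet[int] = frozenset(range(1, 4095))  # default: all VLANs

    def egress(self, vlan: int, payload: str) -> Optional[Frame]:
        """Send a frame that belongs to VLAN `vlan` out of this port."""
        if self.mode == "access":
            # An access port carries exactly one VLAN and always strips the tag.
            return Frame(None, payload) if vlan == self.access_vlan else None
        if vlan not in self.allowed:
            return None            # pruned by 'switchport trunk allowed vlan'
        if vlan == self.native_vlan:
            return Frame(None, payload)  # the native VLAN leaves a trunk untagged
        return Frame(vlan, payload)      # every other VLAN is 802.1Q tagged


@dataclass
class AsaSubinterface:
    vlan: int  # the 'vlan 987' line under interface Port-channel10.1

    def ingress(self, frame: Optional[Frame]) -> bool:
        """A subinterface only accepts frames carrying its own VLAN tag."""
        return frame is not None and frame.vlan_tag == self.vlan


def ping_reaches_asa(port: SwitchPort, asa_vlan: int = 987) -> bool:
    """True if an echo reply in VLAN 987 sent by the switch reaches the subinterface."""
    return AsaSubinterface(asa_vlan).ingress(port.egress(asa_vlan, "ICMP echo reply"))


# The switch-side configurations from the thread, in the order they were tried.
ACCESS_987 = SwitchPort("access", access_vlan=987)                 # first attempt
TRUNK_NATIVE_987 = SwitchPort("trunk", native_vlan=987)            # second attempt
TRUNK_ALLOWED_987 = SwitchPort("trunk", allowed=frozenset({987}))  # accepted solution
```

`ping_reaches_asa(SwitchPort("trunk"))` is also True: the "allowed vlan all" attempt failed only because native VLAN 987 was still configured, which strips the tag the subinterface expects.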

Totally right, friend.

MHM

This is not the first time you have helped me and then explained. Thank you.