Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2331
Views
0
Helpful
4
Replies

VSS and Etherchannel

Go to solution
Cobhamuser1
Level 1
Level 1

‎10-24-2016 05:49 AM - edited ‎03-08-2019 07:53 AM

Can someone advise me please

I am seeing some odd behaviour and want to ensure my setup is not the issue

6509 VSS pair

both connected to x2 firewalls in active/passive

I have an aggregatedlink/portchannel between each firewall and the VSS

Firewall A

Portchannel goes to switch 1/1/1 and switch 2/1/1

Firewall B

Portchannel goes to switch 1/1/2 and switch 2/1/2

4500x VSS pair

I have a similar setup between the switches and firewalls

I recently had a VSS member crash and another reboot, which seemed to cause no end of problems

Should I be configuring my portchannels as follows, so that they terminate on the same chassis?

Firewall A

Portchannel goes to switch 1/1/1 and switch 1/1/2

Firewall B

Portchannel goes to switch 2/1/1 and switch 2/1/2

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Mark Malone
VIP Alumni
VIP Alumni
In response to Cobhamuser1

‎10-24-2016 07:23 AM

Hi

when you originally set these up did you test your failover setup to see if it worked fully by dropping pos and interfaces to see what the effect was with traffic incase of an issue ?

you can definitely split across VSS as the question has popped up before in the forum  couple of times

https://supportforums.cisco.com/discussion/10812736/vss-deployement

as well doc confirms it and the guidelines you must follow for it to work correctly maybe worth reading through  , I would confirm your set is same as the docs and re-test in a scheduled window and see what results you get if the recent issues were to know problems , first thing I would want to know if it was my setup is does it work when its manually triggered rather than waiting for the problem to arise again

http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/interface_start.html

Connecting to an EtherChannel on Another Device

The device to which you connect the ASA EtherChannel must also support 802.3ad EtherChannels; for example, you can connect to the Catalyst 6500 switch.

When the switch is part of a Virtual Switching System (VSS), then you can connect ASA interfaces within the same EtherChannel to separate switches in the VSS. The switch interfaces are members of the same EtherChannel port-channel interface, because the separate switches act like a single switch (see Figure 12-1).

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Mark Malone
VIP Alumni
VIP Alumni

‎10-24-2016 06:00 AM

Hi No that' should be fine splitting across the chassis its what's expected its VSS , was it the 4500 side that failed ? there are some buggy images on those 4500-x series , the 6509 is usually stable

whats the odd behaviour are you still seeing it even after everything reset and came back up , did you find the root cause of the crashes ? is there still alerts generating on logs

0 Helpful

Go to solution
Cobhamuser1
Level 1
Level 1
In response to Mark Malone

‎10-24-2016 06:16 AM

Thanks for coming back to me

I am running Version 03.07.02.E on the 4500x

Most of the time I have had issues has been down to "known problems"

I wanted to be sure that the EC setup wasn't an underlying cause

I had a 6509 crash and lost one side of the VSS pair

An upstream firewall could no longer route traffic

I flipped the firewall to the secondary and everything was fine

0 Helpful

Go to solution
Mark Malone
VIP Alumni
VIP Alumni
In response to Cobhamuser1

‎10-24-2016 07:23 AM

Hi

when you originally set these up did you test your failover setup to see if it worked fully by dropping pos and interfaces to see what the effect was with traffic incase of an issue ?

you can definitely split across VSS as the question has popped up before in the forum  couple of times

https://supportforums.cisco.com/discussion/10812736/vss-deployement

as well doc confirms it and the guidelines you must follow for it to work correctly maybe worth reading through  , I would confirm your set is same as the docs and re-test in a scheduled window and see what results you get if the recent issues were to know problems , first thing I would want to know if it was my setup is does it work when its manually triggered rather than waiting for the problem to arise again

http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/interface_start.html

Connecting to an EtherChannel on Another Device

The device to which you connect the ASA EtherChannel must also support 802.3ad EtherChannels; for example, you can connect to the Catalyst 6500 switch.

When the switch is part of a Virtual Switching System (VSS), then you can connect ASA interfaces within the same EtherChannel to separate switches in the VSS. The switch interfaces are members of the same EtherChannel port-channel interface, because the separate switches act like a single switch (see Figure 12-1).

0 Helpful

Go to solution
Cobhamuser1
Level 1
Level 1
In response to Mark Malone

‎10-26-2016 04:01 AM

A change in the firewall code resulted in an operational change with the 4500x

Either way, the information you provided was very useful

0 Helpful
Customers Also Viewed These Support Documents