07-08-2013 10:30 AM - edited 03-11-2019 07:08 PM
Hi
Recently, we have added ASA-ic-6ge-cu-c to our ASA 5545x. I'm trying to configure a port channel between the ASA and 6500 VSS. From the ASA side, I used two ports from the new expansion module (G1/0) & (G1/1), and from the VSS side (G1/3/9) & (G2/3/9).
The problem I'm facing is that from the ASA side port G1/1 could not join the etherchannel; it always goes to suspended state. I figured out the reason: it is due to incompatible speed between g1/0 and g1/1. g1/0 is auto, while g1/1 is 1000 Mbps. Although the ports are still in default configuration, I'm seeing this problem.
I tried to fix the speed on both ports; when I join them to the port-channel, again g1/1 still auto, g1/1 is 1000Mbps!!!
I also tried to make them both auto, still the same. Then I tried to use another port instead of g1/0: I used g1/3 with g1/1, again same problem, port 1/3 goes into suspended state for the same reason (speed mismatch).
Am I hitting a bug with this expansion module? My ASA version is 8.6.
Any ideas!!
Note: I'm using mode ON on the channel group, on both ASA and VSS. The ports are trunk on VSS with the same allowed vlans.
07-08-2013 04:10 PM
I'll assume you're following the configuration guide section for configuring an Etherchannel here. If you haven't, please refer to it.
There is a bug, CSCuc66227, specific to ASA software 8.6(1.4) that causes Etherchannel interface creation to fail when using the expansion module. Its failure mode doesn't match what you're seeing, but it could be relevant. The expansion module does support its ports being Etherchannel members, even when joining base unit interfaces (that last bit is new on the X series).
I'd see if you can upgrade to 9.0(2) which is the latest release (for non-CX ASA) and has a whole long list of bug fixes along with some new features.
07-08-2013 10:52 AM
Hi,
I am not sure what the deal is with the new ASA5500-X series I/O expansion modules, but in the original ASA 5500 Series the extra 4 port module COULD NOT be used in an Etherchannel.
Quote:
Guidelines and Limitations
• You cannot use interfaces on the 4GE SSM, including the integrated 4GE SSM in slot 1 on the ASA 5550, as part of an EtherChannel.
Source:
Not sure about the new modules. Though I think I remember them saying at Cisco Live 2013 London that the module was not supported to be used as a part of Etherchannel.
If I am not completely mistaken, the old ASA model had some internal Gigabit interface between the module and the rest of the ASA. Perhaps that is one reason. Not really sure.
- Jouni
07-08-2013 10:55 AM
Ah,
Seems it should be supported on the new models.
Cisco ASA 5500-X Series 6-Port Gigabit Ethernet Interface Cards
Cisco ASA 5500-X Series 6-port Gigabit Ethernet Interface Cards extend the I/O profile of the ASA 5525-X through ASA 5555-X by providing additional GE ports. The cards provide the following benefits:
• Load sharing of traffic as well as protection against link failure by using EtherChannel
- Jouni
07-08-2013 11:30 AM
Thanks Jouni, I knew about the old module, and could not find anything anywhere about the new module's etherchannel support. As you said, it should be supported, as the channel-group command is accepted under the module ports.
The problem I'm facing is related to port speed configuration when the port joins a port-channel. If ports are not in a port channel, it shows a correct speed state as I configure it: if auto it shows auto, if 1000 Mbps it shows 1000 Mbps under show interface... Once I configure the port channel group under two of the interfaces, the speed state changes to auto on one of them (usually the first one to join the group) while the second shows (1000 Mbps) under show interface! This causes the incompatibility issue and causes the second port to go into suspended state!!!
I hope to find some hints before I open a TAC..
Ali
07-08-2013 11:46 PM
Hi Marvin,
Thanks for pointing to this bug, it makes sense. I will plan for the upgrade to 9.0(2). Do I have to worry about the configuration when I upgrade from 8.6 to 9.0? I have not used the 9.0 yet. I have a firewall pair in Multiple context mode (ACTIVE/ACTIVE). My firewall has no NAT or VPN configuration, only redundant interfaces, port-channels, and ACLs.
Ali
07-09-2013 06:05 AM
You're welcome.
A zero downtime upgrade for an active-active pair is supported. Since the IPv4 / v6 ACL syntax was updated, downgrade is not supported so have a backup handy before proceeding. Otherwise, you can just follow the procedure in the release notes.
12-16-2013 04:42 AM
Hi Ali,
I know this post is a few months old, and is answered, am just wondering how you got on with your upgrade?
I was running etherchannel fine on 4GE SSM in slot 1 of ASA, using version 8.4(4). I upgraded this morning to version 9.1(2) and etherchannel functionality no longer available on this module... wondering if you experienced same issue... thanks,
Gill
12-16-2013 05:29 AM
Hi Gillian,
I upgraded to Version 9.0(2), and the etherchannel works fine.
interface GigabitEthernet1/0
 duplex full
 channel-group 1 mode on
!
interface GigabitEthernet1/1
 duplex full
 channel-group 1 mode on
!
interface Port-channel1
Which ASA do you have? Mine was ASA5545X.
Ali
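Added example, not code from any poster in this thread: a pre-check that rules out a configured speed, duplex or channel mode mismatch between channel-group members before suspecting a software defect, since a mismatched member of a static "mode on" bundle is suspended as described earlier in the thread. The sample configuration is constructed from the one posted above with a `speed 1000` line added, the function names are hypothetical, and it assumes an interface without an explicit `speed` or `duplex` line is set to auto.

```python
import re
from collections import defaultdict

# Constructed sample: the posted config plus "speed 1000" on GigabitEthernet1/1.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0
 duplex full
 channel-group 1 mode on
!
interface GigabitEthernet1/1
 speed 1000
 duplex full
 channel-group 1 mode on
!
interface Port-channel1
"""
DEFAULTS = {"speed": "auto", "duplex": "auto"}  # assumption: unset means auto

def parse_members(config):
    """Map channel-group id -> {interface: settings} for member interfaces."""
    groups = defaultdict(dict)
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if line == "!":  # stanza separator ends the current interface block
            current = None
        elif m := re.match(r"interface\s+(\S+)$", line):
            current = {"name": m.group(1), **DEFAULTS}
        elif current and (m := re.match(r"(speed|duplex)\s+(\S+)$", line)):
            current[m.group(1)] = m.group(2)
        elif current and (m := re.match(r"channel-group\s+(\d+)\s+mode\s+(\S+)$", line)):
            current["mode"] = m.group(2)
            # Stored by reference, so later speed/duplex lines still apply.
            groups[int(m.group(1))][current["name"]] = current
    return dict(groups)

def find_mismatches(groups):
    """List (group, attribute, {interface: value}) where members disagree."""
    findings = []
    for gid, members in sorted(groups.items()):
        for attr in ("speed", "duplex", "mode"):
            values = {name: m[attr] for name, m in members.items()}
            if len(set(values.values())) > 1:
                findings.append((gid, attr, values))
    return findings

if __name__ == "__main__":
    for gid, attr, values in find_mismatches(parse_members(SAMPLE_CONFIG)):
        print(f"channel-group {gid}: {attr} differs: {values}")
```

An empty result means the configured settings agree, so a member that still shows a different speed in show interface points at operational state rather than configuration.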
12-16-2013 06:00 AM
Hi Ali,
Thanks a mil for getting back to me.... it must be a limitation on the ASA5550.... I will open a case with TAC. Thanks again!
Gillian
12-16-2013 06:39 AM
Hi,
Look at the first reply of this discussion.
It mentions the fact that the original ASA5500 Series doesn't support the use of the expansion module in Etherchannel configurations.
- Jouni
12-16-2013 06:47 AM
Hi Jouni,
Thanks a mil for your response, yes I saw the original reply, but I don't understand why etherchannel was supported on ASA5500 running older software, 8.4(4), and not on newer version 9.1(2)..... :-(
Gillian