ASA 5545X etherchannel on expansion module

Ali Koussan
Level 1

Hi

Recently, we added an ASA-ic-6ge-cu-c to our ASA 5545x. I'm trying to configure a port channel between the ASA and a 6500 VSS. On the ASA side, I used two ports from the new expansion module (G1/0) & (G1/1), and on the VSS side (G1/3/9) & (G2/3/9).

The problem I'm facing is that on the ASA side port G1/1 could not join the etherchannel; it always goes to suspended state. I figured out the reason: it is due to incompatible speed between g1/0 and g1/1. g1/0 is auto, while g1/1 is 1000 Mbps. Although the ports are still in default configuration, I'm seeing this problem.

I tried to fix the speed on both ports; when I join them to the port channel, again g1/1 still auto, g1/1 is 1000Mbps!!!

I also tried to make them both auto, still the same. Then I tried to use another port instead of g1/0: I used g1/3 with g1/1, and again the same problem, port 1/3 goes into suspended state for the same reason (speed mismatch).

Am I hitting a bug with this expansion module? My ASA version is 8.6.

Any ideas!!

Note: I'm using mode ON on the channel group, on both ASA and VSS. The ports are trunks on the VSS with the same allowed VLANs.

Sent from Cisco Technical Support iPad App

1 Accepted Solution

I'll assume you're following the configuration guide section for configuring an Etherchannel here. If you haven't please refer to it.

There is a bug, CSCuc66227, specific to ASA software 8.6(1.4) that causes Etherchannel interfaces creation to fail when using the expansion module. Its failure mode doesn't match what you're seeing, but it could be relevant. The expansion module does support its ports being Etherchannel members, even when joining base unit interfaces (that last bit is new on the X series).

I'd see if you can upgrade to 9.0(2) which is the latest release (for non-CX ASA) and has a whole long list of bug fixes along with some new features.

11 Replies

Jouni Forss
VIP Alumni

Hi,

I am not sure what the deal is with the new ASA5500-X series I/O expansion modules, but in the original ASA 5500 Series the extra 4 port module COULD NOT be used in an Etherchannel.

Quote:

Guidelines and Limitations

You cannot use interfaces on the 4GE SSM, including the integrated 4GE SSM in slot 1 on the ASA 5550, as part of an EtherChannel.

Source:

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/interface_start.html#wp1343917

Not sure about the new modules. Though I think I remember them saying at Cisco Live 2013 London that the module was not supported to be used as a part of Etherchannel.

If I am not completely mistaken, the old ASA model had some internal Gigabit interface between the module and the rest of the ASA. Perhaps that is one reason. Not really sure.

- Jouni

Ah,

Seems it should be supported on the new models

Cisco ASA 5500-X Series 6-Port Gigabit Ethernet Interface Cards

Cisco ASA 5500-X Series 6-port Gigabit Ethernet Interface Cards extend the I/O profile of the ASA 5525-X through ASA 5555-X by providing additional GE ports. The cards provide the following benefits:

• Load sharing of traffic as well as protection against link failure by using EtherChannel

- Jouni

Thanks Jouni, I knew about the old module, and could not find anything anywhere about the new module's etherchannel support. As you said, it should be supported, as the channel-group command is accepted under the module ports.

The problem I'm facing is related to port speed configuration when the port joins a port-channel. If ports are not in a port channel, it shows the correct speed state as I configure it: if auto it shows auto, if 1000 Mbps it shows 1000 Mbps under show interface... Once I configure the port channel group under two of the interfaces, the speed state changes to auto on one of them (usually the first one to join the group) while the second shows (1000 Mbps) under show interface! And this causes the incompatibility issue and causes the second port to go into suspended state!!!

I hope to find some hints before I open a TAC ..

Ali


Sent from Cisco Technical Support iPad App

Hi Marvin,

Thanks for pointing to this bug, it makes sense. I will plan for the upgrade to 9.0(2). Do I have to worry about the configuration when I upgrade from 8.6 to 9.0? I have not used 9.0 yet. I have a firewall pair in Multiple context mode (ACTIVE/ACTIVE). My firewall has no NAT or VPN configuration, only redundant interfaces, port-channels, and ACLs.

Ali

You're welcome.

A zero downtime upgrade for an active-active pair is supported. Since the IPv4 / v6 ACL syntax was updated, downgrade is not supported so have a backup handy before proceeding. Otherwise, you can just follow the procedure in the release notes.

Hi Ali,

I know this post is a few months old, and is answered, am just wondering how you got on with your upgrade?

I was running etherchannel fine on 4GE SSM in slot 1 of ASA, using version 8.4(4). I upgraded this morning to version 9.1(2) and etherchannel functionality no longer available on this module... wondering if you experienced same issue... thanks,

Gill

Hi Gillian,

I upgraded to Version 9.0(2), and the etherchannel works fine:

interface GigabitEthernet1/0
 duplex full
 channel-group 1 mode on
!
interface GigabitEthernet1/1
 duplex full
 channel-group 1 mode on
!
interface Port-channel1

Which ASA do you have? Mine was ASA5545X.

Ali
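
Added example, not part of the posts above and not Cisco tooling: a Python check that parses interface stanzas like the ones Ali quotes and reports any channel-group whose members have different configured speed or duplex, the mismatch the thread describes as leaving a member suspended. The sample config is constructed, and treating an unset speed or duplex as "auto" is an assumption.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the stanzas quoted in the thread.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0
 speed 1000
 duplex full
 channel-group 1 mode on
!
interface GigabitEthernet1/1
 duplex full
 channel-group 1 mode on
!
interface GigabitEthernet1/3
 speed 1000
 duplex full
 channel-group 2 mode on
!
interface GigabitEthernet1/4
 speed 1000
 duplex full
 channel-group 2 mode on
!
interface Port-channel1
"""

def parse_members(config):
    """Return {channel_group: {interface: (speed, duplex)}} for member ports."""
    groups = defaultdict(dict)
    # Split into one chunk per "interface <name>" stanza.
    for stanza in re.split(r"(?m)^interface ", config)[1:]:
        name = stanza.splitlines()[0].strip()
        s = dict(re.findall(r"(?m)^\s*(speed|duplex|channel-group) (\S+)", stanza))
        if "channel-group" in s:
            # Assumption: an absent speed/duplex line means auto-negotiation.
            groups[s["channel-group"]][name] = (
                s.get("speed", "auto"), s.get("duplex", "auto"))
    return dict(groups)

def mismatched_groups(config):
    """Return only the channel-groups whose members do not all share settings."""
    return {group: members
            for group, members in parse_members(config).items()
            if len(set(members.values())) > 1}

if __name__ == "__main__":
    for group, members in mismatched_groups(SAMPLE_CONFIG).items():
        print(f"channel-group {group}: {members}")
```

This compares configured values only; the thread's symptom was an operational speed that differed from the configuration, which still has to be confirmed with show interface on the device.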


Hi Ali,

Thanks a mil for getting back to me.... it must be a limitation on the ASA5550.... I will open a case with TAC.  Thanks again!

Gillian

Hi,

Look at the first reply of this discussion.

It mentions the fact that the original ASA5500 Series doesn't support the use of the expansion module in Etherchannel configurations.

- Jouni

Hi Jouni,

Thanks a mil for your response, yes I saw the original reply, but I don't understand why etherchannel was supported on ASA5500 running older software, 8.4(4), and not on newer version 9.1(2)..... :-(

Gillian
