Cisco Support Community

New Member

ASA failover with N7k and vPC

Hi guys,

I'm connecting ASAs in Active/Standby failover to Nexus 7000s.

Please find the attached network diagram to understand the setup.

- No direct cable between the two ASAs.

- Failover link is done by connecting g0/3 to N7k1 and N7K2 (as the diagram).

- vPC peer-link is there between the two N7k.

- Using this setup, Failover is working fine. (Failover vlans are passing through vPC peer-link)

- As per the recommendation, I understood that it is not recommended to use the vPC peer-link to pass the failover VLANs (in our case VLANs 5 and 6).

Is it true?

+ And based on this recommendation:
 - I removed vlans 5 and 6 from the vPC peer-link.
 - I created new link between the two N7ks "trunk" and allowed only vlans 5 & 6.

After doing this step, failover keeps failing and the two ASAs are not detecting each other.

Any idea how to solve this issue?


Regards

12 REPLIES
Hall of Fame Super Silver


Can you share the running-config and status for the Nexus trunk interfaces (to each other and to the ASAs)?

i.e.,

show run int Eth__/__

show int Eth __/__ 

New Member


Hi Marvin,

I will collect the show interface output and send it, but for now I have the following "show run interface" output:

N7K-1:

interface Ethernet3/19
  description ### ASA Failover , connected to N7k-2 ###
  switchport
  switchport mode trunk
  switchport trunk allowed vlan 5,6
  speed 1000
  no shutdown

N7K-2:

interface Ethernet3/19
  description ### ASA Failover , connected to N7k-1 ###
  switchport
  switchport mode trunk
  switchport trunk allowed vlan 5,6
  speed 1000
  no shutdown

ASAs:

interface Ethernet3/5
  description ### Connected to ASA-1 ###
  switchport
  switchport mode trunk
  switchport trunk allowed vlan 5,6
  speed 1000

interface Ethernet3/5
  description ### Connected to ASA-2 ###
  switchport
  switchport mode trunk
  switchport trunk allowed vlan 5,6
  speed 1000
  no shutdown


Regards
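As an added example that is not from the thread or from either poster: a small Python checker for the stanzas above. It parses each NX-OS interface stanza and verifies what a trunk carrying the failover VLANs needs on each end (trunk mode, VLANs 5 and 6 allowed, and an explicit `no shutdown`, since Nexus 7000 Ethernet ports are typically administratively down without it), then compares the allowed-VLAN lists of the two ends of a link. The stanzas are copied from the post with their description lines omitted; treating N7K-1 and N7K-2 Eth3/19 as the two ends of the new trunk is an assumption based on those descriptions.

```python
import re
# Stanzas copied from the thread's posted config (descriptions omitted); N7K-2's Eth3/19 stanza matched N7K-1's.
N7K_E3_19 = """interface Ethernet3/19
  switchport
  switchport mode trunk
  switchport trunk allowed vlan 5,6
  speed 1000
  no shutdown"""
ASA1_FACING = """interface Ethernet3/5
  switchport
  switchport mode trunk
  switchport trunk allowed vlan 5,6
  speed 1000"""
ASA2_FACING = ASA1_FACING + "\n  no shutdown"
FAILOVER_VLANS = {5, 6}  # the failover VLANs named in the thread
def expand_vlans(spec):
    """Expand an NX-OS VLAN list such as '5,6' or '1-3,5' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans

def parse_stanza(text):
    """Pull the trunk-relevant facts out of one 'show run interface' stanza."""
    mode = re.search(r"^\s*switchport mode (\S+)$", text, re.M)
    allowed = re.search(r"^\s*switchport trunk allowed vlan (\S+)$", text, re.M)
    return {"name": text.split()[1],
            "mode": mode.group(1) if mode else None,
            "allowed": expand_vlans(allowed.group(1) if allowed else "1-4094"),  # NX-OS default: all
            "admin_up": re.search(r"^\s*no shutdown$", text, re.M) is not None}

def check_port(stanza, required=FAILOVER_VLANS):
    """Findings for one trunk end: trunk mode, carries the VLANs, admin up."""
    p = parse_stanza(stanza)
    findings = []
    if p["mode"] != "trunk":
        findings.append(f"{p['name']}: not in trunk mode")
    if not required <= p["allowed"]:
        findings.append(f"{p['name']}: missing VLANs {sorted(required - p['allowed'])}")
    if not p["admin_up"]:  # N7k Ethernet ports are typically shutdown by default
        findings.append(f"{p['name']}: no 'no shutdown' line")
    return findings

def check_link(near, far, required=FAILOVER_VLANS):
    """Both ends of one trunk, plus an allowed-list mismatch between them."""
    findings = check_port(near, required) + check_port(far, required)
    if parse_stanza(near)["allowed"] != parse_stanza(far)["allowed"]:
        findings.append("allowed VLAN lists differ between the two ends")
    return findings
```

Run against the posted stanzas, the N7K-1/N7K-2 trunk comes back clean while the ASA-1-facing port is flagged only for the absent `no shutdown` line, which is worth confirming with `show interface` rather than assuming.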

Hall of Fame Super Silver


Those are pretty straightforward and one would expect them to work. Perhaps the information from the interfaces showing their current status will shed some light.

New Member


Thanks for your reply.

As I remember, all ports were up; anyhow, I will collect and share them.

Regards.


New Member


Hi Marvin,

Attached you can find the show interfaces output.

Regards,

Rami

Hall of Fame Super Silver


Hmm those look OK.

Can you "show spanning-tree vlan 5" (and 6) on the Nexuses?

New Member


Hi Marvin.

I attached show spanning-tree output.

Regards

Hall of Fame Super Silver


For some reason both N7k-1 and N7k-2 are reporting they are root - as if they still thought those VLANs were connected via vPC. Did you clear VLANs 5 and 6 from the peer link?

If you look at N7k-2 it is blocking on Eth3/19 (the connection to N7k-1). That will keep the ASAs from seeing each other via that connection.

You might want to refer to this troubleshooting spanning-tree document for NX-OS.

New Member


Hi Marvin,

Yes, I removed those two VLANs from the vPC peer link by removing them from the allowed VLANs.

Regards

Hall of Fame Super Silver


I'd engage the TAC to have a look at your spanning-tree setup in real time. It would probably resolve your issue more quickly to open a Service Request from CSC. There should be a link in the top right of your view with instructions on doing that.

New Member


Hi Marvin,

Thanks for your reply.

- If I have an issue with spanning tree, why do you think it is working fine over the vPC peer link?

- Both switches are active because we configured peer-switch under vPC, and in this case both spanning-tree priorities should be the same.

Regards,


Hall of Fame Super Silver


I suspected you had set up peer-switch. When you have a vPC, NX-OS uses a virtual bridge ID designed to work with vPC and spanning tree isn't an issue. When you are running hybrid mode (see this link) Cisco recommends you set "spanning-tree pseudo-information".

I've not done that myself, which is why I defer and recommend engaging the TAC, as I'd not want you to have unforeseen consequences with your 7k core as a result of something I had recommended.
