Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

ASA5550 port channel configuration ERROR: nameif not allowed on empty etherchannel interface

Hi All,

I am having problem when configure port channel on asa5550 

IOS ver asa914-k8.bin also in ver 9.02   and 8.47.

Please let me know how can I solve this problem.

UK-LON-FW(config)# int port-channel 3

UK-LON-FW(config-if)# vlan 245

                       ^

ERROR: % Invalid input detected at '^' marker.

UK-LON-FW(config-if)# nameif secure

ERROR: nameif not allowed on empty etherchannel interface.

UK-LON-FW(config-if)#

here is my interfaces configuration:

!

interface GigabitEthernet0/0

description fw1:G0/0 to uk-lon-gw1:e1/8 fw2:G0/0 to uk-lon-gw2:e1/9 outside zone

channel-group 1 mode on

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/1

description fw1:G0/1 to uk-lon-gw2:e1/8 fw2:G0/1 to uk-lon-gw1:e1/9 outside zone

channel-group 1 mode on

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/2

description fw1:G0/2 to uk-lon-sw1a:1 fw2:G0/2 to uk-lon-sw1a:2 dmz

channel-group 2 mode on

no nameif

no security-level

no ip address

!

interface GigabitEthernet0/3

description fw1:G0/3 to uk-lon-sw1b: fw2:G0/3 to uk-lon-sw1b:2 dmz

channel-group 2 mode on

no nameif   

no security-level

no ip address

!

interface Management0/0

management-only

nameif management

security-level 0

ip address 10.10.51.18 255.255.254.0

!

interface GigabitEthernet1/0

description fw1:G1/0 to uk-lon-sw1a:3 fw2:G1/0 to uk-lon-sw1a:4 secure zone

no nameif

no security-level

no ip address

!

interface GigabitEthernet1/1

description fw1:G1/1 to uk-lon-sw1b:3 fw2:G1/1 to uk-lon-sw1b:4 secure zone

no nameif

no security-level

no ip address

!

interface GigabitEthernet1/2

description LAN Failover Interface

no nameif   

no security-level

no ip address

!

interface GigabitEthernet1/3

description STATE Failover Interface

no nameif

no security-level

no ip address

!

interface Port-channel1

description outside zone

no nameif

no security-level

no ip address

!

interface Port-channel1.5

description outside zone Bundle FW:G0/0-G0/1 connect to GW1:e1/8-GW2:e1/8

vlan 5

nameif outside

security-level 0

ip address 216.239.105.5 255.255.255.128 standby 216.239.105.6

!

interface Port-channel2

description dmz Bunlde uk-lon-fw:G0/2-3 to sw1a:1-2 sw1b:1-2

no nameif

no security-level

no ip address

!

interface Port-channel2.105

description dmz

vlan 105

nameif dmz

security-level 50

ip address 216.239.105.193 255.255.255.192 standby 216.239.105.194

!

interface Port-channel3

description secure zone Bunlde uk-lon-fw:G1/0-1 to sw1a:3-3 sw1b:3-4

no nameif

security-level 100

ip address 10.254.105.1 255.255.255.0 standby 10.254.105.2

UK-LON-FW(config-if)# 

3 REPLIES
Hall of Fame Super Silver

Re: ASA5550 port channel configuration ERROR: nameif not allowed

Your logical interface port-channel 3 has no physical members assigned to it. Assign some (i.e one or more physical ports should have "channel-group 3" command).

Also, you would normally assign a VLAN to a subinterface on this size of firewall - not to the port-channel parent.

New Member

ASA5550 port channel configuration ERROR: nameif not allowed on

Hi Marvin,

Thank you for your answer.  I did everything but it did not work. Turn out it is a bug ver 8.45 will let you created the sub logical interface but actually it did not work right.  Verson 9.x  doesn't let you create more than 2 port channel (limitation of ASA5550 hardware).

https://tools.cisco.com/bugsearch/bug/CSCtq62715/?reffering_site=dumpcr 

Also, you can see the 8.4 release notes were you can see that it is not supported:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/release/notes/asarn84.html#pgfId-522232

Interface Features

EtherChannel support (ASA 5510 and higher)

You can configure up to 48 802.3ad EtherChannels of eight active interfaces each.

Note You cannot use interfaces on the 4GE SSM, including the integrated 4GE SSM in slot 1 on the ASA 5550, as part of an EtherChannel.

We introduced the following commands: channel-group , lacp port-priority , interface port-channel , lacp max-bundle , port-channel min-bundle , port-channel load-balance , lacp system-priority , clear lacp counters , show lacp , show port-channel .

Hall of Fame Super Silver

ASA5550 port channel configuration ERROR: nameif not allowed on

Thanks for updating us on the root cause of the problem.

I had overlooked the two portchannel limitation. That's a good one to remember.

642
Views
5
Helpful
3
Replies
CreatePlease login to create content