ASA 5585x Active/Standby - Port-Channel - Standby ports not in the bundle.
I have two ASA5585x ASAs in a basic Active/Standby configuration in multiple context mode. The failover is configured and working, and the ports appear in the ASA port-channel bundle. However, on the single switch (testing) that they are both connected to, the standby unit's ports are not part of the bundle but are correctly configured. The switch ports connected to the standby ASA are orange. Spanning tree is disabled for the VLANs.
Failover from active to standby is ok.
I can't issue "failover active" on the primary ASA: as the switch ports it's connected to are orange/not part of the bundle, it fails and goes back to standby.
If I pull the active/secondary unit's cables, the primary unit becomes active and the switch ports it's connected to go green.
The question is, I guess, why are the switch ports that the standby ASA connects to in 'stand-alone' mode?
ASA configuration:

    !
    interface GigabitEthernet0/0
     description # Channel Group 10 to Nexus #
     channel-group 10 mode active
    !
    interface GigabitEthernet0/1
     description # Channel Group 10 to Nexus #
     channel-group 10 mode active
    !
    interface Port-channel10
     description - Port Channel to Nexus
    !
    interface Port-channel10.2
     description Management / Inside interface to Corp vlan 2
    !
    interface Port-channel10.4
     description DINGDONG Interface vlan 4
    !

    show port-channel 10
    Span-cluster port-channel: No
    Ports: 6   Maxports = 16
    Port-channels: 1   Max Port-channels = 48
    Protocol: LACP/ active
    Minimum Links: 1
    Maximum Bundle: 8
    Load balance: src-dst-ip

    show int port-channel 10
    Interface Port-channel10 "", is up, line protocol is up
      Hardware is EtherChannel/LACP, BW 200 Mbps, DLY 10 usec
            Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
            Input flow control is unsupported, output flow control is off
            Description: - Port Channel to Nexus (not really its a single 2960 switch)
            Available for allocation to a context
            MAC address 3c08.f6a9.3586, MTU not set
            IP address unassigned
      Members in this channel:
        Active: Gi0/1 Gi0/0
        Inactive: Gi0/4 Gi0/3 Gi0/2 Gi0/5
Switch configuration and status:

    !
    interface Port-channel10
     description * port ch 10 for Cust apps to firewall. *
     switchport trunk encapsulation dot1q
     switchport mode trunk

    Port-channels in the group:
    ---------------------------

    Port-channel: Po10 (Primary Aggregator)
    ------------
    Age of the Port-channel   = 0d:05h:41m:20s
    Logical slot/port   = 1/1          Number of ports = 2
    HotStandBy port = null
    Port state          = Port-channel Ag-Inuse
    Protocol            =   LACP

    Ports in the Port-channel:

    Index   Load   Port     EC state        No of bits
    ------+------+------+------------------+-----------
      0     00     Fa0/22   Active             0
      0     00     Fa0/24   Active             0

    Time since last port bundled:    0d:01h:01m:30s    Fa0/24
    Time since last port Un-bundled: 0d:01h:01m:44s    Fa0/21

    CS-Switch#show etherchannel 10 summary
    Flags:  D - down        P - in port-channel
            I - stand-alone s - suspended
            H - Hot-standby (LACP only)
            R - Layer3      S - Layer2
            u - unsuitable for bundling
            U - in use      f - failed to allocate aggregator
            d - default port

    Number of channel-groups in use: 1
    Number of aggregators:           1
Little late on this answer but others may find this helpful.
Port channels on ASAs in an Active/Standby configuration have two different system IDs that are presented to the device the EtherChannel is being formed with. To account for this on the switch side, the interfaces need to be in two separate port channels, like the following:
Firewall A Portchannel 10 -> Switch A on PortChannel 10
Firewall B Portchannel 10 -> Switch A on PortChannel 20
The firewall does not act in the same manner as a vPC from a Nexus switch, where the system ID in the port channel is the same for both devices. Configured as above, it should result in both ports being bundled on both firewalls and the switch side.
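As an added illustration of the answer above (not the original poster's or the responder's configuration), this is what the switch side looks like with the two units' ports split into separate channel groups. Fa0/22 and Fa0/24 are the bundled ports from the question's output and Fa0/21 is the un-bundled one; Fa0/23, the Po20 number and the descriptions are assumptions.

```text
! --- Switch side (constructed example; Fa0/23 and Po20 are assumed) ---
! Ports toward firewall A (unit whose ports already bundle as Po10)
interface Port-channel10
 description * to ASA unit A *
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface range FastEthernet0/22 , FastEthernet0/24
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 10 mode active
!
! Ports toward firewall B get their own aggregator, because unit B sends
! a different LACP system ID and can never join the same bundle as unit A
interface Port-channel20
 description * to ASA unit B *
 switchport trunk encapsulation dot1q
 switchport mode trunk
!
interface range FastEthernet0/21 , FastEthernet0/23
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 20 mode active
!
! --- ASA side: unchanged. The failover pair replicates a single config,
! so both units keep "channel-group 10 mode active" on Gi0/0 and Gi0/1;
! only the switch needs to know they are two different LACP partners.
```

The check afterwards is `show etherchannel summary` on the switch: both Po10 and Po20 should be listed with their member ports flagged P (in port-channel) rather than I (stand-alone), and the standby unit's ports should no longer show as orange.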