Switch sees path through standby ASA5505 as preferred

chris
Level 1

Hi,

I have two Cisco C2960 switches attached to each other using two ports configured as a port-channel. These are connected to two ASA5505's set up as active/standby. There are redundant connections between both switches and the firewalls. The firewalls are connected to another set of switches but by only a single link, one from one firewall to one of the switches and the other firewall to the other switch, please see the attached diagram.

There are two servers connected behind SWT03 and SWT04 which are on VLAN 47, and one server behind SWT01 and SWT02 on VLAN 47. As desired SWT01 is the root for all VLANs on it except for VLAN 47, for which SWT03 should be the root. SWT01 does see the root for VLAN 47 through the firewall it is connected to. FWL01(on top) is the primary and FWL02(on the bottom) is in standby mode, I know that the ASA5505's do not support STP but I also know that the ports on it can be used as switch ports which is why I think I am seeing the issue. The issue is that SWT02 sees its port connected to FWL02 as the best path to the root and has put the port-channel into a blocking state. Please see the config output:

SWT01#sh spanning-tree vlan 47

VLAN0047
  Spanning tree enabled protocol rstp
  Root ID    Priority    4143
             Address     0027.0cd8.3780
             Cost        19
             Port        1 (FastEthernet0/1)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    24623  (priority 24576 sys-id-ext 47)
             Address     8cb6.4f78.7f00
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Fa0/1               Root FWD 19        128.1    P2p
Fa0/6               Desg FWD 19        128.6    P2p Edge
Po1                 Desg FWD 12        128.56   P2p

SWT02#sh spanning-tree vlan 47

VLAN0047
  Spanning tree enabled protocol rstp
  Root ID    Priority    4143
             Address     0027.0cd8.3780
             Cost        22
             Port        1 (FastEthernet0/1)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    28719  (priority 28672 sys-id-ext 47)
             Address     8cb6.4f55.f600
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time  300 sec

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Fa0/1               Root FWD 19        128.1    P2p
Fa0/6               Desg FWD 19        128.6    P2p Edge
Po1                 Altn BLK 12        128.56   P2p

FastEthernet0/1 on both switches is connected to its respective firewall, i.e. SWT01/01 is connected to FWL01 and SWT02/01 is connected to FWL02.

SWT02#sh spanning-tree blockedports

Name                 Blocked Interfaces List
-------------------- ------------------------------------
VLAN0047             Po1

Number of blocked ports (segments) in the system : 1

SWT02#sh run int port-channel 1
Building configuration...

Current configuration : 54 bytes
!
interface Port-channel1
switchport mode trunk

Does anyone know how I can correct this? Any help will be greatly appreciated.

Kind regards,

Chris

4 Replies

John Blakley
VIP Alumni

Just for clarification:

1. From swt02's perspective, is fa0/1 connected to top firewall or bottom?

2. Are you wanting swt02's root port for vlan 47 to go toward swt03?

Let's assume that swt02's f0/6 port is connected to the top firewall. F0/1 is showing to be the root port. You can just increase the cost to something abnormal on fa0/1 to get fa0/6 to be the root port. The port channel is blocking because the other side of the port channel on swt01 is the designated port for that segment. All of this is based off of cost too. If swt02 through the port channel's cost to get to the root is say (PO1 = 12, fa0/1 = 19, ASA's perspective to get to swt03 assuming 19: total 50 vs fa0/1 on swt02 cost of 19 to the asa's perspective of say 19: Total 38.)

Am I even on the right track?

HTH, John *** Please rate all useful posts ***
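The cost arithmetic in the reply above can be checked against the outputs Chris posted. The following is an added example, not code from the thread or from Cisco: it parses `show spanning-tree vlan` output, computes the root path cost SWT02 would see through each neighbour (the neighbour's advertised root cost plus the local port cost, which is how RSTP scores a candidate root port) and applies the root-port tie-break. The switch outputs embedded below are constructed, abbreviated copies of the ones in the thread. One assumption is made for the Fa0/1 path: since the ASA5505 does not run STP, the BPDU SWT02 receives on Fa0/1 is taken to be the one SWT04 sends on its Gi0/27, passed through FWL02's switch ports unchanged. Under that assumption the computed cost on Fa0/1 (3 + 19 = 22) is exactly the cost SWT02 reports, and the port-channel path (19 + 12 = 31) loses, which is what the `Altn BLK` line shows. The `swt02_candidates(fa01_cost=...)` parameter lets you try the higher-cost what-if from the reply without touching a switch.

```python
"""Added example: parse `show spanning-tree vlan` output and reproduce the
RSTP root-port choice.  Not code from the thread; outputs are constructed."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed, abbreviated copies of the outputs posted in the thread.
SWT01_OUT = """VLAN0047
  Root ID    Priority    4143
             Address     0027.0cd8.3780
             Cost        19
             Port        1 (FastEthernet0/1)
  Bridge ID  Priority    24623  (priority 24576 sys-id-ext 47)
             Address     8cb6.4f78.7f00
Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- ----------
Fa0/1               Root FWD 19        128.1    P2p
Fa0/6               Desg FWD 19        128.6    P2p Edge
Po1                 Desg FWD 12        128.56   P2p
"""
SWT02_OUT = """VLAN0047
  Root ID    Priority    4143
             Address     0027.0cd8.3780
             Cost        22
             Port        1 (FastEthernet0/1)
  Bridge ID  Priority    28719  (priority 28672 sys-id-ext 47)
             Address     8cb6.4f55.f600
Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- ----------
Fa0/1               Root FWD 19        128.1    P2p
Fa0/6               Desg FWD 19        128.6    P2p Edge
Po1                 Altn BLK 12        128.56   P2p
"""
SWT04_OUT = """VLAN0047
  Root ID    Priority    4143
             Address     0027.0cd8.3780
             Cost        3
             Port        56 (Port-channel1)
  Bridge ID  Priority    28719  (priority 28672 sys-id-ext 47)
             Address     0027.0ce0.8f00
Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- ----------
Gi0/27              Desg FWD 19        128.27   P2p
Po1                 Root FWD 3         128.56   P2p
"""

@dataclass
class Port:
    role: str
    state: str
    cost: int
    port_id: Tuple[int, int]  # (priority, number) from the Prio.Nbr column

@dataclass
class StpVlan:
    root_id: Tuple[int, str]
    bridge_id: Tuple[int, str]
    root_cost: int            # 0 when this bridge is the root
    root_port: Optional[str]
    ports: Dict[str, Port] = field(default_factory=dict)

PORT_RE = re.compile(r"^(\S+)\s+(Root|Desg|Altn|Back)\s+(\w+)\s+(\d+)\s+(\d+)\.(\d+)", re.M)

def parse_show_spanning_tree(text: str) -> StpVlan:
    """Pull root ID, own bridge ID, root cost/port and the per-port table."""
    prios = [int(p) for p in re.findall(r"Priority\s+(\d+)", text)]   # Root ID, then Bridge ID
    addrs = re.findall(r"Address\s+([0-9a-f.]{14})", text)
    cost = re.search(r"Cost\s+(\d+)", text)                              # absent on the root bridge
    rport = re.search(r"Port\s+\d+ \((\S+)\)", text)
    ports = {m[0]: Port(m[1], m[2], int(m[3]), (int(m[4]), int(m[5])))
             for m in PORT_RE.findall(text)}
    return StpVlan((prios[0], addrs[0]), (prios[1], addrs[1]),
                   int(cost.group(1)) if cost else 0,
                   rport.group(1) if rport else None, ports)

def root_path_cost_via(neighbor: StpVlan, local_port_cost: int) -> int:
    """RSTP adds the receiving port's cost to the root cost the neighbour advertises."""
    return neighbor.root_cost + local_port_cost

@dataclass(order=True)
class Candidate:
    root_path_cost: int
    sender_bridge_id: Tuple[int, str]
    local_port_id: Tuple[int, int]
    port: str = field(compare=False)

def choose_root_port(cands: List[Candidate]) -> str:
    """Lowest root path cost wins, then lowest sender bridge ID, then lowest local
    port ID (the sender port ID step of the standard tie-break is omitted here)."""
    return min(cands).port

def swt02_candidates(fa01_cost: int = 19) -> List[Candidate]:
    """SWT02's two paths to the VLAN 47 root.  Assumption: the BPDU on Fa0/1 is
    SWT04's, relayed unchanged through the non-STP ASA switch ports."""
    swt01, swt02, swt04 = (parse_show_spanning_tree(t) for t in (SWT01_OUT, SWT02_OUT, SWT04_OUT))
    return [
        Candidate(root_path_cost_via(swt01, swt02.ports["Po1"].cost),
                  swt01.bridge_id, swt02.ports["Po1"].port_id, "Po1"),
        Candidate(root_path_cost_via(swt04, fa01_cost),
                  swt04.bridge_id, swt02.ports["Fa0/1"].port_id, "Fa0/1"),
    ]

if __name__ == "__main__":
    swt02 = parse_show_spanning_tree(SWT02_OUT)
    for c in swt02_candidates():
        print(f"{c.port}: root path cost {c.root_path_cost}")
    print("SWT02 reports cost", swt02.root_cost, "-> root port", choose_root_port(swt02_candidates()))
    print("If Fa0/1 cost were 100 -> root port", choose_root_port(swt02_candidates(100)))
```

Running it prints 31 for Po1 and 22 for Fa0/1, so Fa0/1 stays the root port and Po1 is the alternate; only when the Fa0/1 cost is raised well above the 12-point gap does the port-channel win.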

Hi,

1. It is connected to the bottom firewall.

2. Yes, SWT03 needs to stay the root bridge. I want 'normal' behaviour from the firewalls, so, as FWL02 is the standby (I have checked), the switches should always see the root ports pointing towards the active firewall.

I hear what you are saying about increasing the path cost, but this behaviour is clearly not normal so I was hoping to correct the issue without having to alter it. If I do alter the path cost then I have the chance of FWL01 still being the root port for the switches even when the firewalls fail over, which will just swap the issue around.

Thanks,

Chris

Vivek Ganapathi
Level 4

Hello Chris,

Based on your diagram, you have fully-meshed connectivity between SWT01, SWT02, FWL01 & FWL02. But based on your spanning-tree outputs, I am not seeing those interfaces in there. Were the outputs omitted? Please provide me those as well.

Is it possible for you to provide me the ASA interface configs + failover configs? Also, do you see the firewalls to be really in Active-Standby as desired? Basically this issue could happen when the ASAs see each other as ACTIVE-ACTIVE because of a failed heart-beat.

Thanks

Vivek

Hi Vivek,

Sorry about the delay on this answer but here is all the information I am sure you will need:

SWT01#

interface FastEthernet0/1
description FWL01A/01
switchport trunk allowed vlan 30,40,47,48
switchport mode trunk
speed 100
duplex full

interface FastEthernet0/7
description FWL01A/03 - FAILOVER
switchport access vlan 99
switchport mode access
speed 100
duplex full
spanning-tree portfast

SWT02#

interface FastEthernet0/1
description FWL01B/01
switchport trunk allowed vlan 30,40,47,48
switchport mode trunk
speed 100
duplex full

interface FastEthernet0/7
description FWL01B/03 - FAILOVER
switchport access vlan 99
switchport mode access
speed 100
duplex full
spanning-tree portfast

FWL01#

interface Vlan47
nameif MONE-TRU01
security-level 70
ip address 192.168.47.1 255.255.255.192 standby 192.168.47.2

interface Ethernet0/1
description SWT01/01
switchport trunk allowed vlan 30,40,47-48
switchport mode trunk
speed 100
duplex full

interface Ethernet0/6
description SWT03/07
switchport trunk allowed vlan 47-48,308
switchport mode trunk
speed 100
duplex full


        This host: Primary - Active
                Active time: 1998585 (sec)
                slot 0: ASA5505 hw/sw rev (1.0/8.0(4)) status (Up Sys)
                  Interface outside (10.19.48.83): Normal
                  Interface DMZ-2 (192.168.30.1): Normal
        Other host: Secondary - Standby Ready
                Active time: 0 (sec)
                slot 0: ASA5505 hw/sw rev (1.0/8.0(4)) status (Up Sys)
                  Interface outside (10.19.48.84): Normal
                  Interface DMZ-2 (192.168.30.2): Normal


SWT03#

interface GigabitEthernet0/1
description SWT04/G01
switchport trunk allowed vlan 1-57,59-4094
switchport mode trunk
speed 1000
duplex full
channel-group 1 mode on

interface GigabitEthernet0/2
description SWT04/G02
switchport trunk allowed vlan 1-57,59-4094
switchport mode trunk
speed 1000
duplex full
channel-group 1 mode on

interface GigabitEthernet0/27
description FWL01/06
switchport trunk allowed vlan 47,48,308
switchport mode trunk
speed 100
duplex full

SWT03#sh spanning-tree vlan 47

VLAN0047
  Spanning tree enabled protocol rstp
  Root ID    Priority    4143
             Address     0027.0cd8.3780
             This bridge is the root
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    4143   (priority 4096 sys-id-ext 47)
             Address     0027.0cd8.3780
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi0/6               Desg FWD 4         128.6    P2p
Gi0/21              Desg FWD 19        128.21   P2p
Gi0/22              Desg FWD 19        128.22   P2p
Gi0/27              Desg FWD 19        128.27   P2p
Po1                 Desg FWD 3         128.56   P2p
Po2                 Desg FWD 3         128.64   P2p


SWT04#

interface GigabitEthernet0/1
description SWT03/G01
switchport trunk allowed vlan 1-57,59-4094
switchport mode trunk
speed 1000
duplex full
channel-group 1 mode on

interface GigabitEthernet0/2
description SWT03/G02
switchport trunk allowed vlan 1-57,59-4094
switchport mode trunk
speed 1000
duplex full
channel-group 1 mode on

interface GigabitEthernet0/27
description FWL01B/06
switchport trunk allowed vlan 47,48,308
switchport mode trunk
speed 100
duplex full

SWT04#sh spanning-tree vlan 47

VLAN0047
  Spanning tree enabled protocol rstp
  Root ID    Priority    4143
             Address     0027.0cd8.3780
             Cost        3
             Port        56 (Port-channel1)
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec

  Bridge ID  Priority    28719  (priority 28672 sys-id-ext 47)
             Address     0027.0ce0.8f00
             Hello Time   2 sec  Max Age 20 sec  Forward Delay 15 sec
             Aging Time 300

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Gi0/5               Desg FWD 4         128.5    P2p
Gi0/21              Desg FWD 19        128.21   P2p
Gi0/22              Desg FWD 19        128.22   P2p
Gi0/27              Desg FWD 19        128.27   P2p
Po1                 Root FWD 3         128.56   P2p
Po2                 Desg FWD 3         128.64   P2p

I have also included a new image, sorry, when I revisited it I realized it was wrong, please note the failover VLAN is the only one allowed through the failover cable:

Thanks in advance,

Chris
