
I've got two ASA 5515s connected in failover Active/Standby (on Gi0/5).

My two ASAs are connected to two ProCurve 2920 switches to have HA if something happens. So I plugged them in something like this (don't pay attention to the arrows):

diagram

So on the ASA, I created a Port-Channel like this:

interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 192.168.1.3 255.255.255.0 standby 192.168.1.4
!
interface GigabitEthernet0/1
speed 1000
duplex full
channel-group 1 mode passive
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/2
speed 1000
duplex full
channel-group 1 mode passive
no nameif
no security-level
no ip address
!
interface Port-channel1.1
vlan 1
nameif inside
security-level 100
ip address 192.168.8.1 255.255.255.0 standby 192.168.8.2
!
interface Port-channel1.10
vlan 10
nameif guest
security-level 50
ip address 172.16.100.2 255.255.255.224 standby 172.16.100.3
!
interface Port-channel1.16
vlan 16
nameif dmz
security-level 50
ip address 192.168.16.1 255.255.255.0 standby 192.168.16.2

On the switches, I created an LACP-capable trunk with ports 1 and 2 on each switch, forced the speed to 1000 and put the ports in full duplex mode.

BUT this is not working... I tried many things and I can't make it work.

In this configuration, I can't ping anything between my ASA and my switch (or any object connected to it). Here is what I get on my ASA:

Channel group 1
                             LACP port     Admin     Oper    Port        Port
Port      Flags   State      Priority      Key       Key     Number      State
-----------------------------------------------------------------------------
Gi0/2     SP      not-bndl   32768         0x1       0x1     0x3         0xc  
Gi0/1     FP      not-bndl   32768         0x1       0x1     0x2         0x6

And on the switches:

PORT   LACP      TRUNK   PORT     LACP      LACP
NUMB   ENABLED   GROUP   STATUS   PARTNER   STATUS
-----  -------   -----   ------   -------   ------
1      Active    trk1    Broken   Yes       Failure
2      Active    trk1    Broken   Yes       Failure

If I change the Cisco interface to LACP mode On, I can ping the switch from the ASA, but no other objects connected to the switch. If I look at the status of LACP on the switch I see this:

PORT   LACP      TRUNK   PORT     LACP      LACP
NUMB   ENABLED   GROUP   STATUS   PARTNER   STATUS
-----  -------   -----   ------   -------   ------
1      Active    trk1    Up       No        Success
2      Active    trk1    Up       No        Success

I don't have any clue what's going on, so if someone has any idea and can help me with this, it would be great!

Feel free to ask me anything if you need any more information!

Thanks a lot!

user979276
  • I'm fairly sure that this is not a supported configuration from Cisco. Cisco documents typically have each ASA going into *one* switch only, and then stacking or uplinks on the switches. Then you configure the ASA to poll over a dedicated FO interface to detect device or interface failure, and then you have another poll set up to poll the devices over the switching interfaces. This will then allow the ASAs to fail over in the event of a switch OR ASA failure. – Mark Henderson Nov 25 '15 at 18:20

1 Answer


You can't use LACP across multiple switches unless those switches support SMLT (which the 2920 doesn't).

You'll have to configure the aggregated/trunk links manually.

Chris S
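What "configure the aggregated/trunk links manually" looks like on both sides, as an added illustration that is not part of the answer or of the asker's running configuration. It assumes a static (non-LACP) channel on the ASA, so `mode passive` becomes `mode on`, and a static ProCurve trunk (`trk1` of type `trunk` rather than `lacp`) carrying the three VLANs the ASA subinterfaces tag (1, 10 and 16, from the question's config); the VLAN names are constructed placeholders. The trunk type on the switch must match the channel mode on the ASA, since a static trunk never exchanges LACPDUs and a passive LACP port never bundles without a partner.

```text
! ASA: member ports of Port-channel1, static bundling (no LACP negotiation)
interface GigabitEthernet0/1
 speed 1000
 duplex full
 channel-group 1 mode on
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/2
 speed 1000
 duplex full
 channel-group 1 mode on
 no nameif
 no security-level
 no ip address
! Port-channel1.1 / .10 / .16 subinterfaces stay as in the question.

; ProCurve 2920: static trunk on ports 1-2 (type "trunk", not "lacp")
trunk 1-2 trk1 trunk
; Every VLAN the ASA tags on Port-channel1.x must be tagged on trk1
vlan 1
   name "inside"      ; constructed name
   tagged trk1
vlan 10
   name "guest"       ; constructed name
   tagged trk1
vlan 16
   name "dmz"         ; constructed name
   tagged trk1
```

Verify with `show port-channel summary` on the ASA (member ports should show a bundled state) and `show trunks` on the switch; the LACP status tables in the question will no longer apply once the trunk is static.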