Issues are experienced on the switch connected to the ProxySG interfaces that will participate in a LACP deployment.
The most common issue arises when the switch reports that the aggregate interface is up, but the ProxySG reports a state of Synchronizing that never changes to Up.
Secondly, if the LACP Timeout values do not match on both sides, the LACP setup may become unstable.
Note: Bridging must be disabled if bridged interfaces are to be used to set up LACP. Refer to TECH241706 for more information.
The Synchronizing issue is usually due to a configuration error. Follow the interface aggregation requirements below to correct the behavior.
Two scenarios are provided below:
The ASG is connected to a Cisco switch as detailed below.
ASG:
ASG Interface 0:0 -- Cisco switch port 06
ASG Interface 1:0 -- Cisco switch port 05
Cisco Switch Interfaces setup:
CS1#sh run int gi0/5
!
interface GigabitEthernet0/5
 switchport access vlan 30
 switchport mode access
 channel-protocol lacp
 channel-group 2 mode active
end
CS1#sh run int gi0/6
!
interface GigabitEthernet0/6
 switchport access vlan 30
 switchport mode access
 channel-protocol lacp
 channel-group 2 mode active
end
Port Channel setup:
CS1#sh run int po2
!
interface Port-channel2
 switchport access vlan 30
 switchport mode access
end
VLAN setup:
CS1#sh run int vlan30
!
interface Vlan30
 ip address 10.xxx.15.2 255.255.255.0
 standby 30 ip 10.xxx.15.1
 standby 30 priority 200
 standby 30 preempt
end
Interface details:
CS1#sh int gi0/5
GigabitEthernet0/5 is up, line protocol is up (connected)
  Hardware is Gigabit Ethernet, address is 001b.536b.b385 (bia 001b.536b.b385)
  MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
CS1#sh int gi0/6
GigabitEthernet0/6 is up, line protocol is up (connected)
  Hardware is Gigabit Ethernet, address is 001b.536b.b386 (bia 001b.536b.b386)
  MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
LACP details:
CS1#sh lacp internal
Flags:  S - Device is requesting Slow LACPDUs
        F - Device is requesting Fast LACPDUs
        A - Device is in Active mode
        P - Device is in Passive mode
Channel group 2
                            LACP port     Admin     Oper    Port        Port
Port      Flags   State     Priority      Key       Key     Number      State
Gi0/5     SA      bndl      32768         0x2       0x2     0x106       0x3D
Gi0/6     SA      bndl      32768         0x2       0x2     0x107       0x3D
State status legend:
bndl - shows that LACP is successfully established.
indep - shows the interface acting independently.
down - shows the interface is down/not connected/etc.
ASG setup:
ASG CLI console output:
ASG#sh interface 0:0
Ethernet interface 0:0
Status: enabled
Internet address: 10.xxx.15.15 netmask 255.255.255.0
Internet address: fe80::2d0:83ff:fe09:e054 prefixlen 64
MTU size: 1500
Link status: autosensed to full duplex, 1 gigabit/sec network
Reject inbound: disabled
Allow intercept: enabled
VLAN trunk: enabled
Native VLAN: 1
Spanning tree: disabled
IPv6 auto-linklocal: enabled
Routing domain: default
Member of aggregate interface: aggr:0
ASG#sh interface 1:0
Ethernet interface 1:0
Status: enabled
MTU size: 1500
Link status: autosensed to full duplex, 1 gigabit/sec network
Reject inbound: disabled
Allow intercept: enabled
VLAN trunk: enabled
Native VLAN: 1
Spanning tree: disabled
IPv6 auto-linklocal: enabled
Routing domain: default
Member of aggregate interface: aggr:0
ASG#sh interface aggr:0
Aggregate interface aggr:0
Status: enabled
MTU size: 1500
LACP state: 2 Up
Reject inbound: disabled
Allow intercept: enabled
VLAN trunk: enabled
Native VLAN: 1
Spanning tree: disabled
IPv6 auto-linklocal: enabled
Member of the bridge: none
Routing domain: default
Member interfaces:
Ethernet interface 0:0
Status: enabled
LACP State: Up
Internet address: 10.xxx.15.15 netmask 255.255.255.0
Internet address: fe80::2d0:83ff:fe09:e054 prefixlen 64
Link status: autosensed to full duplex, 1 gigabit/sec network
Ethernet interface 1:0
Status: enabled
LACP State: Up
Link status: autosensed to full duplex, 1 gigabit/sec network
LACP Timeout Values:
The timeout values for LACP should match on both the switch and the ProxySG/ASG to prevent stability issues. The ProxySG and ASG have hard-coded LACP timeout values for both 'Long' and 'Short' timeouts. These cannot be shown on the appliance but are respectively:
The ProxySG is connected to a Cisco switch as detailed below.
ProxySG Interface 0:0 -- Cisco switch port 0/7
ProxySG Interface 1:0 -- Cisco switch port 0/8
Cisco Switch original configuration:
interface GigabitEthernet0/7
 description ProxySG_Int0:0
 switchport access vlan 109
 switchport mode access
!
interface GigabitEthernet0/8
 description ProxySG_Int0:1
 switchport access vlan 109
 switchport mode access
Configure the ports as trunk ports, then configure channel group 20 on the ports.
interface GigabitEthernet0/7
 description ProxySG_Int0:0
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-protocol lacp
 channel-group 20 mode active
!
interface GigabitEthernet0/8
 description ProxySG_Int0:1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-protocol lacp
 channel-group 20 mode active
When the trunk interfaces and channel-group are configured, Port-channel interface 20 is created automatically.
interface Port-channel20
 switchport trunk encapsulation dot1q
 switchport mode trunk
VLANs configured on Cisco Switch:
interface Vlan50
 description Aggregation VLAN
 ip address 192.168.50.1 255.255.255.0
!
interface Vlan51
 description Aggregation VLAN
 ip address 192.168.51.1 255.255.255.0
!
interface Vlan109
 description Aggregation VLAN
 ip address 10.138.10.130 255.255.255.128
ProxySG setup:
In our example, x.x.10.133 is configured on interface 0:0 for accessing the Management Console.
interface 0:0 ;mode
ip-address x.x.10.133 255.255.255.128
exit
After the switch ports are changed to trunk ports, the Management Console connection is lost, so the serial console/CLI is used to configure aggregation:
#config t
#interface 0:0
#no ip-address 10.138.10.133
#exit
#interface 0:0.109
#ip-address 10.138.10.133 255.255.255.128
#exit
#interface 0:0.50
#ip-address 192.168.50.33 255.255.255.0
#exit
#interface 0:0.51
#ip-address 192.168.51.33 255.255.255.0
#exit
#interface 1:0.109
#exit
#interface 1:0.50
#exit
#interface 1:0.51
#exit
#interface aggr:0
#add 0:0
#add 1:0
A. On the Cisco switch, the command show etherchannel summary displays the port-channel interface. If the port channel is established successfully, the ports will be in the "P" state, i.e. bundled in the port-channel.
In our example, Port-channel group 20 is established successfully.
Switch#show etherchannel summary
Flags: D - down P - bundled in port-channel
I - stand-alone s - suspended
H - Hot-standby (LACP only)
R - Layer3 S - Layer2
U - in use f - failed to allocate aggregator
M - not in use, minimum links not met
u - unsuitable for bundling
w - waiting to be aggregated
d - default port
Number of channel-groups in use: 1
Number of aggregators: 1
Group Port-channel Protocol Ports
------+-------------+-----------+-----------------------------------------------
20 Po20(SU) LACP Gi0/7(P) Gi0/8(P)
B. Once the port-channel is up, the ProxySG should be able to ping its default gateways, 192.168.50.1 and 192.168.51.1.
C. Launch the ProxySG Management Console via 10.138.10.133.
Failover check: go to the switch and shut down port GE0/7; the network is still connected.
Switch#show etherchannel summary
Flags: D - down P - bundled in port-channel
I - stand-alone s - suspended
H - Hot-standby (LACP only)
R - Layer3 S - Layer2
U - in use f - failed to allocate aggregator
M - not in use, minimum links not met
u - unsuitable for bundling
w - waiting to be aggregated
d - default port
Number of channel-groups in use: 2
Number of aggregators: 2
Group Port-channel Protocol Ports
------+-------------+-----------+-----------------------------------------------
1 Po1(SU) - Gi0/23(P) Gi0/24(P)
20 Po20(SU) LACP Gi0/7(D) Gi0/8(P)
Switch#ping 192.168.50.33
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.50.33, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/3/9 ms
Switch#ping 192.168.51.33
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.51.33, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/3/9 ms
Switch#ping 10.138.10.133
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.138.10.133, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/9 ms
On the ProxySG, go to Configuration > Network > Adapters > Aggregate Interface; the LACP State now shows: 1 UP 1 Down
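As an added check that is not part of the original note, the following Python script parses the switch's "show lacp internal" table and the ProxySG "show interface aggr:N" member list, reports any member that the switch does not show as bndl or that the ProxySG does not show as Up (the Synchronizing symptom described at the top), and reports which LACP timeout the switch is requesting (S = Slow/Long, F = Fast/Short) so it can be compared against the appliance's hard-coded values. Both sample outputs are constructed, modelled on the excerpts above.

```python
import re

# Constructed sample modelled on the 'show lacp internal' excerpt above
CISCO_LACP_INTERNAL = """\
Channel group 2
                            LACP port     Admin     Oper    Port        Port
Port      Flags   State     Priority      Key       Key     Number      State
Gi0/5     SA      bndl      32768         0x2       0x2     0x106       0x3D
Gi0/6     SA      bndl      32768         0x2       0x2     0x107       0x3D
"""

# Constructed sample of the common failure: switch bundled, one proxy member stuck synchronizing
PROXYSG_AGGR = """\
LACP state: 1 Up
Member interfaces:
Ethernet interface 0:0
Status: enabled
LACP State: Up
Ethernet interface 1:0
Status: enabled
LACP State: Synchronizing
"""

def parse_cisco_lacp(text):
    """Map switch port -> (flags, state) from 'show lacp internal' rows."""
    rows = re.finditer(r"^(\S+)\s+([SF][AP])\s+(bndl|indep|down)\b", text, re.M)
    return {m.group(1): (m.group(2), m.group(3)) for m in rows}

def parse_proxysg_aggr(text):
    """Map ProxySG member interface -> LACP state from 'show interface aggr:N'."""
    rows = re.finditer(r"Ethernet interface (\S+)\nStatus: \S+\nLACP State: (\w+)", text)
    return {m.group(1): m.group(2) for m in rows}

def switch_timeout(cisco):
    """Timeout the switch requests on its members: S flag = Long, F flag = Short."""
    flags = {f[0] for f, _ in cisco.values()}
    if flags == {"S"}:
        return "Long"
    if flags == {"F"}:
        return "Short"
    return "mixed"

def lacp_findings(cisco, proxysg):
    """List mismatches; an empty list means both sides report every member as bundled/Up."""
    findings = [f"switch {p} is {s}, not bndl" for p, (_, s) in cisco.items() if s != "bndl"]
    findings += [f"ProxySG {m} reports {s}, not Up" for m, s in proxysg.items() if s != "Up"]
    return findings
```

Paste the real command outputs in place of the constructed samples; compare switch_timeout() with the appliance's hard-coded timeout and treat any non-empty lacp_findings() as the configuration to investigate first.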
This configuration does not work for a proxy running on SSP-410. For ISG configuration, refer to the following tech note:
https://techdocs.broadcom.com/us/en/symantec-security-software/web-and-network-security/integrated-secure-gateway/2-3/About-ISG/manage-lags.html