LACP aggregation on a ProxySG or Advanced Secure Gateway Appliance

Article ID: 169269

Products

ProxySG Software - SGOS SWG VA-100

Issue/Introduction

Problems appear on the switch connected to the proxy interfaces that will participate in an LACP deployment.

The most common issue is that the switch reports the aggregate interface as up, while the ProxySG reports a state of Synchronizing that never changes to Up.
Secondly, if the LACP Timeout values on the two sides do not match, the LACP setup may become unstable.

Note: Bridging must be disabled if bridged interfaces are to be used to set up LACP. Please refer to TECH241706 for more information.

Resolution

The Synchronizing issue is usually caused by a configuration error. Follow the requirements for interface aggregation below to correct the behavior.

  1. The aggregation interfaces on the switch must be configured with the same LACP port-channel and VLAN.
  2. The ProxySG aggregation interfaces must be connected to switch ports that are part of the same LACP port-channel and VLAN.
  3. The interfaces on both the ProxySG/ASG side and the switch side must be in full-duplex mode.
  4. The data transmission rate (link speed) must be the same on all interfaces that are part of the LACP bundle.
  5. For LACP, the minimum data transmission rate (link speed) is 1 Gbit/s.
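
Requirements 1 and 2 can be checked mechanically before the bundle is brought up. The following is an added example, not code from this article or from Broadcom: it parses Cisco IOS "show run interface" text for the candidate member ports and reports every attribute that differs between them. The sample configuration is constructed for the example and deliberately puts Gi0/6 on the wrong VLAN.

```python
import re

# Constructed sample (not from the article): port 0/6 is on the wrong VLAN.
SAMPLE_RUN = """\
interface GigabitEthernet0/5
 switchport access vlan 30
 switchport mode access
 channel-protocol lacp
 channel-group 2 mode active
end
interface GigabitEthernet0/6
 switchport access vlan 31
 switchport mode access
 channel-protocol lacp
 channel-group 2 mode active
end
"""

# Attributes that must agree across every member port of one LACP bundle.
ATTRS = {
    "vlan": re.compile(r"^switchport (?:access|trunk native) vlan (\d+)$"),
    "mode": re.compile(r"^switchport mode (\w+)$"),
    "protocol": re.compile(r"^channel-protocol (\w+)$"),
    "group": re.compile(r"^channel-group (\d+) mode \w+$"),
}

def parse_interfaces(text):
    """Map each 'interface X' stanza to the attributes found inside it."""
    ifaces, cur = {}, None
    for line in text.splitlines():
        head = re.match(r"^interface (\S+)", line)
        if head:
            cur = ifaces.setdefault(head.group(1), {})
            continue
        if cur is None:
            continue
        for name, pat in ATTRS.items():
            m = pat.match(line.strip())
            if m:
                cur[name] = m.group(1)
    return ifaces

def check_members(ifaces):
    """Return human-readable problems; an empty list means the ports agree."""
    problems = []
    for name in ATTRS:
        seen = {port: attrs.get(name) for port, attrs in ifaces.items()}
        if len(set(seen.values())) > 1:
            detail = ", ".join(f"{p}={v}" for p, v in seen.items())
            problems.append(f"{name} differs: {detail}")
    if any(a.get("protocol") != "lacp" for a in ifaces.values()):
        problems.append("every member must use channel-protocol lacp")
    return problems

if __name__ == "__main__":
    for p in check_members(parse_interfaces(SAMPLE_RUN)):
        print("MISMATCH:", p)
```

A missing attribute on one port (for example, no channel-group line) also shows up as a difference, which covers the case where one switch port was never added to the port-channel.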


Two scenarios are provided below:

  1. Connecting to switch access interfaces
  2. Connecting to switch trunk interfaces


1. Advanced Secure Gateway (ASG) LACP Deployment Example (Access Interface)

The ASG is connected to a Cisco switch as detailed below.

ASG:

ASG Interface 0:0 -- Cisco switch port 06
ASG Interface 1:0 -- Cisco switch port 05

Cisco Switch Interfaces setup:

CS1#sh run int gi0/5 
!
interface GigabitEthernet0/5
 switchport access vlan 30
 switchport mode access
 channel-protocol lacp
 channel-group 2 mode active
end

CS1#sh run int gi0/6 
!
interface GigabitEthernet0/6
 switchport access vlan 30
 switchport mode access
 channel-protocol lacp
 channel-group 2 mode active
end


Port Channel setup:

CS1#sh run int po2
!
interface Port-channel2
 switchport access vlan 30
 switchport mode access
end

VLAN setup:

CS1#sh run int vlan30
!
interface Vlan30
 ip address 10.xxx.15.2 255.255.255.0
 standby 30 ip 10.xxx.15.1
 standby 30 priority 200
 standby 30 preempt
end

Interface details:

CS1#sh int gi0/5   
GigabitEthernet0/5 is up, line protocol is up (connected) 
  Hardware is Gigabit Ethernet, address is 001b.536b.b385 (bia 001b.536b.b385)
  MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec, 

CS1#sh int gi0/6 
GigabitEthernet0/6 is up, line protocol is up (connected) 
  Hardware is Gigabit Ethernet, address is 001b.536b.b386 (bia 001b.536b.b386)
  MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec, 

LACP details:

CS1#sh lacp internal 
Flags:  S - Device is requesting Slow LACPDUs 
        F - Device is requesting Fast LACPDUs
        A - Device is in Active mode       P - Device is in Passive mode     

Channel group 2
                            LACP port     Admin     Oper    Port        Port
Port      Flags   State     Priority      Key       Key     Number      State
Gi0/5     SA      bndl      32768         0x2       0x2     0x106       0x3D  
Gi0/6     SA      bndl      32768         0x2       0x2     0x107       0x3D  

State status legend:

bndl - LACP is successfully established on the interface.
indep - the interface is acting independently.
down - the interface is down, not connected, etc.

ASG setup:

  1. Go to Management Console > Proxy > Configuration > Network > Adapters > Interfaces.
  2. Set an IP address on either interface 0:0 or 1:0. In this example, the IP is set on interface 0:0 (as primary).
  3. Highlight interface 0:0 > highlight Physical Interface > Edit > Add IP > assign the IP address accordingly.
  4. Highlight interface 1:0 > highlight Physical Interface > Edit > remove IPv6 from this interface.
  5. Go to Management Console > Proxy > Configuration > Network > Adapters > Aggregate Interfaces > New Aggregate Interface.
  6. Enable the aggr:# interface by checking the Enabled box.
  7. Set a label for the new interface.
  8. Under Aggregation, verify that the interfaces you want to add to this aggregation are present. In this example, interfaces 0:0 and 1:0 are included.
  9. After creating the aggregated interface, the LACP state shows a status of Creation pending. Refresh the page to correct this.
  10. If after refreshing the page the state still reports Creation pending, close the current browser session and launch a new one. You should then see the LACP State as "# Up" (for example, "2 Up").
  11. If restarting the browser session did not resolve the issue, log in to an enable-mode CLI console via SSH and run show interface 0:0, show interface 1:0 and show interface aggr:0 to check the status.


ASG CLI console output:

ASG#sh interface 0:0
  Ethernet interface 0:0
    Status:               enabled
    Internet address:     10.xxx.15.15 netmask 255.255.255.0
    Internet address:     fe80::2d0:83ff:fe09:e054 prefixlen 64
    MTU size:             1500
    Link status:          autosensed to full duplex, 1 gigabit/sec network
    Reject inbound:       disabled
    Allow intercept:      enabled
    VLAN trunk:           enabled
    Native VLAN:          1
    Spanning tree:        disabled
    IPv6 auto-linklocal:  enabled
    Routing domain:       default
    Member of aggregate interface: aggr:0
ASG#sh interface 1:0
  Ethernet interface 1:0
    Status:               enabled
    MTU size:             1500
    Link status:          autosensed to full duplex, 1 gigabit/sec network
    Reject inbound:       disabled
    Allow intercept:      enabled
    VLAN trunk:           enabled
    Native VLAN:          1
    Spanning tree:        disabled
    IPv6 auto-linklocal:  enabled
    Routing domain:       default
    Member of aggregate interface: aggr:0

ASG#sh interface aggr:0
  Aggregate interface aggr:0
    Status:               enabled
    MTU size:             1500
    LACP state:           2 Up
    Reject inbound:       disabled
    Allow intercept:      enabled
    VLAN trunk:           enabled
    Native VLAN:          1
    Spanning tree:        disabled
    IPv6 auto-linklocal:  enabled
    Member of the bridge: none
    Routing domain:       default
    Member interfaces:
        Ethernet interface 0:0
          Status:               enabled
          LACP State:           Up
          Internet address:     10.xxx.15.15 netmask 255.255.255.0
          Internet address:     fe80::2d0:83ff:fe09:e054 prefixlen 64
          Link status:          autosensed to full duplex, 1 gigabit/sec network
        Ethernet interface 1:0
          Status:               enabled
          LACP State:           Up
          Link status:          autosensed to full duplex, 1 gigabit/sec network

LACP Timeout Values:

The LACP timeout values must match on both the switch and the ProxySG/ASG to prevent stability issues. The ProxySG and ASG have hard-coded LACP timeout values for both the Long and Short timeouts. These cannot be displayed on the appliance; they are, respectively:

  • Long Timeout = 30 seconds
  • Short Timeout = 3 seconds


2. ProxySG LACP Deployment Example (Trunk Interface)

The ProxySG is connected to a Cisco switch as detailed below.

ProxySG Interface 0:0 -- Cisco switch port 0/7
ProxySG Interface 1:0 -- Cisco switch port 0/8


Cisco Switch original configuration:

interface GigabitEthernet0/7
 description ProxySG_Int0:0
 switchport access vlan 109
 switchport mode access
!
interface GigabitEthernet0/8
 description ProxySG_Int0:1
 switchport access vlan 109
 switchport mode access


Configure the ports as trunk ports, then configure channel group 20 on the ports.

interface GigabitEthernet0/7
 description ProxySG_Int0:0
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-protocol lacp
 channel-group 20 mode active
!
interface GigabitEthernet0/8
 description ProxySG_Int0:1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-protocol lacp
 channel-group 20 mode active


When the trunk interfaces and channel-group are configured, Port-channel interface 20 is created automatically.

interface Port-channel20
 switchport trunk encapsulation dot1q
 switchport mode trunk


VLANs configured on Cisco Switch:

interface Vlan50
 description Aggregation VLAN
 ip address 192.168.50.1 255.255.255.0
!
interface Vlan51
 description Aggregation VLAN
 ip address 192.168.51.1 255.255.255.0

interface Vlan109
 description Aggregation VLAN
 ip address 10.138.10.130 255.255.255.128


ProxySG setup:

In our example, x.x.10.133 is configured on interface 0:0 for accessing the Management Console.

interface 0:0 ;mode
ip-address x.x.10.133 255.255.255.128
exit


After the switch ports are changed to trunk ports, the Management Console connection is lost, so the serial console/CLI is used to configure aggregation:

1. Remove IP from interface 0:0

#config t
#interface 0:0
#no ip-address 10.138.10.133
#exit

2. Create VLAN 109, and configure the interface with IP address 10.138.10.133

#interface 0:0.109
#ip-address 10.138.10.133 255.255.255.128
#exit

3. Create VLAN 50 and 51 on interface 0:0 and corresponding IP Addresses

#interface 0:0.50
#ip-address 192.168.50.33 255.255.255.0
#exit
#interface 0:0.51
#ip-address 192.168.51.33 255.255.255.0
#exit

4. Add VLAN 50, 51 and 109 to interface 1:0

#interface 1:0.109
#exit
#interface 1:0.50
#exit
#interface 1:0.51
#exit

5. Aggregate interfaces 0:0 and 1:0

#interface aggr:0
#add 0:0
#add 1:0


6. Verification

A. On the Cisco switch, the command show etherchannel summary displays the port-channel interface. If the port channel is established successfully, the ports are in the "P" state, i.e. bundled in port-channel.
In our example, port-channel group 20 is established successfully.

Switch#show etherchannel summary
Flags:  D - down        P - bundled in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        U - in use      f - failed to allocate aggregator

        M - not in use, minimum links not met
        u - unsuitable for bundling
        w - waiting to be aggregated
        d - default port

Number of channel-groups in use: 1
Number of aggregators:           1

Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
20     Po20(SU)        LACP      Gi0/7(P)    Gi0/8(P)


B. Once the port-channel is up, the ProxySG should be able to ping its default gateways, 192.168.50.1 and 192.168.51.1.

C. Launch the ProxySG Management Console via 10.138.10.133.


7. Testing

On the switch, shut down port GE0/7; the network remains connected over the remaining member.

Switch#show etherchannel summary
Flags:  D - down        P - bundled in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        U - in use      f - failed to allocate aggregator

        M - not in use, minimum links not met
        u - unsuitable for bundling
        w - waiting to be aggregated
        d - default port

Number of channel-groups in use: 2
Number of aggregators:           2

Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
1      Po1(SU)          -        Gi0/23(P)   Gi0/24(P)
20     Po20(SU)        LACP      Gi0/7(D)    Gi0/8(P)


Switch#ping 192.168.50.33
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.50.33, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/3/9 ms

Switch#ping 192.168.51.33
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.51.33, timeout is 2 seconds:
.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/3/9 ms

Switch#ping 10.138.10.133
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.138.10.133, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/9 ms


In the ProxySG Management Console, Configuration > Network > Adapters > Aggregate Interface now shows LACP State: 1 UP 1 Down.
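
The verification and testing steps above both rely on reading show etherchannel summary by eye. The following is an added example, not code from this article or from Broadcom: it parses that output and classifies each port-channel as ok, degraded (some members not in the P state, as after shutting Gi0/7) or down, so a loss of redundancy can be alerted on rather than noticed only when the second link fails. The sample output is constructed, modelled on the switch output shown in the Testing step.

```python
import re

# Constructed sample modelled on the article's 'show etherchannel summary'
# output after Gi0/7 was shut down: Po20 is still up, but on one link only.
SAMPLE_SUMMARY = """\
Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
1      Po1(SU)          -        Gi0/23(P)   Gi0/24(P)
20     Po20(SU)        LACP      Gi0/7(D)    Gi0/8(P)
"""

# One data row: group, Po name, Po flags, protocol, then the member list.
ROW = re.compile(r"^(\d+)\s+(Po\d+)\(([A-Za-z]+)\)\s+(\S+)\s+(.*)$")
# One member entry such as 'Gi0/7(D)'.
PORT = re.compile(r"(\S+?)\(([A-Za-z]+)\)")

def parse_summary(text):
    """Return one dict per port-channel with its flags and member states."""
    bundles = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # header, separator and flag legend lines
        group, name, flags, proto, ports = m.groups()
        bundles.append({
            "group": int(group), "name": name, "flags": flags,
            "protocol": proto, "ports": dict(PORT.findall(ports)),
        })
    return bundles

def bundle_health(bundle):
    """'down' if the aggregator is not in use, 'degraded' if any member is
    not bundled (P), otherwise 'ok'."""
    flags = bundle["flags"]
    if "D" in flags or "U" not in flags:
        return "down"
    if any(state != "P" for state in bundle["ports"].values()):
        return "degraded"
    return "ok"

def report(text):
    """Map each port-channel name to its health, e.g. for a periodic check."""
    return {b["name"]: bundle_health(b) for b in parse_summary(text)}

if __name__ == "__main__":
    for name, health in report(SAMPLE_SUMMARY).items():
        print(f"{name}: {health}")
```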


Additional Information

This configuration does not work for a proxy running on SSP-410. For ISG configuration, please refer to the tech note below:
https://techdocs.broadcom.com/us/en/symantec-security-software/web-and-network-security/integrated-secure-gateway/2-3/About-ISG/manage-lags.html