...
LACP packets through an inline set on Firepower Threat Defense (FTD) are silently dropped. These packets are not visible in inline interface captures. The outputs below are taken from a device in a controlled environment where LACP was the only traffic through the FTD.

firepower# show inline-set
Inline-set is35                               <======== Inline set
  Mtu is 1500 bytes
  Fail-open for snort down is on
  Fail-open for snort busy is off
  Tap mode is off
  Propagate-link-state option is off
  hardware-bypass mode is disabled
  Interface-Pair[1]:
    Interface: Ethernet1/3 "if3"              <======== Inline set member Eth1/3
      Current-Status: UP
    Interface: Ethernet1/5 "if5"              <======== Inline set member Eth1/5
      Current-Status: UP
    Bridge Group ID: 509

firepower# capture cap3 type raw-data trace interface if3
[Capturing - 0 bytes]                         <======== Capture without a filter
firepower# capture cap5 type raw-data trace interface if5
[Capturing - 0 bytes]                         <======== Capture without a filter
firepower# capture cap3_lacp type raw-data ethernet-type 34825 interface if3
[Capturing - 0 bytes]                         <======== LACP-specific capture
firepower# capture cap5_lacp type raw-data ethernet-type 34825 interface if5
[Capturing - 0 bytes]                         <======== LACP-specific capture
firepower# capture capasp type asp-drop all
[Capturing - 0 bytes]                         <======== No packets in the ASP drop capture

Ethernet-type 34825 above is the decimal value of the LACP/Slow Protocols EtherType (0x8809). Firepower internal switch statistics can be checked with the port manager counters in the local-management command shell.
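The capture filter above selects frames by EtherType; what it is looking for is an LACPDU, which is an Ethernet frame sent to the Slow Protocols multicast MAC 01:80:C2:00:00:02 with EtherType 0x8809 (34825) and LACP subtype 1. The following Python is an added example, not code from the page or from Cisco: it constructs a sample LACPDU (Actor TLV only, padded to the 124-byte pre-FCS frame length, which is why such frames land in the "Size 128 to 255" counter once the FCS is added), decodes it, and compares the LACPDU count seen on the two members of an inline pair so that a non-zero `lacp_missing` flags frames that entered one interface but never left the other. The frame contents and MAC addresses are constructed.

```python
import struct
from typing import Dict, List

# IEEE 802.3 Slow Protocols destination MAC and EtherType (LACP and Marker PDUs).
# 0x8809 is decimal 34825, the value used in the ethernet-type capture filter above.
SLOW_PROTOCOLS_MAC = bytes.fromhex("0180c2000002")
SLOW_PROTOCOLS_ETHERTYPE = 0x8809
LACP_SUBTYPE = 0x01
LACPDU_FRAME_LEN = 124  # 14-byte Ethernet header + 110-byte LACPDU, before the 4-byte FCS


def build_lacpdu(src_mac: str, actor_system: str, actor_port: int) -> bytes:
    """Construct a minimal LACPDU with only the Actor TLV filled in (constructed sample, not a capture)."""
    src = bytes.fromhex(src_mac.replace(":", ""))
    header = SLOW_PROTOCOLS_MAC + src + struct.pack("!H", SLOW_PROTOCOLS_ETHERTYPE)
    # Actor TLV: type 1, length 20, system priority, system ID, key, port priority, port, state, 3 reserved
    actor = struct.pack("!BBH6sHHHB3x", 1, 20, 32768,
                        bytes.fromhex(actor_system.replace(":", "")), 1, 32768, actor_port, 0x3D)
    pdu = bytes([LACP_SUBTYPE, 0x01]) + actor  # subtype + version number, then the Actor TLV
    # Partner/Collector/Terminator TLVs and reserved bytes are left zero for brevity
    return (header + pdu).ljust(LACPDU_FRAME_LEN, b"\x00")


def parse_frame(frame: bytes) -> dict:
    """Decode the Ethernet header and, when the frame is an LACPDU, its Actor TLV."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    is_lacp = (ethertype == SLOW_PROTOCOLS_ETHERTYPE and dst == SLOW_PROTOCOLS_MAC
               and len(frame) >= 33 and frame[14] == LACP_SUBTYPE)
    out = {"dst": dst.hex(":"), "src": src.hex(":"), "ethertype": ethertype, "is_lacp": is_lacp}
    if is_lacp:
        # Actor TLV starts at offset 16 (after subtype and version)
        _, _, sys_prio, sys_id, key, port_prio, port, state = struct.unpack("!BBH6sHHHB", frame[16:33])
        out["actor"] = {"system": sys_id.hex(":"), "key": key, "port": port, "state": state}
    return out


def compare_inline_captures(ingress: List[bytes], egress: List[bytes]) -> Dict[str, int]:
    """Count LACPDUs captured on each member of an inline pair.

    A non-zero 'lacp_missing' means LACPDUs arrived on one member interface but were
    not seen leaving the other, which is the symptom described on this page."""
    n_in = sum(parse_frame(f)["is_lacp"] for f in ingress)
    n_out = sum(parse_frame(f)["is_lacp"] for f in egress)
    return {"lacp_ingress": n_in, "lacp_egress": n_out, "lacp_missing": max(n_in - n_out, 0)}


# Constructed sample frames: an LACPDU as a switch port would send it, and an ARP request for contrast.
SAMPLE_LACPDU = build_lacpdu("10:b3:d5:bb:0f:06", "10:b3:d5:bb:0f:00", 5)
SAMPLE_ARP = (bytes.fromhex("ffffffffffff") + bytes.fromhex("10b3d5bb0f06")
              + struct.pack("!H", 0x0806)).ljust(60, b"\x00")

if __name__ == "__main__":
    print(parse_frame(SAMPLE_LACPDU))
    print(compare_inline_captures([SAMPLE_LACPDU, SAMPLE_LACPDU, SAMPLE_ARP], [SAMPLE_ARP]))
```

In practice the two frame lists would come from captures taken on the devices on either side of the inline set (the FTD captures themselves stay empty, as shown above), so the comparison is done on the neighbours' captures rather than on the firewall.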
The sent counter for both interfaces does not increase (counters at zero are hidden by the egrep invert-match filter, so only the received counters appear):

> connect fxos
firepower# connect local-mgmt
firepower(local-mgmt)# show portmanager counters ethernet 1 3 | egrep invert-match ": 0"
Good Octets Received   : 48184
Good Packets Received  : 284          <======== Good packets received
MC Packets Received    : 284          <======== Multicast packets received
Size 128 to 255        : 284          <======== Multicast packet size
linkChange             : 3

firepower(local-mgmt)# show portmanager counters ethernet 1 5 | egrep invert-match ": 0"
Good Octets Received   : 55058
Good Packets Received  : 306          <======== Good packets received
MC Packets Received    : 306          <======== Multicast packets received
Size 128 to 255        : 225          <======== Multicast packet size
Size 256 to 511        : 149
linkChange             : 3

The 'show portmanager switch mac-filters' command provides packet/byte statistics for each MAC-address based rule:

port ix  MAC               mask              action   packets  bytes
...
03   003 00:00:00:00:00:00 01:00:00:00:00:00 FORWARD
     00f 01:00:00:00:00:00 01:00:00:00:00:00 FORWARD  65       10030
     021 10:B3:D5:BB:0F:06 FF:FF:FF:FF:FF:FF FORWARD
     026 01:80:C2:00:00:02 FF:FF:FF:FF:FF:FF FORWARD                   <============= No match for LACP packets
     034 10:B3:D5:BB:0F:26 FF:FF:FF:FF:FF:FF FORWARD
     035 FF:FF:FF:FF:FF:FF FF:FF:FF:FF:FF:FF FORWARD
     3eb 00:00:00:00:00:00 01:00:00:00:00:00 DROP
     3f7 01:00:00:00:00:00 01:00:00:00:00:00 DROP
...
05   005 00:00:00:00:00:00 01:00:00:00:00:00 FORWARD
     011 01:00:00:00:00:00 01:00:00:00:00:00 FORWARD  66       10675
     01f 10:B3:D5:BB:0F:08 FF:FF:FF:FF:FF:FF FORWARD
     028 01:80:C2:00:00:02 FF:FF:FF:FF:FF:FF FORWARD                   <============= No match for LACP packets
     038 10:B3:D5:BB:0F:28 FF:FF:FF:FF:FF:FF FORWARD
     039 FF:FF:FF:FF:FF:FF FF:FF:FF:FF:FF:FF FORWARD
     3ed 00:00:00:00:00:00 01:00:00:00:00:00 DROP
     3f9 01:00:00:00:00:00 01:00:00:00:00:00 DROP

On the devices connected through the inline set, the LACP sent counters increase while the received counters do not, so the port-channel does not come up:

N3K-1# show port-channel summary interface port-channel 1
Flags:  D - Down        P - Up in port-channel (members)
        I - Individual  H - Hot-standby (LACP only)
        s - Suspended   r - Module-removed
        b - BFD Session Wait
        S - Switched    R - Routed
        U - Up (port-channel)
        p - Up in delay-lacp mode (member)
        M - Not in use. Min-links not met
--------------------------------------------------------------------------------
Group Port-       Type     Protocol  Member Ports
      Channel
--------------------------------------------------------------------------------
1     Po1(RD)     Eth      LACP      Eth1/5(I)       <========== Individual mode

N3K-1# show lacp counters interface port-channel 1
NOTE: Clear lacp counters to get accurate statistics
------------------------------------------------------------------------------
                        LACPDUs          Markers/Resp    LACPDUs
Port                 Sent     Recv       Recv   Sent     Pkts Err
------------------------------------------------------------------------------
port-channel1
Ethernet1/5          190      0          0      0        0         <========== Recv = 0
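The mac-filters table above is the key piece of evidence: the only rule that names the LACP destination MAC exactly (026 on port 03, 028 on port 05) shows no packet or byte count at all, while the generic multicast rule has matched. The following Python is an added example, not code from the page or from Cisco: it parses rows in the format of that output (the port 03 rows are copied from the table above, with the port column appearing only on the first row of each port block), lists every rule whose MAC/mask pair covers a given destination MAC in table order, and returns the hit count on the exact-match rule for 01:80:C2:00:00:02. It does not model the switch's own rule precedence; it only narrows down which rules a frame could have hit and whether the LACP rule ever counted anything.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Rows copied from the port 03 section of the 'show portmanager switch mac-filters' output above.
# The packet/byte columns are present only on rules that have matched traffic.
MAC_FILTER_OUTPUT = """\
port ix  MAC               mask              action   packets  bytes
03 003 00:00:00:00:00:00 01:00:00:00:00:00 FORWARD
00f 01:00:00:00:00:00 01:00:00:00:00:00 FORWARD 65 10030
021 10:B3:D5:BB:0F:06 FF:FF:FF:FF:FF:FF FORWARD
026 01:80:C2:00:00:02 FF:FF:FF:FF:FF:FF FORWARD
034 10:B3:D5:BB:0F:26 FF:FF:FF:FF:FF:FF FORWARD
035 FF:FF:FF:FF:FF:FF FF:FF:FF:FF:FF:FF FORWARD
3eb 00:00:00:00:00:00 01:00:00:00:00:00 DROP
3f7 01:00:00:00:00:00 01:00:00:00:00:00 DROP
"""

SLOW_PROTOCOLS_MAC = "01:80:C2:00:00:02"  # destination MAC of every LACPDU
MAC = r"(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}"
# The port column (two decimal digits) is optional; the rule index is three hex digits.
ROW = re.compile(
    rf"^(?:(?P<port>\d{{2}})\s+)?(?P<ix>[0-9a-f]{{3}})\s+(?P<mac>{MAC})\s+(?P<mask>{MAC})"
    r"\s+(?P<action>FORWARD|DROP)(?:\s+(?P<packets>\d+)\s+(?P<octets>\d+))?\s*$"
)


@dataclass
class MacFilterRule:
    port: str
    ix: str
    mac: int
    mask: int
    action: str
    packets: int
    octets: int


def mac_to_int(mac: str) -> int:
    return int(mac.replace(":", ""), 16)


def parse_mac_filters(text: str) -> List[MacFilterRule]:
    """Parse the table; rows without a port column inherit the port of the preceding row."""
    rules: List[MacFilterRule] = []
    port = "?"
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue  # header, separator or '...' line
        port = m["port"] or port
        rules.append(MacFilterRule(port, m["ix"], mac_to_int(m["mac"]), mac_to_int(m["mask"]),
                                   m["action"], int(m["packets"] or 0), int(m["octets"] or 0)))
    return rules


def matching_rules(rules: List[MacFilterRule], dst_mac: str) -> List[MacFilterRule]:
    """Rules whose MAC/mask pair covers dst_mac, in table order (switch precedence is not modelled)."""
    dst = mac_to_int(dst_mac)
    return [r for r in rules if (dst & r.mask) == (r.mac & r.mask)]


def lacp_rule_hits(rules: List[MacFilterRule]) -> Optional[int]:
    """Packet count on the exact-match rule for the Slow Protocols MAC; None if no such rule exists."""
    full_mask = mac_to_int("FF:FF:FF:FF:FF:FF")
    for r in rules:
        if r.mac == mac_to_int(SLOW_PROTOCOLS_MAC) and r.mask == full_mask:
            return r.packets
    return None


if __name__ == "__main__":
    rules = parse_mac_filters(MAC_FILTER_OUTPUT)
    for r in matching_rules(rules, SLOW_PROTOCOLS_MAC):
        print(f"port {r.port} rule {r.ix} {r.action:7} packets={r.packets}")
    print("LACP exact-match rule hits:", lacp_rule_hits(rules))
```

Run against the port 05 rows the same way; a reader checking a device should expect the same picture the page shows, an LACP rule present with FORWARD action and no hits, as long as LACPDUs are the only traffic.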
Firepower 1100 Series with FTD and inline sets.
Use port-channel On mode.