Hi!
I am having trouble creating a LAG on an MS225 switch and having it work with a Cisco Firepower 1140 firewall that has a port channel configured with sub-interfaces. I can create the LAG on the switch, and port channel on the firewall, but the two do not seem to work with each other when I create a sub-interface on the firewalls port channel with an IP and VLAN defined; there is no connectivity essentially.
The only way it works if I forgo creating a sub-interface on the firewalls port-channel and just configure an IP address on the port-channel itself on the firewall. This is how it's currently set up and this works, but not how I want it as I need to have those sub-interfaces to cater for various networks.
Here's an image of the current configuration - port-channel1 works fine as the IP address is defined on the channel itself and is on the default VLAN (1). If I were to remove the IP from the port-channel itself and add a sub-interface to it and configure that with an IP and the relevant VLAN that's where I run into the issue of no connectivity. Port-channel2 in the image is one I've set up for testing, and is essentially what port-channel1 looked like when I ran into this issue.
LACP mode on the firewall for the port-channel is configurable and is either "active" or "on". For both you can specify an active MAC address and standby MAC address. There are no other LACP-specific configuration options. I noticed on the switch there's no such variable you can configure beyond adding X number of ports to a LAG.
LACP mode on the firewalls port-channel is currently set to "Active" and this is the case for the currently working condition and the preferred but not working condition.
Other than the configurable options for LACP on the port-channel of the firewall, am I missing anything obvious? Lack of configurable options on the switch only really gives me the limited LACP settings on the firewall to consider. Not sure what else I can consider.
If it helps - the LAG on the switch (it's a stack of MS225's, 2 of them) is spread across the stack. 1 LAG of 2 ports (39 on each switch) go to one firewall, and 1 LAG of 2 ports (40 on each switch) go to the other firewall (HA pair of FPR 1140's)