ASA port-channel command on IOS v. 9.0(4)

Similar Messages

• ASA5550 port channel configuration ERROR: nameif not allowed on empty etherchannel interface

  Hi All,
  I am having problem when configure port channel on asa5550 
  IOS ver asa914-k8.bin also in ver 9.02   and 8.47.
  Please let me know how can I solve this problem.
  UK-LON-FW(config)# int port-channel 3
  UK-LON-FW(config-if)# vlan 245
                         ^
  ERROR: % Invalid input detected at '^' marker.
  UK-LON-FW(config-if)# nameif secure
  ERROR: nameif not allowed on empty etherchannel interface.
  UK-LON-FW(config-if)#
  here is my interfaces configuration:
  interface GigabitEthernet0/0
  description fw1:G0/0 to uk-lon-gw1:e1/8 fw2:G0/0 to uk-lon-gw2:e1/9 outside zone
  channel-group 1 mode on
  no nameif
  no security-level
  no ip address
  interface GigabitEthernet0/1
  description fw1:G0/1 to uk-lon-gw2:e1/8 fw2:G0/1 to uk-lon-gw1:e1/9 outside zone
  channel-group 1 mode on
  no nameif
  no security-level
  no ip address
  interface GigabitEthernet0/2
  description fw1:G0/2 to uk-lon-sw1a:1 fw2:G0/2 to uk-lon-sw1a:2 dmz
  channel-group 2 mode on
  no nameif
  no security-level
  no ip address
  interface GigabitEthernet0/3
  description fw1:G0/3 to uk-lon-sw1b: fw2:G0/3 to uk-lon-sw1b:2 dmz
  channel-group 2 mode on
  no nameif   
  no security-level
  no ip address
  interface Management0/0
  management-only
  nameif management
  security-level 0
  ip address 10.10.51.18 255.255.254.0
  interface GigabitEthernet1/0
  description fw1:G1/0 to uk-lon-sw1a:3 fw2:G1/0 to uk-lon-sw1a:4 secure zone
  no nameif
  no security-level
  no ip address
  interface GigabitEthernet1/1
  description fw1:G1/1 to uk-lon-sw1b:3 fw2:G1/1 to uk-lon-sw1b:4 secure zone
  no nameif
  no security-level
  no ip address
  interface GigabitEthernet1/2
  description LAN Failover Interface
  no nameif   
  no security-level
  no ip address
  interface GigabitEthernet1/3
  description STATE Failover Interface
  no nameif
  no security-level
  no ip address
  interface Port-channel1
  description outside zone
  no nameif
  no security-level
  no ip address
  interface Port-channel1.5
  description outside zone Bundle FW:G0/0-G0/1 connect to GW1:e1/8-GW2:e1/8
  vlan 5
  nameif outside
  security-level 0
  ip address 216.239.105.5 255.255.255.128 standby 216.239.105.6
  interface Port-channel2
  description dmz Bunlde uk-lon-fw:G0/2-3 to sw1a:1-2 sw1b:1-2
  no nameif
  no security-level
  no ip address
  interface Port-channel2.105
  description dmz
  vlan 105
  nameif dmz
  security-level 50
  ip address 216.239.105.193 255.255.255.192 standby 216.239.105.194
  interface Port-channel3
  description secure zone Bunlde uk-lon-fw:G1/0-1 to sw1a:3-3 sw1b:3-4
  no nameif
  security-level 100
  ip address 10.254.105.1 255.255.255.0 standby 10.254.105.2
  UK-LON-FW(config-if)# 

  Hi Marvin,
  Thank you for your answer.  I did everything but it did not work. Turn out it is a bug ver 8.45 will let you created the sub logical interface but actually it did not work right.  Verson 9.x  doesn't let you create more than 2 port channel (limitation of ASA5550 hardware).
  https://tools.cisco.com/bugsearch/bug/CSCtq62715/?reffering_site=dumpcr 
  Also, you can see the 8.4 release notes were you can see that it is not supported:
  http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/release/notes/asarn84.html#pgfId-522232
  Interface Features
  EtherChannel support (ASA 5510 and higher)
  You can configure up to 48 802.3ad EtherChannels of eight active interfaces each.
  Note You cannot use interfaces on the 4GE SSM, including the integrated 4GE SSM in slot 1 on the ASA 5550, as part of an EtherChannel.
  We introduced the following commands: channel-group , lacp port-priority , interface port-channel , lacp max-bundle , port-channel min-bundle , port-channel load-balance , lacp system-priority , clear lacp counters , show lacp , show port-channel .

• Port channel issue in ASA

  We have two Cisco ASA 55XX Firewalls and both are in HA (Active/Standy). Two ports from each Firewall is connecting two ports of Nexus 5K Switch and running port channel between Firewall & Nexus Switch and port-channel is UP. And Switches having back to back connection with allowed all VLAN trunk port.
  FW01 ----------------- SW01 (Two ports with Port channel)
  FW02 ----------------- SW02 (Two ports with Port channel)
  I have VLAN 10 with IP Subnet 10.10.10.0/28
  SW01 : 10.10.10.2
  SW02 : 10.10.10.3
  HSRP IP : 10.10.10.1
  FWs :  10.10.10.4 & 10.10.10.5
  Firewall Default Gateway : 10.10.10.1
  Problem : I am not able Ping Firewall IPs from Nexus Switches. When I checked ARP table in Nexus Switch; I have observed that Firealls two IPs having same MAC address; when I checked that MAC address in the Firewall; that MAC address is Port channel interface MAC address.
  This is issue (two IPs learing same MAC address) from ASA.
  How to fix this issue ?
  Thanks
  Venkat

  Hi,
  What version of IOS are you running on the ASAs?
  see table-12-3 in this link:
  http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/interface_start.html
  Also, since the 4500x are in VSS mode, you need to bundle one link from each switch and use LACP.
  HTH

• Disappointed: ASA 8.4 Redundant using Port-channels

  So I finally got all our ASAs upgrade to version 8.4 and was all sorts of excited to configure port-channels to our 6500 + SUP7203B switches.  I was severally disappointed to discover that I cannot configure two port-channels and have them be members of a redundant interface pair.  It would seem like a logical topology.
  Port-channel1 = Gig0/0 & Gig0/1
  Port-channel2 = Gig0/2 & Gig0/3
  Redundant1 = Port-channel1 & Port-channel2
  Port-channel1 would connect to the primary 6500
  Port-channel2 would connect to the backup 6500
  What would it take to make this work?  Am I going to have to wait for 8.5?  Will we finally get BGP then too? (Had to get that in there)
  http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/interface_start.html#wp1329357
  EtherChannel Guidelines
  •You can configure up to 48 EtherChannels.
  •Each channel group can have eight active interfaces. Note that you can assign up to 16 interfaces to a channel group. While only eight interfaces can be active, the remaining interfaces can act as standby links in case of interface failure.
  •All interfaces in the channel group must be the same type and speed. The first interface added to the channel group determines the correct type and speed.
  •The device to which you connect the ASA 5500 EtherChannel must also support 802.3ad EtherChannels; for example, you can connect to the Catalyst 6500 switch.
  •All ASA configuration refers to the logical EtherChannel interface instead of the member physical interfaces.
  •You cannot use a redundant interface as part of an EtherChannel, nor can you use an EtherChannel as part of a redundant interface. You cannot use the same physical interfaces in a redundant interface and an EtherChannel interface. You can, however, configure both types on the ASA if they do not use the same physical interfaces.

  Hello Yaplej,
  Agree with you but unfortunetly this is not supported yet,
  We migh need to wait some time before this desing can be accomplish,
  Regards,
  If you do not have any other question please mark the question as answered

• ASA 5585 port-channels

  I want to create a port-channel with 2 10Gbs interfaces on 2 ASA 5585 firewalls, and set them up in a failover pair.
  In order to do this, do I simply put two 10Gbs interfaces into a channel and then configure the IP addressing and failover address on the logical port-channel interface? (aka interface po1).
  Any limitations with this?

  Yes, that is exactly what you do..
  Create portchannel on switch and ASA
  Trunk the vlan on switch side
  Create logical interfaces on ASA

• ASA EIGRP Port Channel Bug?

  Hi All
  I have EIGRP configured on an ASA5512-X code version 9.1(4). When I do a "show eigrp interfaces" the Port Channel linking to the adjacent router is not listed. It is not a passive interface (even did a "no passive-interface outside" to double check). Other interfaces are listed. Debugging EIGRP shows no hellos arriving on that interface either, even though a debug on the adjacent router confirms they are being sent. Am I missing something or is this a bug?
  Thanks for looking!
  - James

  Hello,
  It does... Thanks for the explanation
  Now if you are behind the inside interface you should be able to ping it.
  Can you share the show run icmp
  Also do the following on the ASA
  cap capin interface inside match icmp any host 172.17.120.254
  cap asp type asp-drop all circular-buffer
  Then try to ping the ASA inside interface and provide me:
  show cap capin
  show cap asp | include 172.17.120.254
  Regards,
  We are here to help, Remember to rate all the post that help ( If you do not know how to rate a post, just let me know, I will let you know how )
  Julio

• Port channel asa

  Hi!
  Is it possible to configure etherchannel on Cisco ASA 5580 (ASA5580-4GE-CU card) ?
  Thanks for your help,

  Hi , 
   Yes its supports etherchannel , traffic among your port-channel will be as below 
  http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/interface_start.html
  Table 12-2 Load Distribution per Interface 
  # of Active Interfaces
  % Distribution Per Interface
  1
  2
  3
  4
  5
  6
  7
  8
  1
  100%
  2
  50%
  50%
  3
  37.5%
  37.5%
  25%
  4
  25%
  25%
  25%
  25%
  5
  25%
  25%
  25%
  12.5%
  12.5%
  6
  25%
  25%
  12.5%
  12.5%
  12.5%
  12.5%
  7
  25%
  12.5%
  12.5%
  12.5%
  12.5%
  12.5%
  12.5%
  8
  12.5%
  12.5%
  12.5%
  12.5%
  12.5%
  12.5%
  12.5%
  12.5%
  HTH
  Sandy

• IOS to NXOS VPC PORT CHANNEL

  Hello
  I have a pair of Nexus 5K's in a VPC domain and some 2960's as VPC members, with a port channel to the domain.
  Topology is as follows:
  5K1 and 5K2 in VPC domain
  VPC from 5K1 and 5K2 to 2960
  2960 has gi0/1 and gi0/2 in 1 port channel
  gi0/1 to 5k1, gi0/2 to 5k2
  I know that what I am going to ask may be totally against the purpose of VPC, but, I am looking for a way to favour gi0/1 for traffic, rather than load balancing over gi0/1 and gi0/2. The reaon for this is that I would like to benefit from the lack of loop that VPC provides, but would also like to have a primary and secondary link as the majority of traffic should actually go via 5K1, rather than 5K2.
  Any suggestions welcome.
  Many thanks in advance
  Anthony

  Hi Anthony,
  The Cisco NX-OS software load balances traffic across all operational interfaces in a portchannel by hashing the addresses in the frame to a numerical value that selects one of the links in the channel. Port channels provide load balancing by default. Port-channel load-balancing uses MAC addresses, IP addresses, or Layer 4 port numbers to select the link. Port-channel load balancing uses either source or destination addresses or ports, or both source and destination addresses or ports.
  You can configure the load-balancing mode to apply to all port channels that are configured on the entire device or on specified modules. The per-module configuration takes precedence over the load-balancing configuration for the entire device. You can configure one load-balancing mode for the entire device, a different mode for specified
  modules, and another mode for the other specified modules. You cannot configure the load-balancing method per port channel.
  You can configure the type of load-balancing algorithm used. You can choose the load-balancing algorithm that determines which member port to select for egress traffic by looking at the fields in the frame.
  Note:  The default load-balancing mode for Layer 3 interfaces is the source and destination IP address, and the default load-balancing mode for non-IP interfaces is the source and destination MAC address.
  From the config mode you can try different load-balacing method ,
  port-channel load-balance {dest-ip-port | dest-ip-port-vlan |
  destination-ip-vlan | destination-mac | destination-port | source-dest-ip-port | source-dest-ip-port-vlan | source-dest-ip-vlan | source-dest-mac | source-dest-port | source-ip-port | source-ip-port-vlan | source-ip-vlan | source-mac | source-port} [module-number]
  To Summarize: I cannot say which port would be selected, it purely depends on type of frame you are sending with the combination of the load-balance method.
  After tweaking you can also know from the command which link the traffic is taking,
  NEXUS2-SPAN# show port-channel load-balance forwarding-path interface port-channel 71 src-ip 1.1.1.1 dst-ip 2.2.2.2 vlan 51 module 2
  Module 2: Missing params will be substituted by 0's.
  Load-balance Algorithm: src-dst ip-l4port
  RBH: 0xb0       Outgoing port id: Ethernet8/8
  we can also try tweaking the same load-balancing on the 2960 also. It purely depends on the load-balancing algorithm. Below is for 2960 Load-balancing tweaking,
  http://www.cisco.com/en/US/docs/switches/lan/catalyst2960/software/release/12.2_53_se/configuration/guide/swethchl.html
  Even after doing this i wouldnt say 100% it would select one link.
  Hope this helps!
  Thanks,
  Richard.
  *Rate if this is useful

• Pppoe over port-channels on ios xe

  has the ability to do pppoe and QinQ over port-channels been added to IOS XE? as of 2.6 it was not but I cannot find any documentation on 3.1-3.3 to say that it has or hasn't
  Does any one use a asr1000 as a BRAS and if so how do you handle redundancy in case of the loss of a primary interface handling your pppoe sessions?

  Hi Artyom,
  Try removing "ipv6 nd managed-config-flag" and see if it helps.
  Regards

• 2960x port channel bandwidth command workaround

  Folks:
  I am looking for a work around - Currently I have a four member 2960x switch stack - I have Ten 1/0/1 and Ten 3/0/1 in a port-channel; however, when I try to set the 'bandwidth' on PO1 interface to 20000000 I receive an error, which corresponds being out of range, due to the links being 10Gbps.
  Is there a work around so my PO1 interface reflects the correct bandwidth?
  Switch I am using and version of software
  Switch Ports Model              SW Version            SW Image
  *    1 52    WS-C2960X-48TD-L   15.0(2)EX5            C2960X-UNIVERSALK9-M
  Thank you
  JJ

  The tx-/rxload is probably the least of your problems. Assuming we're talking about a L2 port-channel the interface BW is base for spanning tree cost calculation. With a BW 10000000 kbit/s STP would consider the port-channel equal to a single 10GE link and could possibly decide to block your port-channel for a less favorable link.
  That being said, the port-channel is supposed to have the correct BW corresponding to the number of bundled links without any need for manual user configuration.
  I suppose it is either a software bug or there is an interface not bundled correctly. 
  Post the result of 'show etherc sum' here to check.
  Regards

• Interfaces in port-channel keep err-disabling because of keepalives

  Below is the current portchannel that I am having problems with.  The interfaces on Switch A keep going into an error disabled state because they receive their own loopback.  Cisco says to disable keepalives and that it will fix the problem, but I do not like the idea of disabling keepalives.  Has anyone found a solution other than disabling keepalives?  Notice that ios's are different, but am not convinced that this is the issue.  Also one is PoE and the other isn't.  Lastly, i found this article "Keepalives are sent on all interfaces by default in Cisco IOS Software Release 12.1EA-based software. In Cisco IOS Software Release 12.2SE-based software and later, keepalives are not sent by default on fiber and uplink interfaces".  I would think trunked interfaces in a port-channel would be uplink interfaces and if this is true, it should be sending out keepalives anyway since i am running the 12.2SE based ios.  Thanks for whatever input you may have.
  Switch A
  C3750E Boot Loader (C3750X-HBOOT-M) Version 12.2(53r)SE2, RELEASE SOFTWARE (fc1)
  System image file is "flash:/c3750e-universalk9-mz.122-55.SE3/c3750e-universalk9-mz.122-55.SE3.bin"
  cisco WS-C3750X-48P
  Port-channels in the group:
  Port-channel: Po52
  Age of the Port-channel   = 219d:04h:32m:49s
  Logical slot/port   = 10/39          Number of ports = 4
  GC                  = 0x00000000      HotStandBy port = null
  Port state          = Port-channel Ag-Inuse
  Protocol            =    -
  Port security       = Disabled
  Ports in the Port-channel:
  Index   Load   Port     EC state        No of bits
  ------+------+------+------------------+-----------
    0     00     Gi1/0/35 On                 0
    0     00     Gi1/0/36 On                 0
    0     00     Gi2/0/45 On                 0
    0     00     Gi2/0/46 On                 0
  %ETHCNTR-3-LOOP_BACK_DETECTED: Loop-back detected on GigabitEthernet1/0/35.
  %PM-4-ERR_DISABLE: loopback error detected on Gi1/0/35, putting Gi1/0/35 in err-disable state
  %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/35, changed state to down
  %LINEPROTO-5-UPDOWN: Line protocol on Interface Port-channel39, changed state to down
  %LINK-3-UPDOWN: Interface Port-channel39, changed state to down
  Switch B
  C3750E Boot Loader (C3750X-HBOOT-M) Version 12.2(53r)SE2, RELEASE SOFTWARE (fc1)
  System image file is "flash:/c3750e-universalk9-mz.122-58.SE2/c3750e-universalk9-mz.122-58.SE2.bin"
  cisco WS-C3750X-48
  Port-channels in the group:
  Port-channel: Po52
  Age of the Port-channel   = 443d:18h:43m:06s
  Logical slot/port   = 10/39          Number of ports = 4
  GC                  = 0x00000000      HotStandBy port = null
  Port state          = Port-channel Ag-Inuse
  Protocol            =    -
  Port security       = Disabled
  Ports in the Port-channel:
  Index   Load   Port     EC state        No of bits
  ------+------+------+------------------+-----------
    0     00     Gi1/0/35 On                 0
    0     00     Gi1/0/36 On                 0
    0     00     Gi1/0/45 On                 0
    0     00     Gi1/0/46 On                 0

  PER CISCO
  Symptom:
  An interface on a Catalyst switch is errordisabled after detecting a loopback.
  Mar 7 03:20:40: %ETHCNTR-3-LOOP_BACK_DETECTED: Loop-back detected on
  GigabitEthernet0/2. The port is forced to linkdown.
  Mar 7 03:20:42: %LINK-5-CHANGED: Interface GigabitEthernet0/2, changed state
  to administratively down
  Mar 7 03:20:43: %LINEPROTO-5-UPDOWN: Line protocol on Interface
  GigabitEthernet0/2, changed state to down
  Conditions:
  This might be seen on a Catalyst 2940, 2950, 2950-LRE, 2955, 2970, 3550, 3560
  or 3750 switch running 12.1EA or 12.2SE based code.
  Workaround:
  Disable keepalives by using the no keepalive interface command. This
  will prevent the port from being errdisabled, but it does not resolve the root
  cause of the problem. Please see section below for more information.
  Additional Information:
  The problem occurs because the keepalive packet is looped back to the port that
  sent the keepalive. There is a loop in the network. Although disabling the
  keepalive will prevent the interface from being errdisabled, it will not remove
  the loop.
  The problem is aggravated if there are a large number of Topology Change
  Notifications on the network. When a switch receives a BPDU with the Topology
  Change bit set, the switch will fast age the MAC Address table. When this
  happens, the number of flooded packets increases because the MAC Address table
  is empty.

• WLC LAG Mode and Port Channel

  So I was reading the controller best practices and got this:
  When you use LAG, the controller relies on the switch for the load balancing decisions on traffic that come from the network. It expects that traffic that belongs to an AP always enters on the same port. Use only ip-src or ip-src ip-dst load balancing options in the switch EtherChannel configuration. Some switch models might use unsupported load balancing mechanisms by default, so it is important to verify.
  This is how to verify the EtherChannel load balancing mechanism:
  switch#show etherchannel load-balance
  EtherChannel Load-Balancing Configuration:
  src-dst-ip
  EtherChannel Load-Balancing Addresses Used Per-Protocol:
  Non-IP: Source XOR Destination MAC address
  IPv4: Source XOR Destination IP address
  IPv6: Source XOR Destination IP address
  This is how to change the switch configuration (IOS):
  switch(config)#port-channel load-balance src-dst-ip
  Now Cisco switches by default will do src-mac.  If I make this change obviously this would be a global change.  I don't believe it should cause any performance issues but wanted to get some expert opinions on this.  Switches my controller will be connected to will also have two routers connected as well via Port Channel.
  I'm trying to understand the reasoning behind this.

  I've never seen that command cause any issues in any deployment I've worked on.
  HTH,
  Steve

• Nexus 1010v interfaces, port-channel, Catalyst 6500E VSS

  I'm installing a pair of 1010v-X appliances using flexible network option 5 on version 4.2(1)SP1(5.1).
  I have all interfaces grouped into a single port channel 6.  All interfaces uplink to a pair of Catalyst 6506Es in a VSS (Sup2T).
  My question relates to the VSS configuration.
  For example, do I set up one port-channel on the VSS and put all 12 interfaces in it? Or, do I set up two port-channels on the VSS and put the active 1010v-X in one port-channel and the standby into another port-channel?
  Do I set dot1q trunking up on the port-channel(s) on the VSS?
  Thanks.

  Hi,
  What version of IOS are you running on the ASAs?
  see table-12-3 in this link:
  http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/interface_start.html
  Also, since the 4500x are in VSS mode, you need to bundle one link from each switch and use LACP.
  HTH

• 7200/7301 MTU issue on Port-Channel

  Hi guys,
  I have an issue with MTU on port-channel :
  When I create a port-channel interface, I can set MTU to 1530 max
  When I configure an interface in this port-channel, I can set port-channel MTU to 9216 max.
  But when I reload, "mtu 9216" command is rejected and port-channel MTU is set to 1500 :
   mtu 9216
          ^
  % Invalid input detected at '^' marker.
  %Interface MTU set to channel-group MTU 1500.
  IOS version is 12.4(25g)
  Thank you so much.

  Hi guys,
  I have an issue with MTU on port-channel :
  When I create a port-channel interface, I can set MTU to 1530 max
  When I configure an interface in this port-channel, I can set port-channel MTU to 9216 max.
  But when I reload, "mtu 9216" command is rejected and port-channel MTU is set to 1500 :
   mtu 9216
          ^
  % Invalid input detected at '^' marker.
  %Interface MTU set to channel-group MTU 1500.
  IOS version is 12.4(25g)
  Thank you so much.

• MDS9513 Add ISL to Port Channel problem.

  Hi Experts,
  I have a problem when add a new ISL to an existing Port Channel config.
  The ISL port is up state and correctly configured like another ports in port channel.
  Looks bellow the error:
  MDS1300M6A# show port-channel summary
  Interface                 Total Ports        Oper Ports        First Oper Port
  port-channel 1                 4                 4                  fc12/48
  port-channel 2                 2                 2                  fc6/47
  MDS1300M6A# show port-channel database
  port-channel 1
      Administrative channel mode is active
      Operational channel mode is active
      Last membership update failed: port not compatible [Resources Unavailable]
      First operational port is fc12/48
      4 ports in total, 4 ports up
      Ports:   fc12/48  [up] *
               fc10/48  [up]
               fc11/48  [up]
               fc9/48   [up]
  Anyone seen this?
  Tks
  Wellington

  That did the trick - specifically setting the port channel to rate-mode shared.  Certainly solved the problem as far as getting all the deisred ports up in the channel, but where I still have a knowledge gap is the operational difference between dedicated and shared.  Are there any Cisco docs (beyond the command reference guide to toggle the feature) that explains why you'd choose one versus the other, and what it means from a design perspective?
  On a different note, while I'm no expert, here's some background to consider for others who may encounter the same issue (whether on UCS or a Nexus 5K).  I  (and our network team) come from an IOS background, so while the IOS "parts" of NX-OS are pretty familiar, the SAN "parts" of NX-OS are a little new.  We're also more CLI oriented, and while not impossible to configure via CLI, in our environment, the GUI for UCS seems to be more popular across the board - and we're still learning that piece as well.
  Our storage team is very familiar with SAN-OS, so they're very comfortable with the SAN "parts" of NX-OS.  But, they're very used to configuring the MDS switches via the GUI, which is what got us off track a bit.  In our scenario, creating a SAN port channel on the MDS via the GUI didn't give us the option for setting "switchport rate-mode shared"  Not saying it's not there in the GUI, but we certainly couldn't find it.
  Long story short, if the configuration of the SAN port channel on the MDS is in question, check it via the CLI and make any necessary changes there as a quick workaroud.