cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2428
Views
10
Helpful
4
Replies

Issues with ASA multiple context and shared interface

greivin.viquez
Level 1
Level 1

Hello.

I have this ASA with 2 context sharing the outside interface. No matter what I do, there is no communication on the outside interface.

The sample topology is very simple, the eth0/0 interface of the ASA is conected to VLAN4. On that VLAN4 there us only 1 router.

Here is a sample of the config:

!

!******************* ASA SYSTEM CONTEXT

!

mac-address auto

!

interface Ethernet0/0

!

interface Ethernet0/0.3

vlan 3

!

interface Ethernet0/0.4

vlan 4

!

interface Ethernet0/1

!

interface Ethernet0/2

!

interface Ethernet0/3

!

interface Management0/0

shutdown

!

admin-context admin

context admin

config-url disk0:/admin.cfg

!

context C2

allocate-interface Ethernet0/0.3-Ethernet0/0.4 visible

allocate-interface Ethernet0/2 visible

config-url disk0:/c1.cfg

!

context C2

allocate-interface Ethernet0/0.4 visible

allocate-interface Ethernet0/1 visible

config-url disk0:/c2.cfg

!

!

!******************* ASA Context "C1"

!

!

interface Ethernet0/2

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0

!

interface Ethernet0/0.3

nameif DMZ

security-level 10

ip address 192.168.2.1 255.255.255.0

!

interface Ethernet0/0.4

nameif outside

security-level 0

ip address 192.168.3.1 255.255.255.0

!

!

!******************* ASA Context "C2"

!

!

interface Ethernet0/0.4

nameif outside

security-level 0

ip address 192.168.3.2 255.255.255.0

!

interface Ethernet0/1

nameif inside

security-level 100

ip address 1921.68.4.2 255.255.255.0

!

!

!

!

!******************* SW Config.

!

!

!

hostname SW3

!

interface FastEthernet0/2

description **************************** R2 F1/1

switchport access vlan 4

switchport mode access

!

interface FastEthernet0/10

description ************************** ASA eth 0/0

switchport trunk encapsulation dot1q

switchport trunk native vlan 4

switchport trunk allowed vlan 3,4

switchport mode trunk

!

interface Vlan4

ip address 192.168.3.203 255.255.255.0

!

!

!

!

!******************* Router config Config.

!

!

!

hostname R2

!

!

interface FastEthernet1/1

no switchport

ip address 192.168.3.3 255.255.255.0

!

TROUBLESHOOTING PROCESS:

1. A ping from R2 to SW3 responded fine.

2. A ping from SW3 to R2 responded fine.

3. A ping from C1 or C2 to SW3 has no response.

4. A ping from C1 or C2 to R2 has no response.

5. A ping from Sw3 to C1 or C2 has no response.

6. A ping from R2 to C1 or C2 has no response.

7. C1 eiher C2 never get any ARP entry from Sw3 either from R2.

8. SW3 and R2 never get any ARP entry from C1 either C2. By aware ASA interfaces has unique MAC address.

9. I found the bug "CSCsf10248" but it was fixed on 7(2)2. ASA is running 7(2)2.

10. I type in the ARP entry of the ASA-C1-Outside interface on the SW3 but nothing.

11. I?ve tried this on diferents LABS with diferent devices same OS but nothing.

12. I enabled "DEBUG ARP" on ASA, SW3 and R2 to find out. What I found is when I type in the C1-OUTSIDE ip address the ASA broadcast such information into VLAN4. SW3 and R2 get the info but never add it into the ARP Table. Then when there is a ping from ASA-C1 to R2, the "arp-request" get broadcast, R2 reply the packet BUT SW3 does not send it to ASA-C1.

13. VTP is enabled and SYN. Be aware R2 and ASA are on the same SW3.

14. If I allocate the ETHERNET0/0 to C1 and use it as outside interface (without sharing it) without changing anything else on SW3 and R2, there is perfect comunication.

15. I changed the R2 port to "TRUNK" but nothing.

16. I took out the VLAN Filter of the ASA-Eth0 port permiting all the VLAN but nothing.

I enabled "DEBUG ARP" on ASA, SW3 and R2 to find out. The attach file has more detail information.

I appreciate any Hint/help/advice.

4 Replies 4

whisperwind
Level 1
Level 1

I see that your ASA has a single outside interface (e0/0) that you have correctly designated sub interfaces on( e0/0.3 and .3) upon which you have assigned them to vlans and you state the ASA interface is connected to the router fa1/1

I would recommend changing the router interface to reflect the sub interfaces / vlans you hvae configured on the asa.

You see the asa is talking dot1q now out that interface and the router is not, the router according to your config is just talking ethernet with no vlans.

This link and the diagram show you visually what I am saying

http://cisco.com/en/US/partner/products/hw/vpndevc/ps2030/products_configuration_example09186a00808d2b63.shtml

greivin.viquez
Level 1
Level 1

JUST TO DOCUMENT THIS CONVERSATION FOR OTHERS OUT THERE:

I found the problem.... AN ASA BUG. The issue was not with the multiple context shared interface BUT with the "vlan" configuration and "switching trunk native vlan id" been the same.

I found the bug id "CSCsj96350". The bug is for ASA5505 however I followed the workwaround... and it worked for my 5510. So If the switch port where the ASA is connected, has the same "trunk native vlan id" as the "vlan id" of the ASA, the ASA WILL NOT TAG them....having no communication on such network.

I tested on 7.2(2) but nothing else.

Regards,

greivin

well done on your find and thanks for the update.

Franco

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: