ASA interrupts the DHCP service

Unanswered Question
Jan 4th, 2008

A consultant set up a PIX 515E for one of our clients. The PIX connects to a Cisco 3548 XL switch and works fine. The client just bought another ASA 5510 and they connected it to a 3560G. It seemed OK at the beginning, but the next day, some computers that needed to renew their IP addresses could not receive an IP from the DHCP. Other computers that did not renew their IP work as normal.

Since they could not reach the Cisco consultant, they called me for help (I set up Windows Server for them). I asked them to disconnect the ASA from the switch, and those computers work now. The following are the settings on the two ports the PIX and ASA connect to.

PIX to 3548:

interface FastEthernet0/8
 switchport trunk encapsulation dot1q
 switchport mode trunk

ASA to 3560G:

interface GigabitEthernet0/48

Can I assume the problem is that the ASA connects to a 1GB port? If yes, they should configure the speed to 100MB on the 3560G or connect the ASA to the 3548. Can someone confirm that? Thanks.

JORGE RODRIGUEZ Fri, 01/04/2008 - 13:42

Bob, it would be nice to get a bit more information on what the purpose of the ASA installed in the 3548g switch is and how it is configured. From your description it seems the ASA was just plugged into the switch when opened from the box, using default factory settings, which have a short DHCP-enabled address pool on the 192.168.1.0/24 network on the inside interface; perhaps the client's internal network also has this same IP scheme.

In any case, to answer your question, the ASA FE ports can do up to 100MB, not GIG, but they do have the capability to autosense, and if the gig port is auto on the 3560g switch the interfaces will come up.

You may hardcode speed and duplex in ASA as:

interface ethernet0/2
 speed 100
 duplex full

Rgds

Jorge

chicagotech Fri, 01/04/2008 - 14:50

Hi Jorge,

Thank you for the reply.

1. They will use ASA for VPN server.

2. I don't think the DHCP on the ASA is enabled. You may double check the configuration here: http://www.howtocisco.com/cisco/samples/5510config1.htm

3. Should we hardcode the speed and duplex you mentioned on the ASA only? Or should we do it on both the switch and the ASA?

4. If we connect the ASA to the 3548 switch, which is 100MB speed, do we need to configure the speed and duplex?

JORGE RODRIGUEZ Fri, 01/04/2008 - 16:58

You can configure the speed and duplex either way, hardcoded or auto/auto. As long as both ends are consistent with one another in their transmission settings, the ASA and switch connection will co-exist happily. I have PIXes in auto/auto without issues and ASAs with hardcoded settings; I believe more in hardcoding settings at both ends, ASA and switch. It is when you start seeing errors on interfaces that you would want to hardcode duplex and speed at both ends to be safe. You could check interface stats at either end with the show interfaces command on the ASA side and show interface gigabitethernet0/48 on the switch, and note traffic statistics such as CRC, runts, etc. at both ends. You may also use "clear counters" on the ASA and switch to clear old stats records from the interfaces.

Rgds

Jorge
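As an added example (not part of the thread, and not output from the devices discussed), the both-ends comparison described in the post above can be scripted: this Python code parses constructed "show interface"-style excerpts from each side of a link and reports a duplex or speed disagreement plus nonzero CRC, runt and late-collision counters. The sample text and the function names parse and diagnose are assumptions made for illustration.

```python
import re

# Constructed excerpts in the style of "show interface" output, one per end of
# the link. They are sample data, not taken from the devices in this thread.
SWITCH_END = """\
GigabitEthernet0/48 is up, line protocol is up (connected)
  Full-duplex, 100Mb/s, media type is 10/100/1000BaseTX
     251 runts, 0 giants, 0 throttles
     398 input errors, 398 CRC, 0 frame, 0 overrun, 0 ignored
     0 output errors, 0 collisions, 1 interface resets
     0 babbles, 0 late collision, 0 deferred
"""
FIREWALL_END = """\
Interface Ethernet0/2 "inside", is up, line protocol is up
  Auto-Duplex(Half-duplex), Auto-Speed(100 Mbps)
     Received 1204 broadcasts, 0 runts, 0 giants
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
     0 output errors, 2210 collisions, 0 interface resets
     187 late collisions, 95 deferred
"""

COUNTER_RE = re.compile(r"(\d+) (runts|crc|late collisions?|collisions)", re.I)


def parse(text):
    """Extract negotiated duplex, speed in Mb/s and selected error counters."""
    duplex = re.search(r"(full|half)-duplex", text, re.I).group(1).lower()
    speed = int(re.search(r"(\d+)\s*Mb", text).group(1))
    counters = {name.lower().rstrip("s"): int(n) for n, name in COUNTER_RE.findall(text)}
    return {"duplex": duplex, "speed": speed, "counters": counters}


def diagnose(end_a, end_b):
    """Compare both ends of one link and list what disagrees or is erroring."""
    a, b = parse(end_a), parse(end_b)
    findings = []
    if a["duplex"] != b["duplex"]:
        findings.append(f"duplex mismatch: {a['duplex']} vs {b['duplex']}")
    if a["speed"] != b["speed"]:
        findings.append(f"speed mismatch: {a['speed']} vs {b['speed']}")
    for label, end in (("A", a), ("B", b)):
        for name in ("crc", "runt", "late collision"):
            if end["counters"].get(name, 0) > 0:
                findings.append(f"end {label}: {name} = {end['counters'][name]}")
    return findings


if __name__ == "__main__":
    print("\n".join(diagnose(SWITCH_END, FIREWALL_END)))
```

Clear the counters on both devices before collecting the excerpts, so that nonzero values reflect the current settings rather than old records.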

chicagotech Fri, 01/04/2008 - 17:26

Will try that sometime next when no one uses the system. Will post back with the result. Thank you.

chicagotech Mon, 01/07/2008 - 13:46

Hi Jorge,

I re-configured both ports to duplex full and speed 100MB. It seems to work. I have disconnected the connection for now, worried about any issues like last time. I will do more tests tomorrow. Which command should I use to troubleshoot if we have the same issues after re-connecting the ASA to the switch?

Thank you.
