Unable to communicate with the sub-interface created on PIX 525

knavuda
Level 1

Hi All, We have a PIX 525 running the 7.2(2) image with 4 physical interfaces and a UR license. On one of the interfaces we have already created 4 sub-interfaces, each assigned to a different vlan. This has been working fine. We created an additional sub-interface. Initially we were unable to communicate with the additional sub-interface while the other interfaces were working fine. We were not able to even ping the ip address that was assigned to the sub-interface. Show interface command output would show that it is transmitting.

While this was the situation, the problem started affecting already working sub-interfaces also. We lost connectivity to 2 of the working sub-interfaces.

After rebooting the FW, all seemed to be working fine for 5 minutes (including the newly created sub-interface), but one of the already working sub-interfaces stopped responding after 5 - 10 mins. We observed that the newly created sub-interface was still working fine.

We removed the newly created sub-interface from the configuration and rebooted the FW again and found that it is working fine. So the problem looked to be with the newly created sub-interface.

As per the documentation, a PIX 525 with UR can support up to 100 Vlans.

Are there any limitations on the number of vlans per physical interface? If yes, what is the maximum no. of vlans allowed / recommended?

Regards..

Krishnamurthi Navuda.

4 Replies

JORGE RODRIGUEZ
Level 10

Hi, first time I see this problem posted. I'm not aware of vlan limitations per interface; if you read 100 VLANs, you can have sub-interface combinations between physical interfaces as long as you don't exceed 100 vlans. That is how I understand it, unless it is different, in which case someone can correct me.

Can you post the pix config, stripping out public IPs, and if you could, post the trunk port configuration from the switch end too.

Rgds

Jorge

Jorge Rodriguez

Hi, here are the configurations of the PIX and switch...

PIX Config:-
---------------------
!
interface Ethernet3
 no nameif
 no security-level
 no ip address
!
interface Ethernet3.1
 vlan 225
 nameif xxx
 security-level 30
 ip address x.x.x.x
!
interface Ethernet3.2
 vlan 205
 nameif xxx
 security-level 40
 ip address x.x.x.x
!
interface Ethernet3.3
 vlan 207
 nameif xxx
 security-level 35
 ip address x.x.x.x
!
interface Ethernet3.5
 vlan 204
 nameif xxx
 security-level 60
 ip address x.x.x.x
!

Switch Config:-
-----------------
interface FastEthernet0/14
 switchport mode trunk
!

Regards...

Krishnamurthi Navuda.

Have you tried making the switchport trunk more specific in passing vlans? I suspect that because your trunk port is passing all vlans your sub-interfaces have many VLAN ID errors; for the sake of troubleshooting I would recommend making the switchport 0/14 trunk more specific.

As said before, first time I see this; I suspect there must be a config discrepancy somewhere. Don't know whether making a cleaner trunk config may resolve the problem, but you could at least rule out the layer 2 config.

Create your new vlan in the switch and be more specific in the allowed vlans, then make your new sub-interface in the pix. Once you have all of them created, ping each sub-interface from the pix command line.

On switch:

interface fastethernet0/14
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 204,205,207,225,xxx

where xxx is the new vlan you have created in the switch and the PIX.

Rgds

Jorge

Jorge Rodriguez
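A defender-side consistency check for the setup discussed in this thread, added here as an example and not code from the thread or from Cisco: it parses a PIX-style sub-interface list and a switch trunk's allowed-VLAN statement (constructed samples modelled on the posted configs; a trunk with no allowed-vlan statement is treated as carrying all VLANs, as in the original switch config), then reports sub-interface VLANs the trunk does not carry, trunk VLANs no sub-interface uses, and a count above the 100-VLAN license figure the poster quotes.

```python
import re

# Constructed sample input modelled on the configs posted in this thread.
PIX_CONFIG = """\
interface Ethernet3.1
 vlan 225
interface Ethernet3.2
 vlan 205
interface Ethernet3.5
 vlan 204
"""
SWITCH_CONFIG = """\
interface FastEthernet0/14
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 204,207,225
"""

def pix_subinterface_vlans(config):
    """Map each PIX sub-interface (EthernetN.M) to the 802.1Q VLAN it tags."""
    vlans, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^interface (\S+)", line)
        if m:  # only sub-interfaces (name with a dot) carry a vlan statement
            current = m.group(1) if "." in m.group(1) else None
        elif current and (m := re.match(r"^\s*vlan (\d+)", line)):
            vlans[current] = int(m.group(1))
    return vlans

def trunk_allowed_vlans(config):
    """Expand 'switchport trunk allowed vlan' (commas and ranges). No such
    statement, or 'all', means the trunk carries every VLAN 1-4094."""
    m = re.search(r"switchport trunk allowed vlan (\S+)", config)
    if not m or m.group(1) == "all":
        return set(range(1, 4095))
    allowed = set()
    for part in m.group(1).split(","):
        lo, _, hi = part.partition("-")
        allowed.update(range(int(lo), int(hi or lo) + 1))
    return allowed

def audit(pix, switch, license_limit=100):
    """Cross-check PIX sub-interfaces against the switch trunk and license."""
    sub, allowed, findings = pix_subinterface_vlans(pix), trunk_allowed_vlans(switch), []
    for name, vid in sorted(sub.items()):
        if vid not in allowed:
            findings.append(f"{name}: vlan {vid} is not allowed on the trunk")
    if len(sub) > license_limit:
        findings.append(f"{len(sub)} vlans exceed the license limit of {license_limit}")
    unused = allowed - set(sub.values())
    if unused:  # an unpruned trunk delivers frames the PIX has no sub-interface for
        findings.append(f"trunk carries {len(unused)} vlan(s) with no PIX sub-interface")
    return findings
```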

Will try this and update.

Regards..

Krishnamurthi Navuda.
