Hi all!

I have an ASA 5510 (routed mode) which I am trying to use to route traffic between VLANs on the Management Interface.

Currently:

Eth 0/0 - Outside seclevel 0 publicly addressed IP

Eth 0/1 - Inside seclevel 100 trunk to stack of Cat3560 switches all internally addressed

Eth 0/2 - DMZ seclevel 20 internally addressed single network

Eth 0/3 - Failover

Management 0/0 - No longer Management only and supports two subinterfaces.

Management 0/0.1 - VLANid 1: 10.1.1.0/24, IP 10.1.1.1/24

Management 0/0.2 - VLANid 130: 10.1.130/24, IP 10.1.130.1/24

Can't spring for another 3560 so I'm stuck using an HP Procurve 4000M.

The 4000M is connected via port A1 to the Management physical interface of the ASA.

VLANs defined on the 4000M are:

VLAN 1: Mgmt IP Address 10.1.1.2/24 GW: 10.1.1.1

VLAN 130: Mgmt IP Address 10.1.130.2/24 GW: 10.1.130.1

Port A1 is set to VLAN1 in TAGGED mode (802.1Q)

Port A1 is set to VLAN130 in TAGGED mode (802.1Q)

Port A2 is set to VLAN1 in un-tagged mode and hosts a client at 10.1.1.5/24 GW: 10.1.1.1

Port A3 is set to VLAN130 in un-tagged mode and hosts a client at 10.1.130.5/24 GW 10.1.130.1

ACL for each Man0/0.1 & .2:

Permit IP any any

No NAT on Man0/0 or sub-ints

VLAN1 - client can ping switch mgmt ip (10.1.1.2) and ASA Man0/0.1 but when pinging anything in VLAN130 ASA logs event "no route from to 10.1.1.5 from 10.1.130.1".

Both routes show up as "C"onnected in the sh route command, how is it possible the ASA doesn't have a route back?

VLAN130 - client can ping switch mgmt ip (10.1.130.2) BUT NOT ASA Man0/0.2 and not anything on VLAN1, no logs show.

My guess is a disconnect on the 802.1Q for VLAN130, but that doesn't explain the no route error when pinging from VLAN1 (the native VLAN of the switch).

The ASA is in production, but the 4000M is not so when I get a chance to anonymize my configs I'll attach them (probably Monday).

Any ideas?