Cisco ASA, Subinterfaces and Switch Issues - Incomplete arp cache.

marcosgeorgopoulos · ‎05-09-2010

Hi,

I have an ASA 5510 with an interface configured with a subinterface (vlan 10) and at the moment the physical interface is still aloowed to pass untagged traffic.

interface Ethernet0/2
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/2.10
mac-address 0026.0b31.1249
vlan 10
nameif int-VLAN10
security-level 90
ip address 192.168.10.1 255.255.255.0
!

both interfaces are up and up

Ethernet0/2 192.168.1.1 YES manual up up
Ethernet0/2.10 192.168.10.1 YES manual up up

I have a cisco 2960 plugged directly into the firewall ( into Ethernet0/2)

from the switch I can ping 192.168.1.1 but I cannot ping 192.168.10.1.

If I look at the ARP table on the switch I get the following

sw01#ping 192.168.10.1

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.1, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

sw01#show arp
Protocol Address          Age (min) Hardware Addr   Type   Interface
Internet 192.168.1.105           1   0050.56a8.2d2d ARPA   Vlan1
Internet 192.168.1.99            1   0026.98f6.24c0 ARPA   Vlan1
Internet 192.168.1.98            -   001f.26fa.f240 ARPA   Vlan1
Internet 192.168.10.2            -   001f.26fa.f241 ARPA   Vlan10
Internet 192.168.10.1            0   Incomplete      ARPA
Internet 192.168.10.10          13   0050.56a8.0004 ARPA   Vlan10
Internet 192.168.1.1            13   0026.0b31.1248 ARPA   Vlan1
sw01#

So as you can see it is listed as "Incomplete".

Now originally I thought the problem was the fact that the subinterface and the physical interface has the same MAC. So I changed the MAC on the subinterface...but same problem.

Here is some of my switch config below;

sw01#show vlan brief

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi0/1, Gi0/2, Gi0/17, Gi0/18, Gi0/20, Gi0/21, Gi0/22
10   VLAN0010                         active

I am trunking all VLANs accross all ports ( for testing purposes only)

sw01#show int trunk

Port        Mode             Encapsulation Status        Native vlan
Gi0/3       on               802.1q         trunking      1
Gi0/4       on               802.1q         trunking      1
Gi0/5       on               802.1q         trunking      1
Gi0/6       on               802.1q         trunking      1
Gi0/7       on               802.1q         trunking      1
Gi0/8       on               802.1q         trunking      1
Gi0/9       on               802.1q         trunking      1
Gi0/10      on               802.1q         trunking      1
Gi0/11      on               802.1q         trunking      1
Gi0/12      on               802.1q         trunking      1
Gi0/13      on               802.1q         trunking      1
Gi0/14      on               802.1q         trunking      1
Gi0/15      on               802.1q         trunking      1
Gi0/16      on               802.1q         trunking      1
Gi0/19      on               802.1q         trunking      1
Po1         on               802.1q         trunking      1

Port        Vlans allowed on trunk
Gi0/3       1-4094
Gi0/4       1-4094
Gi0/5       1-4094
Gi0/6       1-4094
Gi0/7       1-4094
Gi0/8       1-4094
Gi0/9       1-4094
Gi0/10      1-4094
Gi0/11      1-4094
Gi0/12      1-4094
Gi0/13      1-4094
Gi0/14      1-4094
Gi0/15      1-4094
Gi0/16      1-4094
Gi0/19      1-4094
Po1         1-4094

Port        Vlans allowed and active in management domain
Gi0/3       1,10-20
Gi0/4       1,10-20
Gi0/5       1,10-20
Gi0/6       1,10-20
Gi0/7       1,10-20
Gi0/8       1,10-20
Gi0/9       1,10-20
Gi0/10      1,10-20
Gi0/11      1,10-20
Gi0/12      1,10-20

Any help is very much appreciated.

cheers.

andrew.prince · ‎05-10-2010

You should create a SVI on the switch in VLAN10, for intervlan routing the switch needs to have interfaces in the repective VLANS.

HTH>

marcosgeorgopoulos · ‎05-10-2010

Hi Andrew,

Many thanks for your reply.

I'm not much of a switch person, could you please elaborate?

My plan was to control inter-vlan routing with my firewall. I do not wish to do it on my switch.

I will be creating multiple VLAN's on my switch aswell. Why do I need to create an SVI so my vlan traffic can reach the firewall?

Many thanks.

andrew.prince · ‎05-10-2010

Currently the server you are trying to connect is connected to the switch. The switchport interface is a trunk interface, when the server responds to the ping AS the switch port is a trunk port, the server CANNOT append a 802.1q tag into the frame. The switch will assume the frame is for vlan 1 - the native untagged vlan. VLAN 1 is 192.168.1.x the server is on 192.168.10.x in VLAN 10, this will not work.

If you do not want to use the switch for inter-vlan routing, remove ALL SVI's from the switch.

Ensure you have correctly specified the "Native" VLAN on the switch trunk interface connected to the ASA

Ensure your workstations & server switch ports are NOT trunk ports, and are in the correct VLAN's.

HTH>

Peter Paluch · ‎05-10-2010

Hello Andrew,

I believe that original author was asking about a slightly different issue. He has a trunk port on the switch connected to an ASA box. The interface on the ASA is configured both for the native VLAN 1 and for the VLAN 10 with a subinterface. On the switch, both SVIs for VLAN 1 and VLAN 10 are configured. Now, the switch is able to ping the ASA physical interface in VLAN 1 but it is unable to ping ASA subinterface in VLAN 10. He indicated that the ASA does not even appear to respond to ARP requests on VLAN 10 though it definitely should.

Marcos, can you verify that the VLAN 10 interface is up/up? Also, can you try to shutdown the VLAN 1 interface for a while and ping the ASA again? Note that shutting down the VLAN 1 interface may disable the IP connectivity to the switch until the SVI is reactivated.

Best regards,

Peter

marcosgeorgopoulos · ‎05-10-2010

Hi Guys,

Firstly, thank you both for your replies.

My server that is connected to the switch is an ESX Host. So I will have traffic from multiple VLAN's and untagged traffic(possibly) going through that port.

This is why it is trunked.

I can confirm that VLAN 10 is up and up on both the switch and the firewall.

At the moment I am accessing the devices remotely, so I am unable to shutdown VLAN1 because I'll lose access and not be able to ping.

I am going to head into the Datacenter where the lab equipment is tomorow and try what has been suggested.

However can you see anything incorrect from the switch configuration that could be causing this issue?

I am able to ping the VLAN 10 interface ( 192.168.10.2/24) from the VM on the ESX host. I just can't see past the switch. And as mentioned pinging form the switch to the Firewall subinterface (192.168.10.1) fails and I'm seeing Incomplete in the arp table.

cheers.

marcosgeorgopoulos · ‎05-11-2010

Hi Guys,

Good news ( well kind of ).

I removed the FW config from the inside interface completely and rebuilt it and as a result things are now working.

So whilst the result is good. I wish I knew the original cause.

Many thanks for your time.

cheers.

Android4255 · ‎01-20-2015

If you use nameif on the physical interface then you have to assign the interface to the native Vlan of your uplink.