asa 5520 sub interface issue

Unanswered Question
Aug 30th, 2010

Hi,

My ASA 5520 is version 8.2(1).

I configured two subinterfaces:

interface GigabitEthernet0/3.1
 vlan 272
 nameif WN
 security-level 50
 ip address 10.227.2.254 255.255.255.0
 ospf cost 10
!
interface GigabitEthernet0/3.2
 vlan 275
 nameif WN275
 security-level 50
 ip address 10.227.5.254 255.255.255.0
 ospf cost 10
!

Users in vlan 272 work fine, but users in vlan 275 can't even ping the gateway 10.227.5.254.

I can't find anything wrong. The only strange thing I noticed when I do a "sh int ip bri" is that the METHOD is different, see below. For Gi0/3.2 it is "manual", rather than "config".

GigabitEthernet0/3.1       10.227.2.254    YES CONFIG up                    up
GigabitEthernet0/3.2       10.227.5.254    YES manual up                    up

I guess if I can get that "manual" changed to "config", I will have a better chance to get vlan275 to work.

How can I do that? Why is it "manual"?


Thanks heaps.

Adam

Jennifer Halim Tue, 08/31/2010 - 01:50
User Badges: Cisco Employee

The switch port that connects to the ASA interface gig0/3 is, I believe, a trunk port (dot1q). Please make sure that you allow VLAN 275 on that trunk port, and that you also have VLAN 275 in your VLAN database.

I would also like to find out if there is any ICMP policy configured on the ASA that might be blocking ping. Please check the "sh run icmp" output.

Adamzhang Tue, 08/31/2010 - 19:14

"Switchport trunk allowed vlan add 275" fixed the problem.

Thanks a lot Halijenn.


Adam

Nagaraja Thanthry Tue, 08/31/2010 - 06:26
User Badges: Cisco Employee

Hello,


What is the native VLAN on that trunk? If the native VLAN is 275, then change the native VLAN to something that is not used in the network (say 900). Since there is no native VLAN concept in the firewall subinterface, it will expect all packets to be tagged for the subinterfaces.


Hope this helps.


Regards,


NT
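The two replies above name the two trunk-side conditions that break a dot1q subinterface on the ASA: the VLAN missing from the trunk's allowed list, and the VLAN being the trunk's native VLAN (so the switch sends it untagged while the subinterface only accepts tagged frames). The script below is an added example, not code from this thread or from Cisco: it parses an ASA subinterface block and the facing switch port's running config and reports either condition. The switch port name GigabitEthernet1/0/1 and both switch configs are constructed for the example; the ASA side mirrors the VLANs and addresses from the original post.

```python
import re
from typing import Dict, List, Optional, Set

# Constructed sample: the ASA subinterfaces from the thread.
ASA_CONFIG = """\
interface GigabitEthernet0/3.1
 vlan 272
 nameif WN
 security-level 50
 ip address 10.227.2.254 255.255.255.0
 ospf cost 10
!
interface GigabitEthernet0/3.2
 vlan 275
 nameif WN275
 security-level 50
 ip address 10.227.5.254 255.255.255.0
 ospf cost 10
!
"""

# Constructed sample (hypothetical port name): the switch port facing the ASA
# before the fix, showing both faults the replies describe.
SWITCH_CONFIG_BEFORE = """\
interface GigabitEthernet1/0/1
 description to-ASA-gi0/3
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 275
 switchport trunk allowed vlan 272
 switchport mode trunk
!
"""

# Constructed sample: the same port after allowing VLAN 275 and moving the
# native VLAN to an unused id (900, as suggested in the thread).
SWITCH_CONFIG_AFTER = """\
interface GigabitEthernet1/0/1
 description to-ASA-gi0/3
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 900
 switchport trunk allowed vlan 272,275
 switchport mode trunk
!
"""


def expand_vlan_list(spec: str) -> Set[int]:
    """Expand an IOS VLAN list such as '272,275,300-302' into a set of ids."""
    vlans: Set[int] = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            vlans.update(range(lo, hi + 1))
        else:
            vlans.add(int(part))
    return vlans


def parse_asa_subinterfaces(text: str) -> Dict[str, dict]:
    """Return {subinterface: {'vlan', 'nameif', 'ip'}} for every dot1q subinterface."""
    result: Dict[str, dict] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        m = re.match(r"^interface (\S+\.\d+)\s*$", line)
        if m:
            current = m.group(1)
            result[current] = {"vlan": None, "nameif": None, "ip": None}
            continue
        if current is None:
            continue
        s = line.strip()
        if s == "!":
            current = None          # end of the interface block
        elif s.startswith("vlan "):
            result[current]["vlan"] = int(s.split()[1])
        elif s.startswith("nameif "):
            result[current]["nameif"] = s.split()[1]
        elif s.startswith("ip address "):
            result[current]["ip"] = s.split()[2]
    return {k: v for k, v in result.items() if v["vlan"] is not None}


def parse_trunk(text: str) -> dict:
    """Return {'native': int, 'allowed': set or None}; None means all VLANs (the IOS default)."""
    native = 1                       # IOS default native VLAN
    allowed: Optional[Set[int]] = None
    for line in text.splitlines():
        s = line.strip()
        m = re.match(r"switchport trunk native vlan (\d+)$", s)
        if m:
            native = int(m.group(1))
            continue
        m = re.match(r"switchport trunk allowed vlan(?: (add|remove))? (.+)$", s)
        if m:
            verb, spec = m.group(1), m.group(2).strip()
            if spec == "all":
                allowed = None
            elif spec == "none":
                allowed = set()
            elif verb == "add":      # adding to "all" is still "all"
                allowed = None if allowed is None else allowed | expand_vlan_list(spec)
            elif verb == "remove":
                base = set(range(1, 4095)) if allowed is None else allowed
                allowed = base - expand_vlan_list(spec)
            else:
                allowed = expand_vlan_list(spec)
    return {"native": native, "allowed": allowed}


def audit(asa_text: str, switch_text: str) -> List[str]:
    """One finding per subinterface VLAN that is pruned from the trunk or is its native VLAN."""
    findings: List[str] = []
    trunk = parse_trunk(switch_text)
    for name, sub in sorted(parse_asa_subinterfaces(asa_text).items()):
        vlan, who = sub["vlan"], f"{name} ({sub['nameif']}, {sub['ip']})"
        if trunk["allowed"] is not None and vlan not in trunk["allowed"]:
            findings.append(f"{who}: VLAN {vlan} is not in the trunk's allowed list")
        if vlan == trunk["native"]:
            findings.append(f"{who}: VLAN {vlan} is the trunk's native VLAN; frames arrive "
                            "untagged and the tagged subinterface never sees them")
    return findings


if __name__ == "__main__":
    for label, cfg in (("before", SWITCH_CONFIG_BEFORE), ("after", SWITCH_CONFIG_AFTER)):
        print(f"--- {label} ---")
        for f in audit(ASA_CONFIG, cfg) or ["no trunk/subinterface mismatch"]:
            print(f)
```

Run against the "before" config it reports both faults for GigabitEthernet0/3.2 and nothing for 0/3.1, which matches the symptom in the post (VLAN 272 works, VLAN 275 cannot reach its gateway); against the "after" config it reports nothing. Feed it the real "show running-config interface" output of the ASA and of the switch port to use it as a quick check before touching either device.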

Allen P Chen Tue, 08/31/2010 - 19:48
User Badges: Cisco Employee

With regards to the "CONFIG" and "manual" keywords:

GigabitEthernet0/3.1       10.227.2.254    YES CONFIG up                    up
GigabitEthernet0/3.2       10.227.5.254    YES manual up                    up


CONFIG indicates that the IP address for GigabitEthernet0/3.1 was loaded from the startup config.  Manual indicates that the device has not been reloaded since the IP address was assigned to GigabitEthernet0/3.2.  The same interface will display CONFIG once the device is reloaded.


http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/s3.html#wp1464786

Adamzhang Tue, 08/31/2010 - 19:53

Hi Allen,

Thanks for explaining. That is very good to know.

Adam
