Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
5933
Views
11
Helpful
5
Replies

asa 5520 sub interface issue

Adamzhang
Level 1
Level 1

‎08-30-2010 11:43 PM - edited ‎03-11-2019 11:32 AM

Hi,

My ASA 5520 is version 8.2(1).

I configured two subinterfaces:

interface GigabitEthernet0/3.1
vlan 272
nameif WN
security-level 50
ip address 10.227.2.254 255.255.255.0
ospf cost 10
!
interface GigabitEthernet0/3.2
vlan 275
nameif WN275
security-level 50
ip address 10.227.5.254 255.255.255.0
ospf cost 10

!

Users in vlan 272 work fine, but users in vlan 275 can't even ping the gateway 10.227.5.254.

I can't find anything wrong. Only one strange thing I noticed when I do a "sh int ip bri" is the METHOD is different, see below. For Gi0/3.2 it is "manual", rather than "config".

GigabitEthernet0/3.1       10.227.2.254    YES CONFIG up                    up 
GigabitEthernet0/3.2       10.227.5.254    YES manual up                    up

I guess if I can get that "manual" changed to "config", I will have a better chance to get vlan275 to work.

How can I do that? Why it is "manual"?

Thanks heaps.

Adam

Labels:
0 Helpful
5 Replies 5

Jennifer Halim
Cisco Employee
Cisco Employee

‎08-31-2010 01:50 AM

The switch port that connects to the ASA interface gig0/3, I believe is a trunk port (dot1q), and please make sure that you allow VLAN 275 in that trunk port, and you also have VLAN 275 in your vlan database.

Would also like to find out if there is any ICMP policy configured on the ASA that might be blocking ping. Pls check "sh run icmp" output.

Adamzhang
Level 1
Level 1
In response to Jennifer Halim

‎08-31-2010 07:14 PM

"Switchport trunk allowed vlan add 275" fixed the problem.

Thanks a lot Halijenn.

Adam

0 Helpful

Nagaraja Thanthry
Cisco Employee
Cisco Employee

‎08-31-2010 06:26 AM

Hello,

What is the native vlan on that trunk? If the native vlan is 275, then

change the native vlan to something that is not used in the network (say

900). Since there is no native vlan concept in the firewall subinterface, it

will expect all packets to be tagged for the subinterfaces.

Hope this helps.

Regards,

NT

0 Helpful

Allen P Chen
Level 5
Level 5

‎08-31-2010 07:48 PM

With regards to the "CONFIG" and "manual" keywords,

GigabitEthernet0/3.1       10.227.2.254    YES CONFIG up                    up 
GigabitEthernet0/3.2       10.227.5.254    YES manual up                    up

CONFIG indicates that the IP address for GigabitEthernet0/3.1 was loaded from the startup config.  Manual indicates that the device has not been reloaded since the IP address was assigned to GigabitEthernet0/3.2.  The same interface will display CONFIG once the device is reloaded.

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/s3.html#wp1464786

Adamzhang
Level 1
Level 1
In response to Allen P Chen

‎08-31-2010 07:53 PM

Hi Allen,

Thanks for explaining. That is very good to know.

Adam

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card