New Member

asa 5520 sub interface issue

Hi,

My ASA 5520 is version 8.2(1).

I configured two subinterfaces:

interface GigabitEthernet0/3.1
vlan 272
nameif WN
security-level 50
ip address 10.227.2.254 255.255.255.0
ospf cost 10
!
interface GigabitEthernet0/3.2
vlan 275
nameif WN275
security-level 50
ip address 10.227.5.254 255.255.255.0
ospf cost 10

!

Users in vlan 272 work fine, but users in vlan 275 can't even ping the gateway 10.227.5.254.

I can't find anything wrong. Only one strange thing I noticed when I do a "sh int ip bri" is the METHOD is different, see below. For Gi0/3.2 it is "manual", rather than "config".

GigabitEthernet0/3.1       10.227.2.254    YES CONFIG up                    up 
GigabitEthernet0/3.2       10.227.5.254    YES manual up                    up

I guess if I can get that "manual" changed to "config", I will have a better chance to get vlan275 to work.

How can I do that? Why is it "manual"?

Thanks heaps.

Adam

5 REPLIES
Cisco Employee

Re: asa 5520 sub interface issue

The switch port that connects to the ASA interface gig0/3, I believe is a trunk port (dot1q), and please make sure that you allow VLAN 275 in that trunk port, and you also have VLAN 275 in your vlan database.

Would also like to find out if there is any ICMP policy configured on the ASA that might be blocking ping. Pls check "sh run icmp" output.

New Member

Re: asa 5520 sub interface issue

"Switchport trunk allowed vlan add 275" fixed the problem.

Thanks a lot Halijenn.

Adam

Cisco Employee

Re: asa 5520 sub interface issue

Hello,

What is the native vlan on that trunk? If the native vlan is 275, then change the native vlan to something that is not used in the network (say 900). Since there is no native vlan concept in the firewall subinterface, it will expect all packets to be tagged for the subinterfaces.

Hope this helps.

Regards,

NT
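
Added example (not written by any participant in this thread): a small offline check covering both points raised in the replies above, that each ASA subinterface VLAN must be in the trunk's allowed list and must not be the trunk's native VLAN. The switch port name and its configuration are constructed for illustration, and the code assumes IOS trunk defaults (all VLANs allowed, native VLAN 1, native VLAN sent untagged).

```python
import re

# Constructed samples: ASA subinterfaces from the thread; the switch port is hypothetical.
ASA_CONFIG = """interface GigabitEthernet0/3.1
 vlan 272
interface GigabitEthernet0/3.2
 vlan 275
"""
SWITCH_PORT = """interface GigabitEthernet1/0/1
 switchport mode trunk
 switchport trunk allowed vlan 1-100,272
"""

def asa_subif_vlans(cfg):
    """Map each ASA subinterface to the VLAN ID it expects tagged frames for."""
    vlans, current = {}, None
    for line in map(str.strip, cfg.splitlines()):
        if line.startswith("interface "):
            current = line.split()[1]
        elif current and "." in current and (m := re.match(r"vlan (\d+)$", line)):
            vlans[current] = int(m.group(1))
    return vlans

def trunk_state(cfg):
    """Return (allowed VLAN set, native VLAN) for one switch trunk port."""
    allowed, native = set(range(1, 4095)), 1  # assumed IOS defaults: all VLANs, native 1
    for line in map(str.strip, cfg.splitlines()):
        if m := re.match(r"switchport trunk native vlan (\d+)$", line):
            native = int(m.group(1))
        elif m := re.match(r"switchport trunk allowed vlan (add )?([\d,-]+)$", line):
            ids = set()
            for part in m.group(2).split(","):
                lo, _, hi = part.partition("-")
                ids.update(range(int(lo), int(hi or lo) + 1))
            allowed = allowed | ids if m.group(1) else ids
    return allowed, native

def audit(asa_cfg, switch_cfg):
    """List ASA subinterface VLANs the trunk drops or sends untagged."""
    allowed, native = trunk_state(switch_cfg)
    issues = []
    for ifname, vlan in asa_subif_vlans(asa_cfg).items():
        if vlan not in allowed:
            issues.append((ifname, vlan, "not in trunk allowed list"))
        elif vlan == native:
            issues.append((ifname, vlan, "is the native VLAN (untagged)"))
    return issues
```

Calling `audit(ASA_CONFIG, SWITCH_PORT)` on the constructed input reports GigabitEthernet0/3.2 (VLAN 275) as missing from the allowed list, which is the condition that was fixed in this thread.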

Cisco Employee

Re: asa 5520 sub interface issue

With regards to the "CONFIG" and "manual" keywords,

GigabitEthernet0/3.1       10.227.2.254    YES CONFIG up                    up 
GigabitEthernet0/3.2       10.227.5.254    YES manual up                    up

CONFIG indicates that the IP address for GigabitEthernet0/3.1 was loaded from the startup config.  Manual indicates that the device has not been reloaded since the IP address was assigned to GigabitEthernet0/3.2.  The same interface will display CONFIG once the device is reloaded.

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/s3.html#wp1464786

New Member

Re: asa 5520 sub interface issue

Hi Allen,

Thanks for explaining. That is very good to know.

Adam
