07-27-2010 02:07 AM - edited 03-11-2019 11:16 AM
Hi,
I have recently added a layer 2 leaf to my network, configuring ASAs at each of my two locations. The remote site config is working fine, but I am having major issues with my ASA5505. I use a tracked route to treat data going from my primary site to the remote site, but the link keeps dropping.
Please see below some of my config.
interface Vlan1
nameif inside
security-level 100
ip address 192.168.16.10 255.255.255.0
!
interface Vlan2
nameif outside
security-level 0
ip address 83.147.148.134 255.255.255.252
!
interface Vlan3
nameif digiwebl2
security-level 90
ip address 192.168.160.10 255.255.255.0
!
interface Ethernet0/0
switchport access vlan 2
speed 100
duplex full
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Ethernet0/4
switchport access vlan 3
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
access-list L2_access_in extended permit icmp 192.168.160.0 255.255.255.0 192.168.160.0 255.255.255.0
access-list L2_access_in extended permit ip 192.168.20.0 255.255.255.0 192.168.16.0 255.255.255.0
access-list L2_access_in extended permit icmp 192.168.20.0 255.255.255.0 192.168.16.0 255.255.255.0
access-group outside_access_in in interface outside
access-group L2_access_in in interface digiwebl2
route digiwebl2 192.168.20.0 255.255.255.0 192.168.160.254 255 track 1
route inside 172.31.60.0 255.255.255.0 192.168.16.254 1
route outside 0.0.0.0 0.0.0.0 83.147.148.133 1
route outside 192.168.20.0 255.255.255.0 83.147.148.133 254
If I plug into Ether0/4 I cannot ping back to the 192.168.16.10 interface, which leads me to think that there is a bug somewhere on the appliance.
I have just had the device upgraded to version 7.2(5)
thanks,
Paul.
07-27-2010 03:53 AM
Paul,
If you plug into Eth0/4 then you will be on Vlan 3 which is the 192.168.160.x subnet. While on this subnet, you will only be able to ping the interface facing you, the Vlan3 interface at 192.168.160.10. This is by design and summarized here:
http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/trouble.html#wpmkr1048373
Note: For security purposes the security appliance does not support far-end interface ping, that is, pinging the IP address of the outside interface from the inside network.
This applies to other to-the-box traffic like telnet/ssh/asdm as well. You can only communicate with the interface facing you. When you are plugged into Eth0/4, can you ping 192.168.160.10? Do you have any 'icmp permit' statements? What does 'show run icmp' show?
- Magnus
07-27-2010 03:58 AM
Hi Magnus,
I believe part of my issue is that I cannot ping the interface facing me. How I recovered this yesterday, and only for a short period of time, was to move another interface into VLAN 3, but again this went down shortly after. Would you have any idea why it would not be able to ping the 192.168.160.10 interface?
Paul.
07-27-2010 04:03 AM
Paul,
The interface should not go 'down' if a host is physically connected to the port. Right after connecting the host to Eth0/4, can you ping 192.168.160.10? What is the output of 'show int vlan3' and 'show int eth0/4' at the time? Does your machine directly connected to Eth0/4 show any ARP entries (on Windows you can do 'arp -an' to see the ARP cache)?
- Magnus
07-27-2010 05:42 AM
The strange thing is I cannot ping the interface when directly connected to Ether0/4.
ARP on the laptop returns an empty MAC address field, all zeros.
5505Crecora# sh int vlan 3
Interface Vlan3 "digiwebl2", is up, line protocol is up
Hardware is EtherSVI
MAC address 0024.9740.0af7, MTU 1500
IP address 192.168.160.10, subnet mask 255.255.255.0
Traffic Statistics for "digiwebl2":
46446 packets input, 7095832 bytes
40823 packets output, 10948114 bytes
1254 packets dropped
1 minute input rate 0 pkts/sec, 80 bytes/sec
1 minute output rate 0 pkts/sec, 110 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 0 pkts/sec, 83 bytes/sec
5 minute output rate 0 pkts/sec, 122 bytes/sec
5 minute drop rate, 0 pkts/sec
5505Crecora# sh int ether0/4
Interface Ethernet0/4 "", is up, line protocol is up
Hardware is 88E6095, BW 100 Mbps
Auto-Duplex(Half-duplex), Auto-Speed(100 Mbps)
Available but not configured via nameif
MAC address 0024.9740.0af3, MTU not set
IP address unassigned
78844 packets input, 10359034 bytes, 0 no buffer
Received 7 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops
32373 switch ingress policy drops
40843 packets output, 11718191 bytes, 0 underruns
41 output errors, 39 collisions, 0 interface resets
0 babbles, 0 late collisions, 30 deferred
0 lost carrier, 0 no carrier
0 input reset drops, 0 output reset drops
0 rate limit drops
0 switch egress policy drops
Rgds,
Paul.
07-27-2010 06:20 AM
Hello,
From your output, it seems like the interface Ethernet 0/4 is in half duplex mode. This looks more like a physical layer issue. What kind of Ethernet cable are you using? Could you please try a straight cable instead of a crossover (if you are using a crossover)? Also, check the speed/duplex settings on the laptop and make sure that they are set to auto. If we can fix the physical layer issue, I guess the other issues will get fixed automatically.
Hope this helps.
Regards,
NT
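The duplex symptom NT points at can be turned into a repeatable check. The following Python is an added example, not code from the thread or from Cisco: it reads 'show interface' text (the Ethernet0/4 output posted above, pasted in as a constructed sample, plus an assumed healthy counterpart), pulls out duplex, speed and the collision/deferred counters, and flags the half-duplex-with-collisions pattern that results from auto-negotiating against a far end forced to 100/full, which is exactly what the SP later says their switch does. The 'speed 100' / 'duplex full' lines it proposes are the same two already applied to Ethernet0/0 in the posted config; the output format for a forced port is an assumption.

```python
import re

# Constructed sample: the 'show interface Ethernet0/4' output posted in the thread,
# pasted here as the text this check would read from the ASA.
SAMPLE_SHOW_INT = '''\
Interface Ethernet0/4 "", is up, line protocol is up
  Hardware is 88E6095, BW 100 Mbps
        Auto-Duplex(Half-duplex), Auto-Speed(100 Mbps)
        Available but not configured via nameif
        MAC address 0024.9740.0af3, MTU not set
        IP address unassigned
        78844 packets input, 10359034 bytes, 0 no buffer
        Received 7 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 L2 decode drops
        32373 switch ingress policy drops
        40843 packets output, 11718191 bytes, 0 underruns
        41 output errors, 39 collisions, 0 interface resets
        0 babbles, 0 late collisions, 30 deferred
        0 lost carrier, 0 no carrier
'''

# Constructed healthy counterpart (assumed output shape for a port forced to
# 100/full), used to show the check staying quiet when nothing is wrong.
SAMPLE_SHOW_INT_OK = '''\
Interface Ethernet0/0 "", is up, line protocol is up
  Hardware is 88E6095, BW 100 Mbps
        Full-Duplex, 100 Mbps
        12345 packets input, 1234567 bytes, 0 no buffer
        0 switch ingress policy drops
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
'''

COUNTERS = ("output errors", "collisions", "late collisions", "deferred",
            "switch ingress policy drops")


def _counter(text, label):
    """Integer printed in front of `label` (e.g. '39 collisions'); 0 if absent."""
    m = re.search(r"\b(\d+) " + re.escape(label) + r"\b", text)
    return int(m.group(1)) if m else 0


def parse_show_interface(text):
    """Extract name, duplex/speed and the counters that matter for a duplex
    mismatch, then decide what (if anything) looks wrong."""
    name = re.search(r"^Interface (\S+)", text, re.M)
    duplex = re.search(r"(?:Auto-Duplex\()?(Half|Full)-[Dd]uplex", text)
    speed = re.search(r"(?:Auto-Speed\(|[Dd]uplex, )(\d+) Mbps", text)
    counters = {label: _counter(text, label) for label in COUNTERS}

    result = {
        "interface": name.group(1) if name else None,
        "duplex": duplex.group(1) if duplex else None,
        "speed": int(speed.group(1)) if speed else None,
        "autoneg": "Auto-Duplex" in text,
        "counters": counters,
        "issues": [],
        "fix": [],
    }

    # Half duplex plus collisions/deferred transmissions on a 100 Mbps link is the
    # classic signature of auto-negotiation against a far end that is forced to
    # 100/full: the auto side gets no link partner to negotiate with and falls
    # back to half duplex.
    if result["duplex"] == "Half" and any(
            counters[k] for k in ("collisions", "late collisions", "deferred")):
        result["issues"].append("half_duplex_mismatch")
        if result["autoneg"]:
            result["issues"].append("autoneg_fallback")
        # Same two lines the posted config already applies to Ethernet0/0.
        result["fix"] = [f"interface {result['interface']}",
                         f" speed {result['speed'] or 100}",
                         " duplex full"]

    # Frames the 5505's switch fabric discarded on ingress (counter as printed on
    # the page); the thread does not establish the cause, so it is only surfaced.
    if counters["switch ingress policy drops"]:
        result["issues"].append("switch_ingress_policy_drops")

    return result


if __name__ == "__main__":
    for sample in (SAMPLE_SHOW_INT, SAMPLE_SHOW_INT_OK):
        r = parse_show_interface(sample)
        print(r["interface"], r["duplex"], r["speed"], r["issues"], r["fix"])
```

Run it against the real output after the change ('show interface Ethernet0/4' again): if the counters keep climbing with the port forced to full, the cable or the far-end port is the next thing to look at rather than the ASA.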
07-27-2010 07:06 AM
Hi,
I just got a reply from the NOC at my SP regarding the layer 2 supplied and I think this may explain it however not quite sure how to get around it.
"Both connections to our switch on site with you in Limerick should be set to 100mbit full duplex with auto-negotiation turned off.
Both the internet and the layer2 connections are presented as access ports on the switch on site with you in Limerick, so there should be no vlan tagging presented to our switch on either port."
Paul.
07-27-2010 07:55 AM
OK! The physical side of things is now sorted; however, a "sh conn address 192.168.16.57" (my IP) is showing paths out over the VPN still, but some traffic is going up the layer 2.
I need the VPN as a backup so I don't want to take it down. Can I clear out the connections learned by the ASA so the tracked route will take preference?
Paul.
07-28-2010 02:20 AM
Ok! I can answer this one now myself.
Once the ping issue from the interface back to the firewall interface was resolved there was still little or no utilization of the layer 2 pipe. The reason for this was that all users were working from previously learned paths, which in this case was the VPN connection. This was identified through "sh conn address 192.168.16.57" (my IP address); "sh conn" showed that all other users were using the VPN also.
I issued a "clear conn all" and this dropped the ASA connection momentarily, but it enforced the tracked route entry in the firewall and now over 90% of my traffic is using the layer 2.
Magnus thanks for your assistance with the MAC issue.
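Paul's fix was a blanket "clear conn all". The following Python is an added example, not code from the thread: it parses 'show conn' text and lists only the connections that still reach the remote subnet over an interface other than the one the tracked route now prefers, then emits per-host "clear conn address" commands so existing flows on the preferred path (and unrelated Internet flows) are left alone. The 'show conn' line format, the sample connections and the interface roles ('outside' carrying the VPN, 'digiwebl2' the layer 2 link) are assumptions, since the thread names the command but does not paste its output.

```python
import ipaddress
import re

# Constructed sample in the shape of 'show conn' output (assumed format). 'outside'
# carries the VPN, 'digiwebl2' is the layer 2 link the tracked route now prefers.
SAMPLE_SHOW_CONN = '''\
TCP outside 192.168.20.5:445 inside 192.168.16.57:49213, idle 0:00:03, bytes 81234, flags UIO
TCP outside 192.168.20.5:3389 inside 192.168.16.57:49310, idle 0:01:12, bytes 2048, flags UIO
TCP digiwebl2 192.168.20.7:80 inside 192.168.16.21:50011, idle 0:00:01, bytes 512, flags UIO
UDP outside 192.168.20.9:53 inside 192.168.16.44:58821, idle 0:00:00, bytes 90, flags -
TCP outside 83.147.148.133:443 inside 192.168.16.57:49400, idle 0:00:10, bytes 3000, flags UIO
'''

# 'proto ifname ip[:port] ifname ip[:port] ...'; the port is optional so ICMP
# entries parse too.
CONN_RE = re.compile(
    r"^(?P<proto>TCP|UDP|ICMP)\s+"
    r"(?P<if_a>\S+)\s+(?P<ip_a>\d+\.\d+\.\d+\.\d+)(?::(?P<port_a>\d+))?\s+"
    r"(?P<if_b>\S+)\s+(?P<ip_b>\d+\.\d+\.\d+\.\d+)(?::(?P<port_b>\d+))?")


def parse_show_conn(text):
    """One dict per connection line; lines that do not match are skipped."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if m:
            conns.append(m.groupdict())
    return conns


def stale_paths(conns, remote_net, preferred_if):
    """Connections that touch remote_net through any interface other than
    preferred_if. Returns (local_host, conn) pairs, in 'show conn' order."""
    net = ipaddress.ip_network(remote_net)
    stale = []
    for c in conns:
        # Either endpoint may be the remote site; check the interface each
        # address was learned on against the one the tracked route prefers.
        ends = ((c["if_a"], c["ip_a"], c["ip_b"]),
                (c["if_b"], c["ip_b"], c["ip_a"]))
        for ifname, ip, other in ends:
            if ipaddress.ip_address(ip) in net and ifname != preferred_if:
                stale.append((other, c))
                break
    return stale


def clear_commands(stale):
    """Per-host 'clear conn address' commands, so only stale flows are torn down
    instead of every connection through the box."""
    hosts = sorted({host for host, _ in stale}, key=ipaddress.ip_address)
    return [f"clear conn address {h}" for h in hosts]


if __name__ == "__main__":
    conns = parse_show_conn(SAMPLE_SHOW_CONN)
    stale = stale_paths(conns, "192.168.20.0/24", "digiwebl2")
    for host, c in stale:
        print(f"{host} -> {c['ip_a']} still via {c['if_a']}")
    print("\n".join(clear_commands(stale)))
```

Clearing one host first ("clear conn address 192.168.16.57", i.e. your own machine) and re-running 'show conn address' is a cheap way to confirm the new connections come up on the layer 2 interface before touching everyone else. The 'all' keyword on 'clear conn' also clears to-the-box connections, the management session included, which is one reason a session drops momentarily when it is used.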