Help. Changing subnet mask loses connectivity.

NInja Black
Level 1

Hi,

I know this is basic, but it is giving me a lot of headache.

I had a /30 between the Router (3925) and the ASA (5515).

Installed EHWIC on the router to support ASA failover.

I lose connection when I change the mask to /29.

So currently the vlan interface at the router has address 10.xx.xx.xx/30 and ASA interface has 10.xx.xx.xx/29.

This works fine but the moment I change router's mask to /29 it loses connection.

Can't figure out why and I have checked all I could.

- Did shut/no shut on the interface

- Speed/Duplex settings are set to auto both sides.

It's frustrating. Please help.

Accepted Solutions

So you are using a default route to the firewall from the ASA, what do you have for routing on the router? I think you mentioned EIGRP.

The only thing I can think of without looking at the configs on both sides is maybe you have a static route on the router?

How's the TAC going?

On your router are you using the ip default-gateway?


I can think of 2 things

are the ip addresses you are using in the new /29 on the same subnet? <-- just checking

could you have an arp issue?

did you shut/no shut both sides?

if so try clearing the arp.

I did try shut/no shut but only on the router side. Will do it both sides.

Also clearing ARP should make it work. Didn't occur to me until you suggested.

Have to do it after 9pm. Will let you know how it goes.

 

Thanks!!!

How did it go?

I am at the office right now. Tried everything in the last 30 mts. Same thing.

It's frustrating.

- I cleared arp on both the firewall and the router.

- I shut/no shut both interfaces

- Even restarted both the devices with their IPs 10.xx.xx.1/29 10.xx.xx.2/29. Nothing.

I changed just the router ip to 10.xx.xx.2/30 and it works. ???

I am at the office. If you have any ideas please suggest.

Do you have a firewall rule blocking something on the new subnet?

What are you using for routing? Does it match with your new subnet?

Does the interface show as up?

Yeah the interface shows up. That's another thing I didn't understand.

Also I am using EIGRP. When I do a tracert it seems to jump to its EIGRP neighbor instead of going to the directly connected route. I didn't update the subnet on the eigrp neighbors but still shouldn't the connected route be priority?

Did a 'sh ip ro' and the subnet shows directly connected.

 

Have to wait on the TAC case as the support for that office expired 2 months back. Just when I needed it. Will be getting it renewed asap.

Last thing before I LAB this

can you ping the locally connected interface of the ASA?

if your router is 192.168.1.1/30 and your ASA is 192.168.1.2/30

can you ping 192.168.1.2 from the router?

if you can can you see in the arp table the correct mac for 192.168.1.2?

if you can't do you have anything setup that could be blocking it?

you say it's for redundancy, could there be anything in that config that wouldn't work for a /29 address?

ASA: 192.168.1.1/30

Router: 192.168.1.2/30

 

192.168.1.1/29 --- 192.168.1.2/30  > Pings (interface up)

192.168.1.1/29 --- 192.168.1.2/29  > Doesn't ping (interface up)

Can't think of anything that's blocking this.

I really appreciate your help in this Chris. Thanks!!!

Can you see the counters on the interface going up when you ping?

if so is on the ingress or egress?

Do you have any static routes?

If you have a static route that's more specific going somewhere else it might be causing a problem 

Chris,

Pasting below relevant config of both the router and the ASA.

 

Router

interface Vlan10
 description Router_FW1_FW2
 ip address 10.xx.xx.2 255.255.255.252
 ip access-group 120 in
 ip nat inside
 ip virtual-reassembly in
!

 

interface GigabitEthernet0/0/0
 description ASA_Primary
 switchport access vlan 10
 no ip address
!

access-list 120 permit ip any any

 

ASA Config

 

interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 10.xx.xx.1 255.255.255.248
!

route outside 0.0.0.0 0.0.0.0 10.xx.xx.2 1
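
The question raised in the thread about whether the connected route should take priority, and the suggestion that a more specific route could interfere, both come down to longest-prefix matching. The following is an added example, not part of the original thread or anyone's configuration: it uses the thread's 192.168.1.x example addresses and assumes a hypothetical EIGRP neighbor (192.168.50.1) that still advertises the old /30, which nothing in the thread confirms.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    source: str            # "connected" or "eigrp"
    admin_distance: int    # connected = 0, internal EIGRP = 90
    next_hop: str

def lookup(table, destination):
    """Return the route a router would use for destination, or None."""
    dst = ipaddress.ip_address(destination)
    matches = [r for r in table if dst in r.prefix]
    if not matches:
        return None
    # The longest matching prefix wins; administrative distance only
    # decides between routes to the very same prefix.
    return max(matches, key=lambda r: (r.prefix.prefixlen, -r.admin_distance))

# Constructed sample data. 192.168.50.1 is a hypothetical EIGRP neighbor that
# still advertises the old /30; nothing in the thread confirms such a route.
STALE_EIGRP = Route(ipaddress.ip_network("192.168.1.0/30"), "eigrp", 90, "192.168.50.1")

def router_table(mask_bits):
    """Routing table of the router with Vlan10 set to 192.168.1.2/<mask_bits>."""
    vlan10 = ipaddress.ip_interface(f"192.168.1.2/{mask_bits}").network
    return [Route(vlan10, "connected", 0, "Vlan10"), STALE_EIGRP]

if __name__ == "__main__":
    for bits in (30, 29):
        chosen = lookup(router_table(bits), "192.168.1.1")  # the ASA address
        print(f"/{bits}: {chosen.source} {chosen.prefix} via {chosen.next_hop}")
```

With the /30 mask the connected route and the learned route cover the same prefix, so the connected route's lower administrative distance wins; with the /29 mask the learned /30 is more specific and is preferred for the ASA's address even though the /29 still shows as directly connected.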
