STP problem between ASA and switch

boban-petrovic
Level 1

I have the following situation: a host connected to switch port 0/1 with address 192.168.139.38 255.255.255.252, and a connection between switch port 0/2 and ASA port 0/1. The relevant configuration is:

Switch config:

!

spanning-tree mode pvst

no spanning-tree optimize bpdu transmission

spanning-tree extend system-id

no spanning-tree vlan 131

!

!

interface FastEthernet0/1

switchport access vlan 131

switchport mode access

!

interface FastEthernet0/2

switchport access vlan 131

switchport mode access

!

ASA config:

!

interface Ethernet0/1

nameif line

security-level 100

ip address 192.168.139.37 255.255.255.252

!

In this scenario, the host successfully pings the ASA. But, as you can see, STP is disabled for VLAN 131. If I enable it, my log shows:

Feb 14 09:05:59: %SPANTREE-7-RECV_1Q_NON_TRUNK: Received 802.1Q BPDU on non trunk FastEthernet0/2 VLAN131.

Feb 14 09:05:59: %SPANTREE-7-BLOCK_PORT_TYPE: Blocking FastEthernet0/2 on VLAN0131. Inconsistent port type.

switch# sh spa vlan 131 | inc Fa0/2

Fa0/2            Desg BKN*19        128.2    P2p *TYPE_Inc

If the switch port is in access mode, then the BPDU from the ASA has got to be VLAN tagged, so I changed the switch config to:

interface FastEthernet0/2

switchport trunk native vlan 131

switchport mode trunk

!

Feb 14 09:12:56: %SPANTREE-2-RECV_PVID_ERR: Received BPDU with inconsistent peer vlan id 1115 on FastEthernet0/2 VLAN131.

Feb 14 09:12:56: %SPANTREE-2-BLOCK_PVID_LOCAL: Blocking FastEthernet0/2 on VLAN0131. Inconsistent local vlan.

If I remove 'switchport trunk native vlan 131', I get a similar error:

Feb 14 09:12:26: %SPANTREE-2-RECV_PVID_ERR: Received BPDU with inconsistent peer vlan id 1115 on FastEthernet0/2 VLAN1.

Feb 14 09:12:26: %SPANTREE-2-BLOCK_PVID_LOCAL: Blocking FastEthernet0/2 on VLAN0001. Inconsistent local vlan.

In both cases:

switch# sh spa vlan 131 | inc Fa0/2

Fa0/2            Desg BKN*19        128.2    P2p *PVID_Inc

So this time the port type was correct but the VLAN ID was not.

I tried changing the config on the ASA:

!

interface Ethernet0/1

nameif line2

security-level 100

no ip address

!

interface Ethernet0/1.1

vlan 131

nameif line

security-level 100

ip address 192.168.139.37 255.255.255.252

!

And this setting on the switch:

interface FastEthernet0/2

switchport trunk allowed vlan 131

switchport mode trunk

!

And this time it was good:

switch# sh spa vlan 131 | inc Fa0/2

Fa0/2            Desg FWD 19        128.2    P2p

But in this case my host can't ping the ASA!

How to solve this?
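As an added example (not from the thread or from Cisco), a small Python parser that turns the %SPANTREE syslog lines and the "show spanning-tree" port rows quoted above into structured records, so a log-monitoring job can flag a port STP has put into the BKN* state and report whether the cause was the port type (tagged BPDU on an access port) or a PVID mismatch between the VLAN carried in the peer's BPDU and the local VLAN. The sample lines are constructed copies of the ones in the post.

```python
import re

# Constructed copies of the switch log lines and the "sh spa vlan 131" row from the post.
SAMPLE_LOG = """\
Feb 14 09:05:59: %SPANTREE-7-RECV_1Q_NON_TRUNK: Received 802.1Q BPDU on non trunk FastEthernet0/2 VLAN131.
Feb 14 09:05:59: %SPANTREE-7-BLOCK_PORT_TYPE: Blocking FastEthernet0/2 on VLAN0131. Inconsistent port type.
Feb 14 09:12:56: %SPANTREE-2-RECV_PVID_ERR: Received BPDU with inconsistent peer vlan id 1115 on FastEthernet0/2 VLAN131.
Feb 14 09:12:56: %SPANTREE-2-BLOCK_PVID_LOCAL: Blocking FastEthernet0/2 on VLAN0131. Inconsistent local vlan.
"""
SAMPLE_STP = "Fa0/2            Desg BKN*19        128.2    P2p *PVID_Inc"

MSG_RE = re.compile(r"%SPANTREE-(?P<sev>\d)-(?P<mnemonic>[A-Z0-9_]+): (?P<text>.*)")
IFACE_RE = re.compile(r"((?:Fast|Gigabit)?Ethernet\d+/\d+)")
VLAN_RE = re.compile(r"VLAN0*(\d+)")          # matches VLAN131 and VLAN0131 alike
PEER_RE = re.compile(r"peer vlan id (\d+)")
# Port row: iface role state cost prio.nbr type [*reason]; "BKN*19" fuses state and cost.
PORT_RE = re.compile(r"^(\S+)\s+(\S+)\s+(BKN\*|FWD|BLK|LRN|LIS|LBK)\s*(\d+)\s+(\S+)\s+(\S+)(?:\s+\*(\w+))?")

def parse_spantree(log):
    """One dict per %SPANTREE syslog line: mnemonic, interface, local VLAN, peer VLAN (if any)."""
    events = []
    for m in filter(None, map(MSG_RE.search, log.splitlines())):
        text = m.group("text")
        iface, vlan, peer = IFACE_RE.search(text), VLAN_RE.search(text), PEER_RE.search(text)
        events.append({"mnemonic": m.group("mnemonic"),
                       "iface": iface.group(1) if iface else None,
                       "vlan": int(vlan.group(1)) if vlan else None,
                       "peer_vlan": int(peer.group(1)) if peer else None})
    return events

def summarize(events):
    """Group by (interface, VLAN): was the port blocked, and which BPDU mismatch caused it."""
    out = {}
    for e in events:
        s = out.setdefault((e["iface"], e["vlan"]), {"blocked": False, "reasons": []})
        if e["mnemonic"] == "RECV_1Q_NON_TRUNK":
            s["reasons"].append("802.1Q-tagged BPDU received on an access port")
        elif e["mnemonic"] == "RECV_PVID_ERR":
            s["reasons"].append(f"peer VLAN {e['peer_vlan']} in BPDU != local VLAN {e['vlan']}")
        elif e["mnemonic"].startswith("BLOCK_"):
            s["blocked"] = True
    return out

def parse_port_line(line):
    """Parse one 'show spanning-tree vlan N' port row; 'broken' means STP shows BKN*."""
    m = PORT_RE.match(line)
    if not m:
        return None
    iface, role, state, cost, prio, ltype, reason = m.groups()
    return {"iface": iface, "role": role, "state": state.rstrip("*"), "cost": int(cost),
            "prio": prio, "type": ltype, "broken": state == "BKN*", "reason": reason}
```

The reason field carries the same codes the switch prints (TYPE_Inc, PVID_Inc), so a monitor can alert on any row where broken is true and include the code verbatim.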




6 Replies

cadet alain
VIP Alumni

Hi,

On the switch, is VLAN 131 the native VLAN?

If so, can you use a physical interface on the ASA to configure it, as only dot1q-tagged VLANs are configured on subinterfaces?

Regards.

Alain

Don't forget to rate helpful posts.

Hi,

No, VLAN 131 is not native on the switch. It's a regular VLAN; the native VLAN is VLAN 1.

Hi,

Why did you disable STP for this VLAN on the switch?

Regards.

Alain

Don't forget to rate helpful posts.

At this moment I don't need STP because there are no loops in my network. If I enable STP on that VLAN, port 0/2 goes into blocking state, so I decided to disable STP for that particular VLAN. Now I have a request for link and device redundancy, so there will be loops in the network, and therefore I have to enable STP for all VLANs. That means that I have to solve this issue.

Hi,

OK, so now the STP port is forwarding and it is still not possible to ping the ASA from the host in that VLAN, OK?

Can you post the running config from the ASA?

Regards.

Alain

Don't forget to rate helpful posts.

ASA Version 7.2(3)

!

hostname asa

domain-name default.domain.invalid

names

dns-guard

!

interface Ethernet0/0

no ip address

!

interface Ethernet0/1

nameif line2

security-level 100

no ip address

!

interface Ethernet0/1.1

nameif line

security-level 100

ip address 192.168.139.37 255.255.255.252

!

interface Ethernet0/2

no ip address

!

interface Ethernet0/3

no ip address

!

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

!

boot system disk0:/asa723-k8.bin

ftp mode passive

clock timezone CET 1

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

access-list line_access_in extended permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0

access-list line_access_in extended permit icmp any any

access-list nonat extended permit ip 192.168.0.0 255.255.0.0 192.168.0.0 255.255.0.0

access-list capture-line extended permit ip any any

pager lines 24

logging enable

logging timestamp

logging buffer-size 16384

logging console debugging

logging buffered debugging

logging trap informational

logging asdm informational

mtu line 1500

mtu management 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-523.bin

no asdm history enable

arp timeout 14400

access-group line_access_in in interface line

!

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map global_policy

class inspection_default

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

  inspect pptp

!

service-policy global_policy global
