The VLAN on the switch should not require an IP address, but having one on the switch can be useful for troubleshooting. I've never used the SG500 series, but I assume they're fairly similar to other Catalyst switches. So putting the VLAN interface on the switch would allow you to verify that you can ping the addresses on the connected devices. Obviously that interface IP would have to use one of the public IPs you have, so you'd have to test each ASA's connectivity independently. But even without an IP address on the VLAN interface you can still check ARP tables and such, which is probably where I would start.
This may not make a difference to you, but you might consider putting the three switch ports into their own VLAN and leaving the other ports in the default state, which I'm assuming is VLAN 1. That would isolate that segment from someone plugging into that switch directly. It may not make a big difference since it's on the outside of the firewalls, but I would probably still do it myself.
In my initial configuration, I did have the three connections in their own VLAN. When I found that I had no connectivity, I removed all the configuration except the port configs, just to see if that was the issue. Once I get this working, I will place the three connections back into their own VLAN for the sake of security.
To summarize what I found last night:
1. The fast Ethernet connection from the Comcast box to the ASA is 100Mb full duplex according to the ASA and works just fine.
2. Placing a switch on that circuit, so that we can offer the second ASA the fast Ethernet feed from Comcast, killed our connectivity.
3. According to the switch, the Comcast fast Ethernet connection was 100Mb, half duplex (and thus the other connections to the ASAs were also half duplex).
4. Changing the Comcast connection from a switchport to a trunk does not change this situation.
I have to admit that I am completely baffled at this time.
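One way to make the pattern in that summary visible, as an added example that is not part of the thread: the script below compares what the switch reports for each of its ports against what the device at the far end of each link reports for its side, and flags any link whose two ends disagree, plus any port that settled on half duplex at 100 Mb/s (the usual sign that one side is hard-set to full duplex while the other autonegotiates). The table format, port names and device names are constructed for the example and are not real switch or ASA output.

```python
"""Spot a duplex mismatch from two views of the same Ethernet segment.

Added example; not code from the thread or from any vendor tool.
Input is a constructed, whitespace-separated table with the columns
'Port Status Duplex Speed'. The column layout is an assumption made
for this example, not a real switch's or ASA's output format.
"""

# Constructed sample: what the switch sees on its three ports.
# gi1 faces the ISP hand-off, gi2 and gi3 face the two firewalls.
SWITCH = """
Port Status    Duplex Speed
gi1  connected half   100
gi2  connected half   100
gi3  connected full   100
"""

# Constructed samples: what each firewall sees on its outside interface.
ASA_A = """
Port    Status    Duplex Speed
outside connected full   100
"""
ASA_B = """
Port    Status    Duplex Speed
outside connected full   100
"""


def parse_table(text):
    """Turn a 'Port Status Duplex Speed' table into {port: {column: value}}."""
    lines = [ln for ln in text.strip().splitlines() if ln.strip()]
    header = lines[0].split()
    ports = {}
    for line in lines[1:]:
        fields = dict(zip(header, line.split()))
        ports[fields["Port"]] = fields
    return ports


def suspicious_ports(local):
    """Connected ports that negotiated half duplex at 100 Mb/s.

    A 100 Mb/s link that ends up half duplex is the classic result of
    one side having autonegotiation disabled: the autonegotiating side
    cannot learn the peer's duplex and falls back to half.
    """
    return sorted(
        name for name, p in local.items()
        if p["Status"] == "connected"
        and p["Duplex"] == "half" and p["Speed"] == "100"
    )


def link_mismatches(local, links):
    """Compare both ends of each link.

    links maps a local port name to (remote_table, remote_port_name).
    Returns (local_port, local_speed/duplex, remote_speed/duplex) for
    every link whose two ends disagree on speed or duplex.
    """
    findings = []
    for lport, (remote, rport) in links.items():
        a, b = local[lport], remote[rport]
        if a["Duplex"] != b["Duplex"] or a["Speed"] != b["Speed"]:
            findings.append((
                lport,
                f'{a["Speed"]}/{a["Duplex"]}',
                f'{b["Speed"]}/{b["Duplex"]}',
            ))
    return findings


SWITCH_PORTS = parse_table(SWITCH)
# Which switch port connects to which far-end device and interface
# (constructed topology for the example).
LINKS = {
    "gi2": (parse_table(ASA_A), "outside"),
    "gi3": (parse_table(ASA_B), "outside"),
}

if __name__ == "__main__":
    for port in suspicious_ports(SWITCH_PORTS):
        print(f"{port}: half duplex at 100 Mb/s, check the far end's negotiation")
    for lport, ours, theirs in link_mismatches(SWITCH_PORTS, LINKS):
        print(f"{lport}: switch sees {ours}, far end sees {theirs}")
```

With the constructed data the ISP-facing port is reported half duplex with no far-end view available, and gi2 is reported half duplex by the switch while the firewall behind it reports full duplex, which is exactly the two-sided disagreement to resolve (by fixing both ends to the same setting, or letting both autonegotiate) before looking for a VLAN or trunking explanation.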
Does it work on both ASAs if you go directly from Comcast to the ASA? And if you put the switch in line connecting to only one ASA, does it still break the connectivity? Finally, if you use the switch elsewhere, does it work properly? Since you see a connection directly to Comcast, what happens if you configure the VLAN IP address on the switch? Can you pass traffic from the switch to Comcast?
I agree, it sounds like a very strange situation. As I said, I've never worked with that particular line of switches, but I'd be very surprised if they had substantially different behaviors.
Then I'm unable to help with the different behavior since I haven't used one.
Just a thought, but I do think it's worth checking with Comcast and making sure nothing on their end is causing this to fail. At my home, I was with another cable provider and had arranged to get two DHCP addresses from them, which I needed for a home router and a work VPN router. Everything worked great until Comcast bought the provider and it no longer worked. After several support calls, I finally talked to someone who told me they could only handle a single address, not the two I needed. Obviously your situation is different, but I think it's worth ruling that out as a possible cause.