I have a Cisco 5505, and I am having a problem pinging the gateway on the outside. It was working fine when I first installed it and then stopped after a few hours.
I can now see a large number (1334) of switch ingress policy drops.
The outside interface is connected to a Cisco Catalyst 2960G, with a VLAN created between the gateway and the ASA outside interface.
Gi0/1 - vlan 34 ---> service provider
Gi0/2 - vlan 34 ---> ASA 5505 outside e0/0 interface
Gi0/3 - vlan 34 ---> router
Gi0/4 - vlan 34 ---> PIX
The PIX and router can ping the SP gateway with no problem.
Here is the interface configuration on the ASA 5505:
ip address 10.102.246.71 255.255.255.240
ip address xxxxxx 255.255.255.248
switchport access vlan 2
FW# sh int e0/0
Interface Ethernet0/0 "", is up, line protocol is up
Hardware is 88E6095, BW 100 Mbps
Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
Available but not configured via nameif
MAC address 0025.45fd.e466, MTU not set
IP address unassigned
1910 packets input, 141491 bytes, 0 no buffer
Received 56 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops
1334 switch ingress policy drops
4 packets output, 256 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
0 rate limit drops
0 switch egress policy drops
I have checked that there is no port security on the switch and that the port is not err-disabled on the switch.
Both ports, on the switch and on the ASA, are auto-sensing, and there is no mismatch problem since there are no CRC errors.
Where are you trying to ping from? If you are trying to ping from the ASA,
it should work fine. However, if you try to ping from an internal client, it
may not work as you are missing the NAT configurations.
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
Please try the above configuration if you are trying to ping from the inside.
Hope this helps.
What kind of cable you are using between the ASA and the switch? Can you use
a crossover cable and see if that helps?
I did not try the duplex/speed hard-coding on both sides; same thing. As you mentioned, there is a problem with the tagging.
I could have tried that.
Finally, what I did is invert the VLANs, meaning vlan 1 - outside, vlan 2 - inside, so tagging is on the outside, and it works fine.
I will try your solution later, and anyway thanks very much for your help, guys.
I am having the same problem on the inside interface now that I have interchanged them.
The ASA e0/1 (inside) is connected to the switch with vlan 34 in access mode, but I still see on the switch:
48578 switch ingress policy drops
It's a straight cable. I could change to a crossover, but the Catalyst is MDIX capable.
I think the problem is with VLAN tagging or something of that sort. I have inserted the configuration where vlan 1 is now outside and vlan 2 is inside, and it works.
Hi ash!
I would recommend that you hard-code the speed and duplex on the ASA and the upstream switch, as I have seen some issues with the ASA 5505 connecting to higher-speed interfaces where it shows auto-negotiation at full duplex + 100 Mbps but drops packets because of the higher-speed interface on the other end. Test it using ping.
If I understand your topology correctly, you have a 2960 connecting to a
router, a PIX, and the ASA. Are there any address conflicts? Can you make
sure that on ASA5505, only one port is connected to 2960 (no physical
loops)? Can you try to ping the ASA from one of the other devices and check the
MAC address assigned for that IP?
The reasons for switch ingress policy drops are:
1> The port is not configured properly, and the drops are incremented when a packet cannot be successfully forwarded within the switch ports as a result of these settings.
2> The nameif command was not configured on the VLAN interface. If nameif isn't configured, switching within the same VLAN is still successful.
3> The VLAN is shut down.
4> An access port received an 802.1Q tagged packet.
5> A trunk port received a tag that is not allowed, or an untagged packet.
6> The ASA is connected to a Cisco device or any other device that has Ethernet keepalives.
7> The VLAN only has one physical interface, but the destination of the packet does not match the MAC address of the VLAN and it is not the broadcast address.
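As an added example (not part of the original thread or of any Cisco tool), the script below parses the counters out of the "show interface" output posted earlier and applies the reason list above as a first-pass triage: it separates "physical layer is clean, look at VLAN/tagging/nameif" from "input or CRC errors present, look at speed/duplex and cabling first". The function names (split_interfaces, parse_show_interface, triage, analyze) are my own, and the second Ethernet0/1 block in the sample input is constructed to show the multi-interface split; only the Ethernet0/0 block is taken from the thread.

```python
import re

# Constructed sample input. The Ethernet0/0 block is the "sh int e0/0" output quoted
# in this thread; the Ethernet0/1 block is made up here (MAC and counters are not real)
# so that the multi-interface split and the "clean interface" path are exercised.
SAMPLE_SHOW_INT = """\
Interface Ethernet0/0 "", is up, line protocol is up
  Hardware is 88E6095, BW 100 Mbps
  Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
  Available but not configured via nameif
  MAC address 0025.45fd.e466, MTU not set
  IP address unassigned
  1910 packets input, 141491 bytes, 0 no buffer
  Received 56 broadcasts, 0 runts, 0 giants
  0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
  0 L2 decode drops
  1334 switch ingress policy drops
  4 packets output, 256 bytes, 0 underruns
  0 output errors, 0 collisions, 0 interface resets
  0 babbles, 0 late collisions, 0 deferred
  0 lost carrier, 0 no carrier
  0 rate limit drops
  0 switch egress policy drops
Interface Ethernet0/1 "", is up, line protocol is up
  Hardware is 88E6095, BW 100 Mbps
  Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
  Available but not configured via nameif
  MAC address 0000.0000.0002, MTU not set
  IP address unassigned
  500 packets input, 40000 bytes, 0 no buffer
  Received 10 broadcasts, 0 runts, 0 giants
  0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
  0 L2 decode drops
  0 switch ingress policy drops
  480 packets output, 38000 bytes, 0 underruns
  0 output errors, 0 collisions, 0 interface resets
  0 babbles, 0 late collisions, 0 deferred
  0 lost carrier, 0 no carrier
  0 rate limit drops
  0 switch egress policy drops
"""

# Counter name -> regex capturing the integer that precedes the counter label.
COUNTER_PATTERNS = {
    "packets_input": r"(\d+) packets input",
    "input_errors": r"(\d+) input errors",
    "crc": r"(\d+) CRC",
    "l2_decode_drops": r"(\d+) L2 decode drops",
    "ingress_policy_drops": r"(\d+) switch ingress policy drops",
    "egress_policy_drops": r"(\d+) switch egress policy drops",
    "packets_output": r"(\d+) packets output",
}


def split_interfaces(text):
    """Split a full 'show interface' dump into one text block per interface."""
    blocks = re.split(r"(?m)^(?=Interface \S+)", text)
    return [b for b in blocks if b.strip()]


def parse_show_interface(block):
    """Extract the counters and nameif state from a single interface block."""
    c = {}
    for name, pat in COUNTER_PATTERNS.items():
        m = re.search(pat, block)
        c[name] = int(m.group(1)) if m else None
    m = re.search(r"^Interface (\S+)", block, re.M)
    c["interface"] = m.group(1) if m else None
    c["nameif_configured"] = "not configured via nameif" not in block
    return c


def triage(c):
    """Apply the reason list from the thread to the parsed counters."""
    findings = []
    ingress = c["ingress_policy_drops"] or 0
    egress = c["egress_policy_drops"] or 0
    if ingress:
        share = 100.0 * ingress / c["packets_input"] if c["packets_input"] else 0.0
        findings.append("%d switch ingress policy drops (%.0f%% of input packets)" % (ingress, share))
        if c["input_errors"] == 0 and c["crc"] == 0:
            findings.append("physical layer is clean (0 input errors, 0 CRC): suspect VLAN/tagging "
                            "(tagged frame on an access port, VLAN not allowed on trunk, VLAN shut), "
                            "nameif, or a keepalive-sending peer rather than cabling or duplex")
        else:
            findings.append("input/CRC errors present: check speed/duplex and cabling first")
        if not c["nameif_configured"]:
            findings.append("no nameif on this port: verify the VLAN this switchport belongs to "
                            "has nameif and is not shut down")
    if egress:
        findings.append("%d switch egress policy drops on the output side" % egress)
    return findings


def analyze(text):
    """Return {interface_name: {'counters': ..., 'findings': [...]}} for a whole dump."""
    report = {}
    for block in split_interfaces(text):
        c = parse_show_interface(block)
        report[c["interface"]] = {"counters": c, "findings": triage(c)}
    return report


if __name__ == "__main__":
    for name, r in analyze(SAMPLE_SHOW_INT).items():
        print(name, "->", r["findings"] or ["no policy drops"])
```

Run it against the output of "show interface" copied from the ASA; on the thread's own Ethernet0/0 block it reports 1334 ingress drops against 0 input errors and 0 CRC, which is why the thread moved from cabling and duplex to VLAN tagging.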
I got the same problem. I have checked the MAC addresses of vlan 1 and 36, inside and outside, and they seem to be the same.
Anyway, I finally got it working by removing the VLANs on the switches to which the inside and outside of the ASA 5505 are connected.
I am still encountering egress policy drops. The weird thing is that I cannot ping any interface, though other traffic (SMTP, FTP, SSH) is working. ICMP is enabled on the interface, and I have also created an ACL to permit ICMP on the outside interface.
I will manage with that. Thanks guys for the support.
I have tried that.
I have also added the following for good measure; still nothing.
access-list outside01 permit icmp any any
access-group outside01 in interface outside
OK, let's do one thing: put a capture on the outside interface and see what
is happening with those ICMP packets.
access-list cap permit icmp any any
capture capout access-list cap interface outside
Please configure the above two lines on the firewall, then try to ping somebody
on the outside. After it fails, please collect the output of "show capture
capout" and post it here.