topic New WAN outside interface doesn't work! in Network Security

New WAN outside interface doesn't work!

ipv6x — Fri, 30 Sep 2022 08:54:53 GMT

Hello,

At my work we have buy new wan connection.

The topology is

SW_Core ----->FTD---->Outside wan1-2-3

in the SW_Core are 3 vlan:
WAN1

WAN2

WAN3

From the FTD,
WAN1 ----> can ping wan1 gw

WAN2 ---> can ping wan2 gw

WAN3 ---> cannot ping wan3 gw.

and i don't now why?

any idea?

Regards,

Re: New WAN outside interface doesn't work!

Aref Alsouqi — Fri, 30 Sep 2022 09:13:19 GMT

I would check the ARP entries on the FTD, and if it shows incomplete I would try to reach out to the ISP. I personally experienced a couple of similar issues where the ISP was adding a VLAN ID tag on the interface connected to the firewall. In that case I had to create the sub-interfaces before I got it to work. Another thing you can try to do is to connect the WAN3 ISP router directly to the firewall and see if that makes any difference, if so, the issue might be related to something missing on the switch.

Re: New WAN outside interface doesn't work!

ipv6x — Fri, 30 Sep 2022 10:08:38 GMT

Hi @Aref Alsouqi ,

Thank you for the reply, I have a test with my laptop I have put on VLAN wan3 assigned static public IP and it worked. Or in the FTD is another question? I try arp but nothing show on FTD CLI.

Re: New WAN outside interface doesn't work!

MHM Cisco World — Fri, 30 Sep 2022 10:58:04 GMT

Yes but laptop send untag traffic, FTD send tag traffic and SW can't know that tag FTD add.
here you must sure the tag is match and trunk all new WAN VLAN.

Re: New WAN outside interface doesn't work!

ipv6x — Fri, 30 Sep 2022 11:29:21 GMT

Hi @MHM Cisco World ,

yes, and all the VLAN WANs have the same tag trk1.

Re: New WAN outside interface doesn't work!

Aref Alsouqi — Fri, 30 Sep 2022 11:42:11 GMT

Did you connect your laptop directly to the WAN3 router or to a switch port in WAN3 VLAN? if you connected it directly to the WAN3 router then it would mean there is some issues on the WAN3 VLAN switch ports configs. Could you please share the sanitized switch ports configs and a quick draft diagram for review?

If you have a single physical connection between the FTD and the switch, then the FTD must have the VLAN IDs assigned to its sub-interfaces that match whatever VLAN IDs you configured on the switch. And from the switch ports perspective, the link between the switch and the FTD must be configured in trunk allowing all those three VLANs, and then the switch ports connected to the ISP routers must be configured in access mode and placed into their respective VLAN.

An exception of the above, would be if you don't configure a VLAN ID on the FTD for one of those three links, and you decide to use the main physical interface for it, then in that case you must configure the native VLAN on the switch trunk link to be the VLAN that is matching whatever you configured on the FTD main interface. For example, you can have WAN1 and 2 configured as sub-interfaces on the FTD, where VLAN tagging is required, and WAN3 configured on the physical interface of the FTD where tagging is not required.

Re: New WAN outside interface doesn't work!

MHM Cisco World — Fri, 30 Sep 2022 12:01:04 GMT

can you share the config of SW and FTD ?

Re: New WAN outside interface doesn't work!

ipv6x — Fri, 30 Sep 2022 12:21:21 GMT

The configuration is:

FTD-----SWCORE-----WAN1-2-3

FTD have configured 3 interfaces

G0/1 ---> WAN1

G0/2 ---> WAN2

G0/3 ---> WAN 3

in the switch they are connected to port with vlan wan1-2-3 and and they configured like access and tagged with trunk. see the photos

Re: New WAN outside interface doesn't work!

Aref Alsouqi — Fri, 30 Sep 2022 12:29:13 GMT

Are you using a dedicate interface on the FTD (as per dia.png file) for each circuit? how did you configure the firewall ports? as sub-interfaces or physical? Based on the dia.png diagram I don't think you need to worry about tagging/trunk at all. You can just configure the firewall physical interfaces and set the switch ports where the firewall interfaces are connected in access mode in their respective VLANs.

Re: New WAN outside interface doesn't work!

MHM Cisco World — Fri, 30 Sep 2022 12:40:10 GMT

are the issue with WAN-2 (VLAN31)?
if yes
then you need to make VLAN UP/UP
and you can use no autostate to make VLAN UP always
https://www.cisco.com/c/en/us/support/docs/switches/catalyst-6500-series-switches/41141-188.html

Re: New WAN outside interface doesn't work!

ipv6x — Fri, 30 Sep 2022 12:43:37 GMT

In the FTD i am using physical interfaces and on the sw_core they are configured access port with respective Vlans.

Re: New WAN outside interface doesn't work!

ipv6x — Fri, 30 Sep 2022 12:44:45 GMT

The WAN2 is down because the secondary FTD is upgrading status.

And we have ARUBA switches.

Re: New WAN outside interface doesn't work!

MHM Cisco World — Fri, 30 Sep 2022 14:09:19 GMT

just one more think to check
you config VLAN in SW with for example port g0/x
are you sure the FTD is connect to this port ?

Re: New WAN outside interface doesn't work!

Aref Alsouqi — Fri, 30 Sep 2022 12:57:09 GMT

Mmm, can't think of why it shouldn't work then. Can you please try to connect your laptop to a switch port in WAN3 VLAN and try to ping the FTD, and ping the laptop from the FTD?

Re: New WAN outside interface doesn't work!

ipv6x — Fri, 30 Sep 2022 13:33:27 GMT

yes I can ping from the laptop to FTD and vice-versa, also from the laptop I can ping the gw of the isp router, but from FTD I cannot and i don't know why this?

Re: New WAN outside interface doesn't work!

Aref Alsouqi — Fri, 30 Sep 2022 14:44:15 GMT

Interesting! Can you please enable ARP debugs on the FTD and try to ping the ISP IP and share the ARP debug output?

Re: New WAN outside interface doesn't work!

ipv6x — Fri, 30 Sep 2022 15:28:48 GMT

arp-send: arp request built from 10.10.1.3 a03d.6eb8.e77e for 10.10.1.4 at 15:24:04.025

arp-in: response at outside_colt from 10.10.1.3 d4eb.6874.0780 for 10.10.1.4 d4eb.6874.0780 having smac d4eb.6874.0780 dmac ffff.ffff.ffff
arp-send: arp request built from 10.10.1.3 a03d.6eb8.e77e for 10.10.3 at 15:24:04.905

this 10.10.1.4 is ISP GW

Re: New WAN outside interface doesn't work!

Aref Alsouqi — Fri, 30 Sep 2022 17:23:25 GMT

From the output I see the ARP gets resolved so it should work. I would try to connect the FTD interface directly to the WAN3 router and see if it works, or at least try to clear the ARP table on the router by disconnecting the cable that is connected to the switch.

Re: New WAN outside interface doesn't work!

MHM Cisco World — Fri, 30 Sep 2022 17:30:32 GMT

Now every this is OK ARP & MAC (as you mention it is correct)
still there is only one think,
the source of ping are it FTD interface connect to WAN3 or other interface ?
please notice this is FTD not router so it behave is different

Re: New WAN outside interface doesn't work!

ipv6x — Mon, 03 Oct 2022 06:52:59 GMT

The interface of FTD is connected in core switch because i can't connect directly, the ISP router is in another room CED.