topic Re: Can"t ping sub interface in Network Security

Can"t ping sub interface

Jean Paul Enerst — Mon, 07 Oct 2019 23:20:38 GMT

Hi Gents,

This is an easy one, but i can"t seem to figure it out. I have a pair of 5515X in failover with three interfaces(inside, outside, DMZ) and a sub-interface(uses the DMZ as main). So i use the DMZ interface to create a sub-interface, i had noticed that the Sub-interface did not have a standby IP when i added that standby IP... Failover status of the FW failed, i have to remove the standby IP, perform a no interface-monitoring , and reset the failover.

I have double-checked everything connected to the secondary devices, but still no luck! Everything works as expected when the primary device is running, but if a failover occurs, devices connected to the sub-interface subnet can"t pass traffic! Below is the configuration...

interface GigabitEthernet0/2
speed 1000
duplex full
nameif dmz
security-level 50
ip address 192.168.xxx.1 255.255.255.0 standby 192.168.xxx.2
!
interface GigabitEthernet0/2.xx
vlan xx
nameif coop
security-level 25
ip address 172.16.x.x 255.255.255.0
!

Thanks,

Re: Can"t ping sub interface

luis_cordova — Mon, 07 Oct 2019 23:49:37 GMT

Hi @Jean Paul Enerst

When you configure subinterfaces, the physical interface should not have addressing. Maybe, that's why only that interface answers you. I suggest you remove the address from the physical interface and assign that address to another subinterface, enabling the corresponding vlan on the switch.

https://www.networkstraining.com/how-to-configure-vlan-subinterfaces-cisco-asa-5500-firewall/

Regards

Re: Can"t ping sub interface

balaji.bandi — Tue, 08 Oct 2019 07:59:50 GMT

instead, you can try below : (make sure other switch port config trunk to allow the vlans for the subinterface)

interface GigabitEthernet0/2

no nameif

no ip address

no shutdown

interface GigabitEthernet0/2.xx
speed 1000
duplex full
nameif dmz
security-level 50
!
interface GigabitEthernet0/2.xx
vlan xx
nameif coop
security-level 25
ip address 172.16.x.x 255.255.255.0
!

Other note I do not believe failover is recommended to configure using subinterfaces.

Look for some recommendation document.

https://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/ha_overview.html#wp1077627

Re: Can"t ping sub interface

Marius Gunnerud — Tue, 08 Oct 2019 21:09:28 GMT

Although it is not common, using an IP on the physical interface while also having a subinterface should still work. I would suggest trying to add a standby IP to the sub interface. I think the issue might be that MAC address is still hung up on the primary which has "failed". Adding a standby IP will ensure that the primary MAC will follow to the secondary in the case of failover.

interface GigabitEthernet0/2.xx
vlan xx
nameif coop
security-level 25
ip address 172.16.x.x 255.255.255.0 standby 172.16.x.2

Re: Can"t ping sub interface

Jean Paul Enerst — Wed, 09 Oct 2019 14:33:07 GMT

Thanks Marius. But i have tried that, and i think that iève mentioned that ebove.

When i added the standby IP, failover status changes for a few sec then failed. The secondaray device aka standby device can ping that IP but i can"t ping the active IP for that interface. I have double check the trunk ports and stuff it seems all good to me.

I will try the above suggestion because they have not tried them yet, but i think the issue might be something else.

Thank you all, will update soon.