06-27-2020 01:00 PM - edited 06-27-2020 03:53 PM
Hello there,
We are in the process of building a brand new firewall cluster using two ASA 5508-X with Firepower Services. However, either I'm completely screwing something up or I've hit a bug.
Scenario: 2x ASA 5508-X
Software management: FMC version 6.5
Software version on ASA devices: FTD 6.4.0.9 (recommended)
Problem: I want to use interfaces 3/4/5 as a virtual switching interface (i.e. BVI). So I create the BVI using the web interface of the FMC, adding my interfaces and then assigning an IP to the BVI (172.16.2.254/24). Then I hook up those interfaces to my switch and try to reach that IP. No reaction whatsoever.
As a test, I unplugged all cables from those interfaces (3/4/5) and hooked up my laptop directly to interface #4. Of course my laptop has an IP address in that range (172.16.2.1/24). Wireshark tells me I'm trying to ARP but the ASA simply doesn't respond... which is weird because at this point I'm convinced Layer 1 and Layer 2 are completely correct (seeing as it's basically):
client PC <-----> Port4 on Active ASA.
I did 'deploy' and save the config, so I know the ASA has the configuration deployed. SSH'ing into the ASA (the active one) and doing a 'show ip', I can see the IP address assigned to the BVI (btw I also tried removing the BVI and just assigning the IP straight to that specific interface port). I can send a ping to that IP from the ASA itself, but when I try to ping my laptop from the ASA the reply output shows '????', which seems to indicate it doesn't know how to get there. Which is of course weird, because the 'show route' command shows that subnet as a directly connected network. Truly at a loss on what is going wrong here.
Prior to building my ASA cluster and tinkering about with the functionality, I managed one of the ASA devices directly from its own web interface and performed the exercise described above, and it worked just fine... Is there some sort of bug or am I completely overlooking something?
Other interfaces (port-channels and subinterfaces on the other ports like 1/2, 6/7/8) work just fine with their own subnets and whatnot (not overlapping, of course).
--------------------------------------------------
UPDATE: FIXED
Turns out after creating the BVI, you need to assign a security zone to the individual interfaces. This I hadn't done.
06-27-2020 10:16 PM
ASA works on an inside-outside (high, low) kind of concept.
FTD is a totally zone-based firewall; an interface needs to be attached to a zone.
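A pre-deployment sanity check for the situation in this thread, added here as an example and not code from the thread or from Cisco: given a plain-dict model of the BVI definition (interface names GigabitEthernet1/3-5, the routed interface on 1/1 and its address are assumed, as is the dict layout; FMC's real objects differ), it flags BVI members that have no security zone, the condition the poster found, and also catches an address overlap with a routed interface.

```python
from copy import deepcopy
from ipaddress import ip_interface

# Constructed config mirroring the post (interface names are assumed): BVI1 with
# members 3/4/5 at 172.16.2.254/24, members enabled but not placed in a security zone.
CONFIG_BEFORE_FIX = {
    "bridge_groups": [{"name": "BVI1", "ip": "172.16.2.254/24",
                       "members": ["GigabitEthernet1/3", "GigabitEthernet1/4", "GigabitEthernet1/5"]}],
    "interfaces": {
        "GigabitEthernet1/1": {"enabled": True, "zone": "outside", "ip": "198.51.100.2/24"},
        "GigabitEthernet1/3": {"enabled": True, "zone": None, "ip": None},
        "GigabitEthernet1/4": {"enabled": True, "zone": None, "ip": None},
        "GigabitEthernet1/5": {"enabled": True, "zone": None, "ip": None},
    },
}

def check_bridge_groups(cfg):
    """Return a list of findings; an empty list means the BVI looks deployable."""
    findings = []
    # Subnets of routed interfaces, to catch the overlap the poster says to avoid.
    routed = {n: ip_interface(i["ip"]).network for n, i in cfg["interfaces"].items() if i.get("ip")}
    for bvi in cfg["bridge_groups"]:
        tag = bvi["name"]
        try:
            net = ip_interface(bvi["ip"]).network
        except ValueError:
            findings.append(f"{tag}: invalid address {bvi['ip']!r}")
            net = None
        for name, other in routed.items():
            if net is not None and net.overlaps(other):
                findings.append(f"{tag}: subnet {net} overlaps {name} ({other})")
        for member in bvi["members"]:
            iface = cfg["interfaces"].get(member)
            if iface is None:
                findings.append(f"{tag}: member {member} is not defined")
            elif not iface.get("enabled"):
                findings.append(f"{tag}: member {member} is disabled")
            elif not iface.get("zone"):
                # The condition the thread identifies: FTD is zone-based, so a member without a zone does not serve the BVI address.
                findings.append(f"{tag}: member {member} has no security zone")
    return findings

def assign_zone(cfg, zone):
    """Return a copy of cfg with every BVI member placed in the given zone (the fix)."""
    fixed = deepcopy(cfg)
    for bvi in fixed["bridge_groups"]:
        for member in bvi["members"]:
            fixed["interfaces"].setdefault(member, {"enabled": True, "ip": None})["zone"] = zone
    return fixed
```

Running `check_bridge_groups(CONFIG_BEFORE_FIX)` reports the three zoneless members; after `assign_zone(CONFIG_BEFORE_FIX, "inside")` the check returns no findings.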