Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1341
Views
5
Helpful
4
Replies

ASA 5508-x unable to ping from Mgmt interface - routed outside

richard.priest
Level 1
Level 1

‎09-14-2020 04:32 AM

I'm a bit stumped with this, just standing up a new, (to me), 5508-x pair in HA.

 

Managment interface is up and I can SSH / ASDM to it fine, I can ping the mgmt interface both from the same network and from a remote network with no issues - there is a single route for the remote network via the mgmt interface.

 

However if I try to ping any device or send any traffic from the firewall to something on the management network, the firewall routes it via the outside interface.

 

There are no routes on the firewall other than the default 0.0.0.0 0.0.0.0 outside. The face that the mangement network is a connected interface should make this inconsequential.

 

I've tred with and without :

 

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

 

to no effect

 

Firewall is currently running 9.8(4)22 which I have a few 5508 on without this issue, reboots or failing over also have no effect - not that i'd expect them to.

 

anyone have any ideas?

0 Helpful
4 Replies 4

balaji.bandi
Hall of Fame
Hall of Fame

‎09-14-2020 04:40 AM

What i understand from thread, you like your Management Traffic back to  using Mananget Interface instead of using default route outside. - is this correct ?

 

as per the your config, you have setup default route outside that is prefered route.

 

if you like to have manangement interface need to be return from same interface you need to have static IP route entry refer below example guide :

 

https://www.cisco.com/c/en/us/td/docs/security/asa/asa72/configuration/guide/conf_gd/ip.html#wp1102439%0A

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

richard.priest
Level 1
Level 1
In response to balaji.bandi

‎09-14-2020 04:46 AM - edited ‎09-14-2020 04:51 AM

Thanks balaji.bandi,

 

Why would I need to add a route for a directly connected network? To ram the point home further, if you try to add one anyway it errors with

 

ERROR: Cannot add route, connected route exists

 

EDIT for clarity, the mangement interface is on a /24 for example 192.168.100.0/24 with an IP of 192.168.100.100. From the firewall if I try to ping another device on this subnet i.e. 192.168.100.15 it's routed outside.

 

However there are no routes in the routing table for 192.168.100.15, only a default route out learned via OSPF so a much much higher AD than the directly connected interface, and also not a good prefix match.

richard.priest
Level 1
Level 1

‎09-14-2020 04:43 AM

I just tried removing my OSPF config to rule that out and traffic is now being routed via the mgmgt interface for that subnet.

 

But I still don't understand why this is occuring as there are not any longer prefix matches in the routing table than the directly connected interface!

0 Helpful

balaji.bandi
Hall of Fame
Hall of Fame

‎09-14-2020 05:20 AM

Thanks for the input, my input based on the post - now we come to know you running also OSPF

 

so to understand better can you provide below information :

 

running configuration

routing information

management interface run differnet routing table, have you tried sourcing interface source ?

is the management interface part of OSPF processs ?

 

what is gateway of the device in the network 192.168.100.X /24 ?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card