09-14-2020 04:32 AM
I'm a bit stumped with this, just standing up a new (to me) 5508-X pair in HA.
Management interface is up and I can SSH / ASDM to it fine, I can ping the mgmt interface both from the same network and from a remote network with no issues - there is a single route for the remote network via the mgmt interface.
However, if I try to ping any device or send any traffic from the firewall to something on the management network, the firewall routes it via the outside interface.
There are no routes on the firewall other than the default 0.0.0.0 0.0.0.0 outside. The fact that the management network is a connected interface should make this inconsequential.
I've tried with and without:
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
to no effect.
Firewall is currently running 9.8(4)22, which I have a few 5508s on without this issue; reboots or failing over also have no effect - not that I'd expect them to.
Anyone have any ideas?
09-14-2020 04:40 AM
What I understand from the thread is that you would like your management traffic to go back to using the Management interface instead of using the default route via outside - is this correct?
As per your config, you have set up a default route via outside, which is the preferred route.
If you would like the management interface traffic to return via the same interface, you need to have a static IP route entry; refer to the example guide below:
09-14-2020 04:46 AM - edited 09-14-2020 04:51 AM
Thanks balaji.bandi,
Why would I need to add a route for a directly connected network? To ram the point home further, if you try to add one anyway it errors with:
ERROR: Cannot add route, connected route exists
EDIT for clarity: the management interface is on a /24, for example 192.168.100.0/24 with an IP of 192.168.100.100. From the firewall, if I try to ping another device on this subnet, i.e. 192.168.100.15, it's routed outside.
However, there are no routes in the routing table for 192.168.100.15, only a default route out learned via OSPF, so a much, much higher AD than the directly connected interface, and also not a good prefix match.
09-14-2020 04:43 AM
I just tried removing my OSPF config to rule that out, and traffic is now being routed via the mgmt interface for that subnet.
But I still don't understand why this is occurring, as there are no longer-prefix matches in the routing table than the directly connected interface!
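As an added illustration (not code from this thread), the following script models the standard longest-prefix-match lookup the poster expects, with the thread's own constructed table: a connected 192.168.100.0/24 on the management interface and an OSPF-learned default route via outside. It only shows why the connected /24 should win on prefix length regardless of administrative distance; it does not model the ASA's own implementation.

```python
import ipaddress

# Constructed routing table mirroring the thread's description.
# Each entry: (prefix, egress interface, administrative distance, source)
ROUTES = [
    ("192.168.100.0/24", "management", 0, "connected"),
    ("0.0.0.0/0", "outside", 110, "ospf"),
]


def lookup(dst, routes=ROUTES):
    """Return the route a longest-prefix-match lookup would choose for dst.

    Prefix length is compared first (longer wins); administrative distance
    only breaks ties between routes with the same prefix length.
    Returns None when no route covers the destination.
    """
    ip = ipaddress.ip_address(dst)
    candidates = [r for r in routes if ip in ipaddress.ip_network(r[0])]
    if not candidates:
        return None
    return max(candidates,
               key=lambda r: (ipaddress.ip_network(r[0]).prefixlen, -r[2]))


def egress_interface(dst, routes=ROUTES):
    """Interface a packet to dst leaves by, or None if unroutable."""
    route = lookup(dst, routes)
    return route[1] if route else None


if __name__ == "__main__":
    # 192.168.100.15 is the thread's example host on the management subnet.
    for host in ("192.168.100.15", "10.1.1.1"):
        print(host, "->", egress_interface(host))
```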
09-14-2020 05:20 AM
Thanks for the input; my input was based on the post - now we come to know you are also running OSPF.
So, to understand better, can you provide the information below:
running configuration
routing information
The management interface runs a different routing table; have you tried sourcing from the interface?
Is the management interface part of the OSPF process?
What is the gateway of the device in the network 192.168.100.X /24?