ASA 5520 (ifc-classify) Virtual firewall classification failed

bellaichef
Level 1

Hi,

I have an ASA 5520 working in multiple context mode for years now.

Until now the first context was using the interfaces 0/0 and 0/1 and the second context the interfaces 0/2 and 0/3.

But recently I had to add another LAN to this configuration and, because of the lack of available interfaces, I had to make small changes in the system context to add new interfaces in the 2 other contexts.

This is how it is now:

 

interface GigabitEthernet0/0
!
interface GigabitEthernet0/1
!
interface GigabitEthernet0/2
!
interface GigabitEthernet0/2.200
 description Vlan Telephony
 vlan 200
!
interface GigabitEthernet0/2.300
 description Vlan INSIDE
 vlan 300
!
interface GigabitEthernet0/3
!
interface Management0/0
 shutdown
!
class default
  limit-resource All 0
  limit-resource Mac-addresses 65535
  limit-resource ASDM 5
  limit-resource SSH 5
  limit-resource Telnet 5
!

ftp mode passive
pager lines 24
no failover
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
console timeout 0

admin-context admin
context admin
  config-url disk0:/admin.cfg
!

context ISP2
  description ISP2-Context
  allocate-interface GigabitEthernet0/2.200 Telephony
  allocate-interface GigabitEthernet0/2.300 Inside
  allocate-interface GigabitEthernet0/3 Outside
  config-url disk0:/ISP2.cfg
!

context ISP1
  description ISP1-Context
  allocate-interface GigabitEthernet0/0 Inside
  allocate-interface GigabitEthernet0/1 Outside
  allocate-interface GigabitEthernet0/2.200 Telephony
  config-url disk0:/ISP1.cfg
!

prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment

Just doing this, and after reapplying the configuration on the ISP2 context (because I had to remove the physical interface for two VLAN interfaces in this context), the historical config is working, and I can see the Telephony interface in both contexts.

Traffic from inside to outside is working and services provided to externals are still working through the context.

Now regarding the Telephony interfaces, any resources in the same VLAN can ping them but nothing can go through the FWs using these interfaces as gateway, and packet tracer gives me a nice:

(ifc-classify) Virtual firewall classification failed

There is clearly something that I do not understand but I can't find what. Any help would be very appreciated.

This is the config (not all, but everything related to the interfaces and NAT) of the first context:

!
interface Inside
 nameif Inside
 security-level 100
 ip address 10.1.100.253 255.255.255.0
!
interface Outside
 nameif Outside
 security-level 0
 ip address 155.175.237.133 255.255.255.248
!
interface Telephony
 nameif Telephony
 security-level 50
 ip address 10.1.200.253 255.255.255.0
!
object network Default-Nat
 subnet 10.1.0.0 255.255.128.0
object network XX-VRIPB-01
 host 10.1.200.16
object network Telephony-DMZ
 subnet 10.1.200.0 255.255.255.0

object network Default-Nat
 nat (Inside,Outside) dynamic interface
object network XX-VRIPB-01
 nat (Telephony,Outside) static 155.175.237.134
object network Telephony-DMZ
 nat (Telephony,Outside) dynamic interface  (tried to put static 155.175.237.134 instead but it did not work either)

route Outside 0.0.0.0 0.0.0.0 155.175.237.129 1
route Inside 10.1.0.0 255.255.240.0 10.1.100.1 1
route Inside 10.1.0.0 255.255.255.0 10.1.100.1 1
route Inside 10.1.80.0 255.255.255.0 10.1.100.1 1

Many thanks in advance for your help.

F.

1 Accepted Solution


Ilkin
Cisco Employee

It looks like there is a shared interface between 2 contexts.

interface GigabitEthernet0/2.200
 description Vlan Telephony
 vlan 200

In case of shared interfaces, incoming traffic might fail to be classified to contexts, which is usually fixed by enabling per-context MAC address (prefix) generation with the 'mac-address auto' command under the system context.
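As an added illustration of Ilkin's fix (constructed here, not configuration from the original thread), this is the system-context excerpt from the question with per-context MAC generation enabled; the prefix value in the commented line is an arbitrary assumption, not something the thread specifies:

```cisco
! System context (constructed from the configuration posted in the question).
! Gi0/2.200 is allocated to both ISP1 and ISP2, so it is a shared interface.
! Without unique per-context MAC addresses, a frame arriving on Gi0/2.200
! cannot be classified by destination MAC (both contexts present the same
! burned-in MAC), so the classifier falls back to the NAT mapped addresses;
! through-traffic whose destination is not a mapped address then fails with
! "(ifc-classify) Virtual firewall classification failed".
!
! Fix: generate a distinct MAC for every context interface in the system
! context, so the destination MAC of an incoming frame matches exactly one
! context. Place it globally, before the context definitions.
mac-address auto
! Assumed option: a fixed prefix avoids overlap with another ASA that also
! auto-generates MACs on the same VLANs (prefix value chosen arbitrarily).
! mac-address auto prefix 100
!
interface GigabitEthernet0/2
!
interface GigabitEthernet0/2.200
 description Vlan Telephony
 vlan 200
!
interface GigabitEthernet0/2.300
 description Vlan INSIDE
 vlan 300
!
context ISP2
  description ISP2-Context
  allocate-interface GigabitEthernet0/2.200 Telephony
  allocate-interface GigabitEthernet0/2.300 Inside
  allocate-interface GigabitEthernet0/3 Outside
  config-url disk0:/ISP2.cfg
!
context ISP1
  description ISP1-Context
  allocate-interface GigabitEthernet0/0 Inside
  allocate-interface GigabitEthernet0/1 Outside
  allocate-interface GigabitEthernet0/2.200 Telephony
  config-url disk0:/ISP1.cfg
!
```

After applying it, `show interface Telephony` run inside each context should report a different MAC address for the shared subinterface, which is the check that classification by destination MAC can now work.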


2 Replies

Many thanks Ilkin, that did the job!!
