ASA 5540 connectivity testing?

d.draghici
Level 1

Hello,

I'm a total n00b at ASA, so please give me a hand.

I have an ASA 5540-AIP40-K9, so it has the standard built-in 4 GE ports + an SSM-40 module.

So I basically just got it out of the box, updated the software and made some minor config changes.

I connected one port (GE 0/0) to a cisco 7600 which is our edge router.

And connected another port (GE 0/3) to another router (cisco 3560-X)

The problem is I can't do any pings...neither from the ASA to the other routers, nor from the routers to the ASA.

And I can't even see any MAC addresses on the connected interfaces, even though the interfaces report being UP.

Is there anything "special" I have to do other than just assign IP addresses / names and security level ...in order to be able to do a ping?

This is my config:

Config
ASA Version 8.3(2)
!
hostname FireStorm
domain-name my-network.net
enable password 8Rg2YjIyt6RRLU64 encrypted
passwd 2KFznbJIdI.2FYOU encrypted
names
!
interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 172.30.123.2 255.255.255.0
!
interface GigabitEthernet0/1
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
description *** Link to Gi0/24 on Poseidon ***
speed 1000
duplex full
nameif inside-Poseidon
security-level 90
ip address 10.123.20.1 255.255.255.0
!
interface Management0/0
nameif Management
security-level 100
ip address 10.255.0.99 255.255.252.0
!
ftp mode passive
dns server-group DefaultDNS
domain-name my-network.net
access-list global_access extended permit icmp any any echo log disable
access-list global_access extended permit icmp any any echo-reply log disable
pager lines 24
mtu outside 1500
mtu inside-Poseidon 1500
mtu Management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-634.bin
no asdm history enable
arp timeout 14400
access-group global_access global
route outside 0.0.0.0 0.0.0.0 172.30.123.1 1
route Management 194.169.191.128 255.255.255.192 10.155.0.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 Management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 Management
ssh timeout 60
ssh version 2
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ntp server 10.255.0.100 source Management prefer
webvpn
username jay password LELpNV7kA8WhSZSo encrypted
username root password wLW5bzeVjjFAsW5L encrypted
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect ip-options
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
!
service-policy global_policy global
prompt hostname context
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:f7ee8a99f50eeff6354219f39e179a60
: end


The other routers have IPs: 172.30.123.1 and 10.123.20.2

Please help.

Thanks a lot.

10 Replies

Kureli Sankar
Cisco Employee

Do the interfaces on the ASA show up/up?

sh int g0/0

sh int g0/3

Ping the interface itself - do you get a response?

Ping the router interface - you should see a response.

sh arp - should show the router's MAC address to IP address mapping.

Enable logging and see what the logs show.

conf t

logging on

logging buffered 7

exit

sh logg

Collect captures on the interfaces and see what might be going on.

cap capin int inside-Poseidon

cap capout int outside

sh cap capin det

sh cap capout det

-KS

Hey,

Thanks for your quick reply.

So yeah, as I said the interfaces do show as being UP:

Interface GigabitEthernet0/0 "outside", is up, line protocol is up
Interface GigabitEthernet0/3 "inside-Poseidon", is up, line protocol is up

If I ping its own interfaces, which are 172.30.123.2 and 10.123.20.1 it replies.

If I ping the directly connected interfaces of the other routers ( 172.30.123.1 and 10.123.20.2 ) they do NOT reply.

show arp on the ASA does NOT show the MAC address of the other routers (just some other devices seen on the management interface), and the same on the routers....the MAC of the ASA does not show.

I set up logging as you said, but it doesn't seem to show anything interesting:

sh logg
%ASA-5-111008: User 'enable_15' executed the 'ping 10.123.20.2' command.
%ASA-5-111010: User 'enable_15', running 'CLI' from IP 194.169.191.185, executed 'ping 10.123.20.2'
%ASA-7-609001: Built local-host Management:10.255.2.1
%ASA-6-302020: Built inbound ICMP connection for faddr 10.255.2.1/0 gaddr 10.255.0.99/0 laddr 10.255.0.99/0
%ASA-6-302021: Teardown ICMP connection for faddr 10.255.2.1/0 gaddr 10.255.0.99/0 laddr 10.255.0.99/0
%ASA-7-609002: Teardown local-host Management:10.255.2.1 duration 0:00:00
%ASA-7-710005: UDP request discarded from 0.0.0.0/68 to Management:255.255.255.255/67
%ASA-7-710005: UDP request discarded from 0.0.0.0/68 to Management:255.255.255.255/67
%ASA-7-710005: UDP request discarded from 0.0.0.0/68 to Management:255.255.255.255/67


sh cap capin det & sh cap capout det

15 packets captured

   1: 13:42:37.473959 0023.044b.4817 ffff.ffff.ffff 0x0806 42: arp who-has 10.123.20.2 tell 10.123.20.1
   2: 13:42:38.540819 0023.044b.4817 ffff.ffff.ffff 0x0806 42: arp who-has 10.123.20.2 tell 10.123.20.1
   3: 13:42:39.540713 0023.044b.4817 ffff.ffff.ffff 0x0806 42: arp who-has 10.123.20.2 tell 10.123.20.1
   4: 13:42:43.540301 0023.044b.4817 ffff.ffff.ffff 0x0806 42: arp who-has 10.123.20.2 tell 10.123.20.1
   5: 13:42:48.539782 0023.044b.4817 ffff.ffff.ffff 0x0806 42: arp who-has 10.123.20.2 tell 10.123.20.1
   6: 13:42:53.539278 0023.044b.4817 ffff.ffff.ffff 0x0806 42: arp who-has 10.123.20.2 tell 10.123.20.1
   7: 13:42:58.538759 0023.044b.4817 ffff.ffff.ffff 0x0806 42: arp who-has 10.123.20.2 tell 10.123.20.1
   8: 13:43:03.538256 0023.044b.4817 ffff.ffff.ffff 0x0806 42: arp who-has 10.123.20.2 tell 10.123.20.1
   9: 13:43:08.537737 0023.044b.4817 ffff.ffff.ffff 0x0806 42: arp who-has 10.123.20.2 tell 10.123.20.1
  10: 13:43:13.537234 0023.044b.4817 ffff.ffff.ffff 0x0806 42: arp who-has 10.123.20.2 tell 10.123.20.1
  11: 13:43:18.536715 0023.044b.4817 ffff.ffff.ffff 0x0806 42: arp who-has 10.123.20.2 tell 10.123.20.1
  12: 13:43:23.536196 0023.044b.4817 ffff.ffff.ffff 0x0806 42: arp who-has 10.123.20.2 tell 10.123.20.1
  13: 13:43:28.535693 0023.044b.4817 ffff.ffff.ffff 0x0806 42: arp who-has 10.123.20.2 tell 10.123.20.1
  14: 13:43:33.535174 0023.044b.4817 ffff.ffff.ffff 0x0806 42: arp who-has 10.123.20.2 tell 10.123.20.1
  15: 13:43:38.534655 0023.044b.4817 ffff.ffff.ffff 0x0806 42: arp who-has 10.123.20.2 tell 10.123.20.1

4 packets captured

   1: 13:45:59.546968 0023.044b.4814 ffff.ffff.ffff 0x0806 42: arp who-has 172.30.123.1 tell 172.30.123.2
   2: 13:46:01.519977 0023.044b.4814 ffff.ffff.ffff 0x0806 42: arp who-has 172.30.123.1 tell 172.30.123.2
   3: 13:46:02.519885 0023.044b.4814 ffff.ffff.ffff 0x0806 42: arp who-has 172.30.123.1 tell 172.30.123.2
   4: 13:46:06.519473 0023.044b.4814 ffff.ffff.ffff 0x0806 42: arp who-has 172.30.123.1 tell 172.30.123.2

I also set the speed and duplex to auto on the GE 0/3 interface, but it doesn't help with anything. I remember when I first set it up I had a hard time getting the interfaces to come UP, and that's why I tried setting the speed explicitly.....but after a while the interfaces just came up by themselves anyway.

The cabling is done using CAT6 straight patches.

The configuration on the other devices to which the ASA is connected:

other routers:

Cisco 7606:

interface GigabitEthernet1/48
description *** Link to FireStorm Gi0/0 (Cisco ASA)***
ip address 172.30.123.1 255.255.255.0

GigabitEthernet1/48 is up, line protocol is up (connected)
  Hardware is C6k 1000Mb 802.3, address is 0018.7416.7380 (bia 0018.7416.7380)
  Description: *** Link to FireStorm Gi0/0 (Cisco ASA)***
  Internet address is 172.30.123.1/24
  MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 1000Mb/s
  input flow-control is off, output flow-control is off
  Clock mode is auto
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:06:06, output 00:00:54, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
  L2 Switched: ucast: 0 pkt, 0 bytes - mcast: 120 pkt, 7680 bytes
  L3 in Switched: ucast: 0 pkt, 0 bytes - mcast: 0 pkt, 0 bytes mcast
  L3 out Switched: ucast: 0 pkt, 0 bytes mcast: 0 pkt, 0 bytes
     130 packets input, 8400 bytes, 0 no buffer
     Received 120 broadcasts (0 IP multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 0 multicast, 0 pause input
     0 input packets with dribble condition detected
     37487 packets output, 15629319 bytes, 0 underruns
     0 output errors, 0 collisions, 2 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 pause output
     0 output buffer failures, 0 output buffers swapped out

=================================================================

Cisco 3560-X:

interface GigabitEthernet0/24
description *** Link to Gi0/3 on FireStorm ***
no switchport
ip address 10.123.20.2 255.255.255.0

GigabitEthernet0/24 is up, line protocol is up (connected)
  Hardware is Gigabit Ethernet, address is fcfb.fb07.9441 (bia fcfb.fb07.9441)
  Description: *** Link to Gi0/3 on FireStorm ***
  Internet address is 10.123.20.2/24
  MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 1000Mb/s, media type is 10/100/1000BaseTX
  input flow-control is off, output flow-control is unsupported
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 00:13:54, output 00:00:10, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     45 packets input, 2880 bytes, 0 no buffer
     Received 45 broadcasts (0 IP multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 0 multicast, 0 pause input
     0 input packets with dribble condition detected
     86353 packets output, 10327630 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 PAUSE output
     0 output buffer failures, 0 output buffers swapped out

As you can see in the captures, the ASA is sending out ARP but there is no response. Layer 2 to layer 3 mapping is not working.

Do you have a switch that you can throw in between the two?

How about debug ip arp on the router? Does it see the packets from the ASA? Does it respond back?

-KS
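KS's first reply walks through the checks (show interface, ping, show arp, logging, captures) and this reply reads the capture result: the ASA broadcasts ARP who-has and nothing answers. The following is an added example, not code from the thread or from Cisco: a small parser for the "show capture ... detail" lines as printed above, which counts ARP requests against ARP replies per target and flags any address the firewall asked for and never resolved. The sample input reuses request lines from the thread; the single reply line and its "arp reply X is-at MAC" wording are constructed (tcpdump-style) to show what a healthy link would produce.

```python
import re
from collections import defaultdict

# One packet line of "show capture <name> detail": number, timestamp, src MAC,
# dst MAC, ethertype, frame length, then the decoded payload text.
CAP_LINE = re.compile(
    r"^\s*(?P<num>\d+):\s+(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<src>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+"
    r"(?P<dst>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+"
    r"(?P<etype>0x[0-9a-f]{4})\s+(?P<len>\d+):\s+(?P<body>.*)$"
)
ARP_REQ = re.compile(r"^arp who-has (?P<target>\S+) tell (?P<sender>\S+)$")
# Assumed reply wording (tcpdump style); not shown in the thread's captures.
ARP_REP = re.compile(r"^arp reply (?P<target>\S+) is-at (?P<mac>\S+)$")

def parse_capture(text):
    """Yield one dict per packet line; headers such as '15 packets captured' are skipped."""
    for line in text.splitlines():
        m = CAP_LINE.match(line)
        if m:
            yield m.groupdict()

def arp_summary(text):
    """Return {target_ip: (requests_seen, replies_seen)} for all ARP frames (ethertype 0x0806)."""
    req, rep = defaultdict(int), defaultdict(int)
    for pkt in parse_capture(text):
        if pkt["etype"] != "0x0806":
            continue  # not ARP; ignore
        m = ARP_REQ.match(pkt["body"])
        if m:
            req[m["target"]] += 1
            continue
        m = ARP_REP.match(pkt["body"])
        if m:
            rep[m["target"]] += 1
    return {t: (req[t], rep[t]) for t in set(req) | set(rep)}

def unanswered_arp(text):
    """Targets the ASA asked for and never heard back from: the L2/L3 mapping failure in the thread."""
    return sorted(t for t, (r, p) in arp_summary(text).items() if r > 0 and p == 0)

# Constructed sample: lines 1-3 are lifted from the thread's captures (requests only);
# line 4 is a hypothetical reply from the 7606's MAC, added to show a resolved target.
SAMPLE = """15 packets captured

   1: 13:42:37.473959 0023.044b.4817 ffff.ffff.ffff 0x0806 42: arp who-has 10.123.20.2 tell 10.123.20.1
   2: 13:42:38.540819 0023.044b.4817 ffff.ffff.ffff 0x0806 42: arp who-has 10.123.20.2 tell 10.123.20.1
   3: 13:45:59.546968 0023.044b.4814 ffff.ffff.ffff 0x0806 42: arp who-has 172.30.123.1 tell 172.30.123.2
   4: 13:46:00.100000 0018.7416.7380 0023.044b.4814 0x0806 60: arp reply 172.30.123.1 is-at 0018.7416.7380
"""

if __name__ == "__main__":
    print(arp_summary(SAMPLE))     # {'10.123.20.2': (2, 0), '172.30.123.1': (1, 1)}
    print(unanswered_arp(SAMPLE))  # ['10.123.20.2']
```

A target that appears only in the unanswered list points at the cabling or port, not at the ASA policy, which is exactly the conclusion the thread reaches.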

Just for the process of elimination can you issue the following commands?

sh run interface GigabitEthernet1/48 on the 7206 and sh run interface GigabitEthernet0/24 on the 3560.

sean_evershed
Level 7

Hi, a minor point. I noticed that one interface is hard set to 1G and the other has no speed set.

Do the speeds of the interfaces set on the router and switch match what is on your firewall?

What is the configuration of the interfaces on the router and switch that connect to the firewall?

Are the ASA and router connected via a switch, or did you use a crossover cable for testing? If it is crossover then you can set the speed to be the same manually on both interfaces.

If you are using a switch, then for gig interfaces, we recommend setting the interface speed and duplex to auto auto.

-KS

d.draghici
Level 1

I put a non-managed L2 10/100 switch between the ASA and the c7600 but still nothing works.

I enabled ARP debugging on the c7600 but nothing is seen coming from the ASA.

@sean_evershed

I already did a show interfaces of both...I posted them just before.

Interesting....where are these packets from the ASA going? So two interfaces on the ASA are doing the same thing? Is this correct?

How about other interfaces?

If you configure another interface and hook up a laptop directly to that port does that work?

Sorry you are going through all this with an ASA out of the box. We will get to the bottom of it soon.

Have you changed the ethernet cables?

-KS

Thank you for persevering so much in helping me.

I finally figured it out.

I went to connect a laptop directly to the ASA when I noticed....the cables were mixed up!!!!  *** giant facepalm ***

I was used to the ports being numbered from left to right on most equipment, but it seems they are backwards on the ASA and I didn't notice that because it is mounted somewhere to the bottom of the rack.

Of course I reversed the cables and everything works just fine now.

Thanks a lot.

But since I'm just at the beginning of my ASA experience, you'll probably see me again on the forum.

I was going to ask if the cables were connected to the correct port.  Didn't want to ask such d**b questions, so I didn't.

Luckily you spotted it.


-KS
