Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1169
Views
0
Helpful
4
Replies

Can"t ping sub interface

Jean Paul Enerst
Level 3
Level 3

‎10-07-2019 04:20 PM

Hi Gents,

 

This is an easy one, but i can"t seem to figure it out. I have a pair of 5515X in failover with three interfaces(inside, outside, DMZ) and a sub-interface(uses the DMZ as main). So i use the DMZ interface to create a sub-interface, i had noticed that the Sub-interface did not have a standby IP when i added that standby IP... Failover status of the FW failed, i have to remove the standby IP, perform a no interface-monitoring , and reset the failover.

 

I have double-checked everything connected to the secondary devices, but still no luck!  Everything works as expected when the primary device is running, but if a failover occurs, devices connected to the sub-interface subnet can"t pass traffic! Below is the configuration...

interface GigabitEthernet0/2
speed 1000
duplex full
nameif dmz
security-level 50
ip address 192.168.xxx.1 255.255.255.0 standby 192.168.xxx.2
!
interface GigabitEthernet0/2.xx
vlan xx
nameif coop
security-level 25
ip address 172.16.x.x 255.255.255.0
!

Thanks,

 

 

 

Labels:
0 Helpful
4 Replies 4

luis_cordova
VIP Alumni
VIP Alumni

‎10-07-2019 04:49 PM

Hi @Jean Paul Enerst 

 

When you configure subinterfaces, the physical interface should not have addressing. Maybe, that's why only that interface answers you. I suggest you remove the address from the physical interface and assign that address to another subinterface, enabling the corresponding vlan on the switch.

https://www.networkstraining.com/how-to-configure-vlan-subinterfaces-cisco-asa-5500-firewall/

Regards

0 Helpful

balaji.bandi
Hall of Fame
Hall of Fame

‎10-08-2019 12:59 AM

instead, you can try below : (make sure other switch port config trunk to allow the vlans for the subinterface)

 

interface GigabitEthernet0/2

no nameif

no ip address

no shutdown

!

interface GigabitEthernet0/2.xx
speed 1000
duplex full
nameif dmz
security-level 50
!
interface GigabitEthernet0/2.xx
vlan xx
nameif coop
security-level 25
ip address 172.16.x.x 255.255.255.0
!

 

Other note I do not believe failover is recommended to configure using subinterfaces. 

 

Look for some recommendation document.

 

https://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/ha_overview.html#wp1077627

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Marius Gunnerud
VIP
VIP

‎10-08-2019 02:09 PM

Although it is not common, using an IP on the physical interface while also having a subinterface should still work.  I would suggest trying to add a standby IP to the sub interface.  I think the issue might be that MAC address is still hung up on the primary which has "failed".  Adding a standby IP will ensure that the primary MAC will follow to the secondary in the case of failover.

 

interface GigabitEthernet0/2.xx
vlan xx
nameif coop
security-level 25
ip address 172.16.x.x 255.255.255.0 standby 172.16.x.2

--
Please remember to select a correct answer and rate helpful posts
0 Helpful

Jean Paul Enerst
Level 3
Level 3
In response to Marius Gunnerud

‎10-09-2019 07:33 AM

Thanks Marius. But i have tried that, and i think that iève mentioned that ebove.

 

When i added the standby IP,  failover status changes for a few sec then failed. The secondaray device aka standby device can ping that IP but i can"t ping the active IP for that interface. I have double check the trunk ports and stuff it seems all good to me.

 

I will try the above suggestion because they have not tried them yet, but i think the issue might be something else.

 

Thank you all, will update soon.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card