Changing name of diagnostic interface of ASA5508X Threat Defense

j.albos (Level 1)

We have two ASA5508X in our network. The Management Network for both ASAs is the same.

The base problem is that I can ping from the Clish CLI to internet hosts successfully on "ASA1", but on "ASA2" it is not possible. Please see the configuration.

********************************************************

"ASA1": Ping OK

show network
===============[ System Information ]===============
Hostname                  : ASA5508-G3-1-12
DNS Servers               : 8.8.8.8
Management port           : 8305
IPv4 Default route
  Gateway                 : 192.168.100.254
  Netmask                 : 0.0.0.0

======================[ br1 ]=======================
State                     : Enabled
Link                      : Up
Channels                  : Management & Events
Mode                      : Non-Autonegotiation
MDI/MDIX                  : Auto/MDIX
MTU                       : 1500
MAC Address               : 00:81:C4:93:4C:03
----------------------[ IPv4 ]----------------------
Configuration             : Manual
Address                   : 192.168.100.12
Netmask                   : 255.255.255.0
Gateway                   : 192.168.100.254
----------------------[ IPv6 ]----------------------
Configuration             : Disabled

===============[ Proxy Information ]================
State                     : Disabled
Authentication            : Disabled

**********************************************************

"ASA2": Ping not possible

> show network
===============[ System Information ]===============
Hostname                  : firepower
DNS Servers               : 8.8.8.8
Management port           : 8305
IPv4 Default route
  Gateway                 : 192.168.100.253

======================[ br1 ]=======================
State                     : Enabled
Channels                  : Management & Events
Mode                      : Non-Autonegotiation
MDI/MDIX                  : Auto/MDIX
MTU                       : 1500
MAC Address               : 00:2C:C8:49:E9:A4
----------------------[ IPv4 ]----------------------
Configuration             : Manual
Address                   : 192.168.100.14
Netmask                   : 255.255.255.0
Broadcast                 : 192.168.100.255
----------------------[ IPv6 ]----------------------
Configuration             : Disabled

===============[ Proxy Information ]================
State                     : Disabled
Authentication            : Disabled

**********************************************************************

I searched for differences between the two ASAs and found in FMC that interface "diagnostic1/1" has no logical name on "ASA1", but on "ASA2" the interface "diagnostic1/1" has a logical name with no IP address or other config.

I know that using the diagnostic interface influences the behavior of handling management traffic.

In FMC I tried to remove the name of interface "Diagnostic1/1", but there was a warning:

*************
Please Confirm
Removing the name of the interface will remove other subcommands under interfaces, as well as the other command referencing the interface. Any network connection to this interface will be disconnected.
Do you want to continue ? YES / NO
**************

It is not intended to use the Diagnostic interface. Both ASAs also have a "Management" data interface to reach the outside network. The "Management Interface" and the "Management Data Interface" are all connected together over a switch and are able to communicate with each other.

Now my question:

I'm scared to say "yes" to the above warning. The ASA is a production device and should not fail. A short interruption is acceptable. What I want is to avoid losing the ability to manage the device from FMC, or getting into a situation in which I have to rebuild the device from scratch.

Is it generally possible that the named diagnostic interface prevents pinging internet hosts from the Clish CLI?

If yes, is it safe to answer the question with a "yes", or are there other possibilities to "deactivate" this diagnostic interface?


3 Replies

@j.albos 

If the management network is the same for both ASAs then you've got a different gateway (192.168.100.253) defined on the ASA that's not working correctly. Change the gateway and try again.

Hello Rob,

thank you for your answer.

On ASA2 I changed the gateway address from 192.168.100.253 -to-> 192.168.100.254, but without success.
( > configure network ipv4 manual 192.168.100.14 255.255.255.0 192.168.100.254 ) (I have set it back to ...253.)

The gateway addresses you see are the interface addresses of the data interfaces connected to the management network.

Mgnt-interface1 (192.168.100.12) --> Data-Interface1 192.168.100.254 --> ASA1 --> Internet Provider 1
Mgnt-interface2 (192.168.100.14) --> Data-Interface2 192.168.100.253 --> ASA2 --> Internet Provider 2

My intention was to use a data interface as the gateway for the management interface of the same ASA.
This runs on ASA1 successfully but not on ASA2.

Do you have any hints regarding removing the name of the diagnostic interface?

Accepted Solution

It's a diagnostics interface, not a data interface; changing it won't impact traffic through the firewall. Make the change out of hours if you are concerned.

The output you showed above is from the management interface, so when you ping you are using the command ping system <ip address>, right? Obviously the next hop default gateway needs to permit that traffic. If you just use "ping <ip address>", then traffic would be sourced from the data interface, not the management interface.
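The accepted reply separates `ping system <ip address>` (sourced from the management interface whose settings `show network` prints) from plain `ping <ip address>` (sourced from a data interface), and points at the next-hop gateway of the management interface. When comparing `show network` from several devices, as the poster did by hand, it is less error-prone to parse the output and check the management gateway settings mechanically. The Python below is an added example written for this page, not Cisco code and not the poster's own. It embeds trimmed copies of the two outputs posted above as sample input, and the checks it applies (a Link line reporting Up, a Gateway line under br1's IPv4 block, gateways inside the br1 subnet, per-interface gateway matching the system default route) are this example's own assumptions about what a consistent management configuration looks like, not a diagnosis of the poster's problem.

```python
"""Parse FTD `show network` output and sanity-check the management (br1) IPv4
settings.  Added example for this thread, not Cisco code and not the poster's
own.  The samples are trimmed copies of the outputs posted above (System
Information and br1 only); the checks encode this example's own assumptions
about what a consistent management configuration looks like."""
import ipaddress
import re

SECTION_RE = re.compile(r"^=+\[\s*(.+?)\s*\]=+$")     # ===[ br1 ]===
SUBSECTION_RE = re.compile(r"^-+\[\s*(.+?)\s*\]-+$")  # ---[ IPv4 ]---
KV_RE = re.compile(r"^\s*(.+?)\s*:\s*(.*)$")          # Key   : value


def parse_show_network(text):
    """Return {section: {key: value}}; sub-blocks are keyed like 'br1/IPv4'."""
    parsed, section, store, prefix = {}, None, None, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if m := SECTION_RE.match(line):
            section, prefix = m.group(1), None
            store = parsed.setdefault(section, {})
            continue
        if m := SUBSECTION_RE.match(line):
            prefix = None
            store = parsed.setdefault(f"{section}/{m.group(1)}", {})
            continue
        if store is None:            # text before the first header, e.g. the prompt
            continue
        if m := KV_RE.match(line):
            key = m.group(1)
            if line.startswith(" ") and prefix:
                key = f"{prefix} {key}"  # e.g. 'IPv4 Default route Gateway'
            else:
                prefix = None
            store[key] = m.group(2).strip()
        else:
            prefix = line.strip()    # bare label that introduces indented keys
    return parsed


def check_management(parsed, iface="br1"):
    """Return a list of findings for the management interface; [] means all OK."""
    findings = []
    link = parsed.get(iface, {}).get("Link")
    if link != "Up":
        findings.append(f"{iface}: link not reported as Up (got {link!r})")
    ipv4 = parsed.get(f"{iface}/IPv4", {})
    addr, mask = ipv4.get("Address"), ipv4.get("Netmask")
    if not (addr and mask):
        return findings + [f"{iface}: no IPv4 address/netmask configured"]
    net = ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)
    if_gw = ipv4.get("Gateway")
    sys_gw = parsed.get("System Information", {}).get("IPv4 Default route Gateway")
    if if_gw is None:
        findings.append(f"{iface}: no Gateway line under IPv4 (default route: {sys_gw})")
    for label, gw in (("interface", if_gw), ("system default route", sys_gw)):
        if gw and ipaddress.IPv4Address(gw) not in net:
            findings.append(f"{label} gateway {gw} is outside {net}")
    if if_gw and sys_gw and if_gw != sys_gw:
        findings.append(f"{iface} gateway {if_gw} differs from default route {sys_gw}")
    return findings


# Trimmed from the thread's "ASA1" output (the device where ping works).
ASA1_SHOW_NETWORK = """\
===============[ System Information ]===============
Hostname                  : ASA5508-G3-1-12
IPv4 Default route
  Gateway                 : 192.168.100.254
======================[ br1 ]=======================
Link                      : Up
----------------------[ IPv4 ]----------------------
Configuration             : Manual
Address                   : 192.168.100.12
Netmask                   : 255.255.255.0
Gateway                   : 192.168.100.254
"""

# Trimmed from the thread's "ASA2" output (the device where ping fails).
ASA2_SHOW_NETWORK = """\
> show network
===============[ System Information ]===============
Hostname                  : firepower
IPv4 Default route
  Gateway                 : 192.168.100.253
======================[ br1 ]=======================
----------------------[ IPv4 ]----------------------
Configuration             : Manual
Address                   : 192.168.100.14
Netmask                   : 255.255.255.0
Broadcast                 : 192.168.100.255
"""

if __name__ == "__main__":
    for name, text in (("ASA1", ASA1_SHOW_NETWORK), ("ASA2", ASA2_SHOW_NETWORK)):
        print(name, "; ".join(check_management(parse_show_network(text))) or "OK")
```

Run as a script it prints one verdict per device. On the thread's own data it reports ASA1 as OK and flags ASA2 for having no Link line and no Gateway line under br1's IPv4 block; whether those differences matter for the poster is something to confirm on the device itself, for example with `ping system` as the reply suggests, and the same parser can be pointed at `show network` captured from a whole fleet to find the outlier quickly.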
