03-16-2021 03:07 AM
We have two ASA5508X in our network. The Management Network for both ASAs is the same.
The basic problem is that I can ping internet hosts successfully from the CLISH CLI on "ASA1", but on "ASA2" it is not possible. Please see the configuration.
********************************************************
"ASA1": Ping OK
show network
===============[ System Information ]===============
Hostname : ASA5508-G3-1-12
DNS Servers : 8.8.8.8
Management port : 8305
IPv4 Default route
Gateway : 192.168.100.254
Netmask : 0.0.0.0
======================[ br1 ]=======================
State : Enabled
Link : Up
Channels : Management & Events
Mode : Non-Autonegotiation
MDI/MDIX : Auto/MDIX
MTU : 1500
MAC Address : 00:81:C4:93:4C:03
----------------------[ IPv4 ]----------------------
Configuration : Manual
Address : 192.168.100.12
Netmask : 255.255.255.0
Gateway : 192.168.100.254
----------------------[ IPv6 ]----------------------
Configuration : Disabled
===============[ Proxy Information ]================
State : Disabled
Authentication : Disabled
**********************************************************
"ASA2": Ping not possible
> show network
===============[ System Information ]===============
Hostname : firepower
DNS Servers : 8.8.8.8
Management port : 8305
IPv4 Default route
Gateway : 192.168.100.253
======================[ br1 ]=======================
State : Enabled
Channels : Management & Events
Mode : Non-Autonegotiation
MDI/MDIX : Auto/MDIX
MTU : 1500
MAC Address : 00:2C:C8:49:E9:A4
----------------------[ IPv4 ]----------------------
Configuration : Manual
Address : 192.168.100.14
Netmask : 255.255.255.0
Broadcast : 192.168.100.255
----------------------[ IPv6 ]----------------------
Configuration : Disabled
===============[ Proxy Information ]================
State : Disabled
Authentication : Disabled
**********************************************************************
I searched for differences between the two ASAs and found in FMC that the interface "diagnostic1/1" has no logical name on "ASA1", but on "ASA2" the interface "diagnostic1/1" has a logical name with no IP address or other config.
I know that using the diagnostic interface influences how management traffic is handled.
In FMC I tried to remove the name of the interface "Diagnostic1/1", but there was a warning:
*************
Please Confirm
Removing the name of the interface will remove other subcommands under interfaces, as well as the other command referencing the interface. Any network connection to this interface will be disconnected.
Do you want to continue ? YES / NO
**************
It is not intended to use the Diagnostic interface. Both ASAs also have a "Management" data interface to reach the outside network. The "Management Interface" and the "Management Data Interface" are all connected together over a switch and are able to communicate with each other.
Now my question:
I'm scared to say "yes" to the above warning. The ASA is a production device and should not fail. A short interruption is acceptable. What I want is to avoid losing the ability to manage the device from FMC, or ending up in a situation where I have to rebuild the device from scratch.
Is it generally possible that the named diagnostic interface prevents pinging internet hosts from the CLISH CLI?
If yes, is it safe to answer the question with "yes", or are there other possibilities to "deactivate" this diagnostic interface?
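Added example (not from the thread or from Cisco): a small parser that turns two `show network` outputs into key/value paths and lists every line that differs or is missing on one side, so the comparison above can be done mechanically instead of by eye. The two sample outputs are abbreviated copies of the ones posted in this thread; the section and key names follow the posted format, and the path separator "/" is an assumption of this script.

```python
"""Diff two Firepower/FTD `show network` outputs section by section."""
import re

# Constructed samples: abbreviated copies of the two outputs posted in the thread.
ASA1 = """\
===============[ System Information ]===============
Hostname : ASA5508-G3-1-12
DNS Servers : 8.8.8.8
Management port : 8305
IPv4 Default route
Gateway : 192.168.100.254
Netmask : 0.0.0.0
======================[ br1 ]=======================
State : Enabled
Link : Up
Channels : Management & Events
MAC Address : 00:81:C4:93:4C:03
----------------------[ IPv4 ]----------------------
Configuration : Manual
Address : 192.168.100.12
Netmask : 255.255.255.0
Gateway : 192.168.100.254
----------------------[ IPv6 ]----------------------
Configuration : Disabled
"""

ASA2 = """\
===============[ System Information ]===============
Hostname : firepower
DNS Servers : 8.8.8.8
Management port : 8305
IPv4 Default route
Gateway : 192.168.100.253
======================[ br1 ]=======================
State : Enabled
Channels : Management & Events
MAC Address : 00:2C:C8:49:E9:A4
----------------------[ IPv4 ]----------------------
Configuration : Manual
Address : 192.168.100.14
Netmask : 255.255.255.0
Broadcast : 192.168.100.255
----------------------[ IPv6 ]----------------------
Configuration : Disabled
"""

# "=====[ name ]=====" opens a top-level section, "-----[ name ]-----" a sub-block.
HEADER = re.compile(r"^([=-]+)\[\s*(.+?)\s*\][=-]+$")


def parse_show_network(text):
    """Return {"section/sub-block/key": value} for one `show network` output."""
    entries = {}
    section, sub = "", ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = HEADER.match(line)
        if match:
            if match.group(1)[0] == "=":
                section, sub = match.group(2), ""   # new section resets the sub-block
            else:
                sub = match.group(2)
            continue
        if ":" in line:
            # Split on the first colon only, so MAC addresses keep their colons.
            key, value = (part.strip() for part in line.split(":", 1))
            entries["/".join(p for p in (section, sub, key) if p)] = value
        else:
            sub = line   # bare label such as "IPv4 Default route" opens a sub-block
    return entries


def diff_show_network(left, right):
    """Map each differing path to (left value, right value); None means absent."""
    a, b = parse_show_network(left), parse_show_network(right)
    return {
        path: (a.get(path), b.get(path))
        for path in sorted(set(a) | set(b))
        if a.get(path) != b.get(path)
    }


if __name__ == "__main__":
    for path, (one, two) in diff_show_network(ASA1, ASA2).items():
        print(f"{path:45} ASA1={one!s:18} ASA2={two!s}")
```

Run against the posted outputs, the report shows the two things worth a second look: the default-route gateway differs (.254 vs .253) and the br1 IPv4 block on ASA2 has no "Gateway" line at all (it shows "Broadcast" instead), alongside the expected differences in hostname, address and MAC.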
03-16-2021 06:52 AM
It's a diagnostics interface, not a data interface; changing it won't impact traffic through the firewall. Make the change out of hours if you are concerned.
The output you showed above is from the management interface, so when you ping you are using the command ping system <ip address> right? Obviously the next hop default gateway needs to permit that traffic. If you just use "ping <ip address>" then traffic would be sourced from the data interface not the management interface.
03-16-2021 05:06 AM
If the management network is the same for both ASAs then you've got a different gateway (192.168.100.253) defined on the ASA that's not working correctly. Change the gateway and try again.
03-16-2021 06:36 AM
Hello Rob,
thank you for your answer.
On ASA2 I changed the gateway address from 192.168.100.253 to 192.168.100.254, but without success.
( >configure network ipv4 manual 192.168.100.14 255.255.255.0 192.168.100.254 ) (I have set it back to ...253.)
The gateway addresses you see are the interface addresses of the data interfaces connected to the management network.
Mgnt-interface1 (192.168.100.12) --> Data-Interface1 192.168.100.254 --> ASA1 -->Internet Provider 1
Mgnt-interface2 (192.168.100.14) --> Data-Interface2 192.168.100.253 --> ASA2 -->Internet Provider 2
My intention was to use a data interface as the gateway for the management interface of the same ASA.
This works on ASA1 successfully but not on ASA2.
Do you have any hints regarding removing the name of the diagnostic interface?