Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1859
Views
0
Helpful
5
Replies

Cisco FTD 1140 FDM

jpdeboer1
Level 1
Level 1

‎08-17-2020 01:18 PM

Hello,

 

I am running a cisco FTD 1140 with system software version 6.4.0-102 using FDM to configure the device. Now i have an issue with subinterfaces, i have a Cisco 9500 connecting to the Cisco 1140 FTD with a trunk interface. On the switch i created a vlan inteface with an IP and on the FTD i created a subinterface with the same vlan number. Created a security zone on the FTD and allowed everything on the ACL as a test. But i am not able to ping the subinterface, this is a simple setup to just test the subinterface on the FTD, but for some reason isnt working. Did someone else encounter this issue?

 

Thanks in advance!

0 Helpful
5 Replies 5

Rob Ingram
VIP
VIP

‎08-17-2020 01:26 PM

Hi,
Where are you connected to when you ping this new interface?
As with the ASA, you cannot be connected to one interface and send ICMP traffic through an interface to a far interface, the firewall only responds to ICMP traffic sent to the interface that traffic comes in on.

HTH
0 Helpful

jpdeboer1
Level 1
Level 1
In response to Rob Ingram

‎08-17-2020 01:46 PM

Hi,

 

The cisco 9500 switch is connected as a trunk using port Twe1/0/3 to the cisco FTD 1140 port Eth1/3. Eth1/3 is the parrent interface for the subinterface. Subinterface has vlan 111 configured with ip 10.11.11.1/24 and the Cisco 9500 switch has a VLAN interface 111 with ip 10.11.11.241/24. Vlan 111 is also configured on the switch. But i cant ping between them.

0 Helpful

Marvin Rhoads
Hall of Fame
Hall of Fame
In response to jpdeboer1

‎08-17-2020 10:02 PM

Did you confirm the trucking status on the switch and the spanning-tree forwarding for the VLANs of interest? Are you getting arp table entries on both devices for the other addresses in the subnet?

0 Helpful

jpdeboer1
Level 1
Level 1
In response to Marvin Rhoads

‎08-18-2020 12:42 AM

Hi Marvin,

 

i dont get a mac address when i check arp table:

 

Internet 10.11.11.1 0 Incomplete ARPA

 

See below config

 

FIREWALL
interface Ethernet1/3.111
vlan 111
nameif vmware-management
cts manual
propagate sgt preserve-untag
policy static sgt disabled trusted
security-level 0
ip address 10.11.11.1 255.255.255.0


SWITCH
interface TwentyFiveGigE1/0/3
description Connects AMS-FW1 Eth1/3 SERVERS
switchport trunk allowed vlan 111,300,310,320
switchport mode trunk
load-interval 30

 

interface Vlan111
ip address 10.11.11.241 255.255.255.0
end

 

VLAN0111
Spanning tree enabled protocol rstp
Root ID Priority 32879
Address 5ca6.2dc2.e720
This bridge is the root
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec

Bridge ID Priority 32879 (priority 32768 sys-id-ext 111)
Address 5ca6.2dc2.e720
Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec
Aging Time 300 sec

Interface Role Sts Cost Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Twe1/0/3 Desg FWD 20000 128.3 P2p

0 Helpful

jpdeboer1
Level 1
Level 1
In response to jpdeboer1

‎08-18-2020 05:15 AM

Something strange happened, i made a config change in FDM and deployed it to the device. Deployment got stuck so i rebooted both firewall devices and after that the sub interfaces were working.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card