
FTD VLAN Traffic not passing

Joshua Turner
Cisco Employee

I have an FP2110 running 6.2.2 with 2 sub-interfaces (vlan11 and vlan99) on physical interface 2. I have a C9300 connected trunked to the FP and two laptops connected to switch ports that are assigned to vlan 11 and vlan 99.


FTD vlan 99 - 192.168.10.1 (laptop 192.168.10.2)

FTD vlan 11 - 192.168.11.1 (laptop 192.168.11.2)

FTD Outside 172.16.1.1

Cat 9300 - Vlan11 and vlan 99 assigned to ports 3 and 5 respectively.

Remote Router -172.16.1.2

Router loopback 192.168.168.1


My laptop on vlan 99 can ping the FTD interface, Remote Router and Router loopback with no issues, but it can't ping the laptop on vlan 11. I can ping the laptop from the router loopback with no issues.


Laptop on vlan 11 can't ping its GW of 192.168.11.1 or anything else.


I have an access policy for ANY ANY ANY ANY across the board for testing.


Any idea why the traffic will not pass on vlan 11?


2 Replies

Ajay Saini
Level 7
Hello,

Could you please attach a rough topology diagram. I think the issue here is why the laptop in vlan 11 is not able to ping the gateway, which is 192.168.11.1. Either we are missing something very simple here or there is a misconfig. Can you double check the Firepower VLAN tag and the Nexus 9k interface config, making sure we are passing vlan 11 through the trunk. Also, as a test, configure an SVI with a dummy IP like 192.168.11.11 on the Nexus 9k and see if you are able to ping it from the laptop in the same VLAN.

On a side note, to be able to ping the interface IP of the Firepower, I had to configure the Threat Defense policy under Platform Settings to be able to ping the interface initially. Now I have an ICMP rule created for all the interfaces to be able to ping them from connected devices. There is no clear document, but this was needed in my case. Attaching a screenshot for reference.

Regards,
AJ
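For reference, here is the switch side of the setup described in the thread, written out as an added example; it is not configuration posted by either participant, and the thread itself uses a Catalyst 9300 (AJ's reply says "Nexus 9k", but the syntax below is Catalyst IOS-XE). The interface numbers are assumptions: the original post only says the laptops are on "ports 3 and 5" and that the FTD sub-interfaces live on physical interface 2. The test SVI follows AJ's suggestion. One caveat worth checking alongside the VLAN tag: neither VLAN should be the trunk's native VLAN, because FTD sub-interfaces only match tagged frames, so an untagged VLAN 11 would never reach the vlan11 sub-interface.

```ios
! Added example, not from the original thread. Interface numbers are assumed.
vlan 11
 name FTD-VLAN11
vlan 99
 name FTD-VLAN99
!
! Trunk toward the FP2110 physical interface that carries the vlan11/vlan99 sub-interfaces.
! Both VLANs must be tagged on this link; leave the native VLAN at its default (1).
interface GigabitEthernet1/0/1
 description Trunk to FP2110 Ethernet1/2 (sub-interfaces vlan11, vlan99)
 switchport mode trunk
 switchport trunk allowed vlan 11,99
 no shutdown
!
! Access ports for the two laptops (assumed to be Gi1/0/3 and Gi1/0/5 per "ports 3 and 5")
interface GigabitEthernet1/0/3
 description Laptop 192.168.11.2 (VLAN 11, FTD GW 192.168.11.1)
 switchport mode access
 switchport access vlan 11
 spanning-tree portfast
 no shutdown
!
interface GigabitEthernet1/0/5
 description Laptop 192.168.10.2 (VLAN 99, FTD GW 192.168.10.1)
 switchport mode access
 switchport access vlan 99
 spanning-tree portfast
 no shutdown
!
! Temporary test SVI per AJ's suggestion. If the laptop can ping 192.168.11.11 but not
! 192.168.11.1, the VLAN is fine on the switch and the fault is on the FTD side
! (sub-interface VLAN ID, interface enabled, or ICMP not permitted in Platform Settings).
! Remove it once the test is done so it does not compete with the FTD as a gateway.
interface Vlan11
 description TEST ONLY - remove after troubleshooting
 ip address 192.168.11.11 255.255.255.0
 no shutdown
!
! Verification commands:
!   show interfaces trunk            - VLANs 11 and 99 must appear as allowed AND active on Gi1/0/1
!   show vlan brief                  - Gi1/0/3 in VLAN 11, Gi1/0/5 in VLAN 99
!   show mac address-table vlan 11   - laptop MAC on Gi1/0/3 and the FTD MAC on Gi1/0/1
!                                      (no FTD MAC means frames are not coming back tagged 11)
```

Having the FTD MAC appear in `show mac address-table vlan 11` is the quickest way to prove the FTD is actually sourcing tagged frames for that VLAN; if only the laptop MAC shows up, the problem is upstream of the switch, which in this thread turned out to be the laptop's own Ethernet adapter rather than the trunk.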

1st problem solved. Bad Ethernet dongle on my MacBook. Sheesh! Now, if I have the default Access Policy set to allow, everything can ping everything as expected.

 

Locking down via ACL, I'm creating zones for each VLAN and then creating the appropriate policy to allow bidirectional traffic between zones.

 

One thing I noticed is that after creating the ACLs to allow the VLANs to communicate with no issues, the laptops can't communicate across the WAN, so I've got to play with that a bit today. Thanks
