Hosts reside under Port channel subinterfaces of ASA 5525 could not reach each other

leogxn
Level 1

Hi, I had some trouble getting the ASA sub-interfaces to reach each other.

 

Here is the topology diagram description:

One 9300 SW has ports 47 and 48 linked to ASA 5525 ports 1 and 2 via a port channel. I created two sub-interfaces on the ASA under Po1, po1.11 and po1.110, and gave each a VLAN id, a nameif and security level 100.

 

I would like both sub-interfaces to be able to access each other temporarily, so that a host under one VLAN can reach a host in the other VLAN.

 

I believe I have missed something on the ASA. If anyone can help, it will be very much appreciated.

 

PCCDSSFW1# show inter ip bri
Interface            IP-Address     OK? Method Status Protocol
GigabitEthernet0/1   unassigned     YES unset  up     up
GigabitEthernet0/2   unassigned     YES unset  up     up
Port-channel1        unassigned     YES unset  up     up
Port-channel1.11     10.71.1.1      YES manual up     up
Port-channel1.110    10.10.10.124   YES manual up     up

 

PCCDSSFW1# ping 10.71.1.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.71.1.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

PCCDSSFW1# ping 10.10.10.124
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.10.124, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms


It CANNOT be reached if I specify the interface of 10.10.10.124 as the source:
PCCDSSFW1# ping
TCP Ping [n]:
Interface: MGMTNet
Target IP address: 10.71.1.1
Repeat count: [5]
Datagram size: [100]
Timeout in seconds: [2]
Extended commands [n]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.71.1.1, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
PCCDSSFW1#

 

Here are the configurations:

FW ASA5525:

interface GigabitEthernet0/1
channel-group 1 mode on
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/2
channel-group 1 mode on
no nameif
no security-level
no ip address
!

interface Port-channel1
lacp max-bundle 8
no nameif
no security-level
no ip address
no split-horizon eigrp 1
!
interface Port-channel1.11
vlan 11
nameif PCCDSSNet
security-level 100
ip address 10.71.1.1 255.255.255.0
!
interface Port-channel1.110
vlan 110
nameif MGMTNet
security-level 100
ip address 10.10.10.124 255.255.255.128

!

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

!

icmp permit any PCCDSSNet
icmp permit any MGMTNet

!

Switch C9300:

interface Port-channel2
switchport mode trunk
!

interface GigabitEthernet1/0/47
switchport mode trunk
channel-group 2 mode on
!
interface GigabitEthernet1/0/48
switchport mode trunk
channel-group 2 mode on
!

Accepted Solution

Run this command:
packet-tracer input PCCDSSNet tcp 10.71.1.5 1234 10.10.10.10 80 detail

The reason it shows that it is not pinging is because you are using the ASA interface to ping. Use a client IP address on both sides, or an SVI on the switch if there is one.

Config looks OK.
Please do not forget to rate.

4 Replies


@Sheraz.Salim wrote:
Run this command:
packet-tracer input PCCDSSNet tcp 10.71.1.5 1234 10.10.10.10 80 detail

The reason it shows that it is not pinging is because you are using the ASA interface to ping. Use a client IP address on both sides, or an SVI on the switch if there is one.

Config looks OK.

Thank you for the answer Radio_City. It's weird that today everything works after a couple of attempts: removing "any any" and adding subsets. Right now I have added "any any" back and they are still working.

Here is where I ran the packet-tracer command, and the traffic was allowed.

PCCDSSFW1# packet-tracer input PCCDSSNet tcp 10.71.1.12 1234 10.10.10.5 80 detail
Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop 10.10.10.5 using egress ifc MGMTNet

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group PCCDSSNET_ACCESS_IN in interface PCCDSSNet
access-list PCCDSSNET_ACCESS_IN extended permit ip any any
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaac97e0280, priority=13, domain=permit, deny=false
hits=4256, user_data=0x2aaabdc3c8c0, cs_id=0x0, use_real_addr, flags=0x0 , protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=PCCDSSNet, output_ifc=any

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaac7ee4080, priority=0, domain=nat-per-session, deny=false
hits=10624, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Forward Flow based lookup yields rule:
in id=0x2aaac8d5f990, priority=0, domain=inspect-ip-options, deny=true
hits=4364, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=PCCDSSNet, output_ifc=any

Phase: 5
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group MGMTNET_ACCESS_OUT out interface MGMTNet
access-list MGMTNET_ACCESS_OUT extended permit ip any any
Additional Information:
Forward Flow based lookup yields rule:
out id=0x2aaac97e8fb0, priority=13, domain=permit, deny=false
hits=4, user_data=0x2aaabdc3d340, cs_id=0x0, use_real_addr, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=MGMTNet

Phase: 6
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x2aaac7ee4080, priority=0, domain=nat-per-session, deny=false
hits=10626, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=6
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=any, output_ifc=any

Phase: 7
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
Reverse Flow based lookup yields rule:
in id=0x2aaac975a860, priority=0, domain=inspect-ip-options, deny=true
hits=13192, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any
dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=any, dscp=0x0
input_ifc=MGMTNet, output_ifc=any

Phase: 8
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 22781, packet dispatched to next module
Module information for forward flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Module information for reverse flow ...
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat

Result:
input-interface: PCCDSSNet
input-status: up
input-line-status: up
output-interface: MGMTNet
output-status: up
output-line-status: up
Action: allow

Kindly, could you please rate this if you think I was helpful.

 

Regards

please do not forget to rate.
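The packet-tracer transcript above is what actually tells you which phase and which rule decided the flow, and that is the check to run whenever a same-security-level pair is opened up "temporarily". As an added example (my code, not the thread's or Cisco's), here is a small Python parser for the `detail` output: it splits the phases, finds the first phase whose result is not ALLOW, pulls the final action and any `Drop-reason:` line, and flags ACL phases that matched a blanket `permit ip any any`, so that the any/any rules the poster toggled do not quietly stay in place. Both transcripts inside are constructed: the allow case is abridged from the thread, the drop case is hypothetical (an inbound ACL with no matching permit, so the implicit deny fires).

```python
"""Parse Cisco ASA `packet-tracer ... detail` output and report where a flow is
allowed or dropped.  Added example for this thread, not Cisco's or the poster's
code; both transcripts are constructed (allow case abridged from the thread)."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

SAMPLE_ALLOW = """\
PCCDSSFW1# packet-tracer input PCCDSSNet tcp 10.71.1.12 1234 10.10.10.5 80 detail
Phase: 2
Type: ACCESS-LIST
Result: ALLOW
Config:
access-group PCCDSSNET_ACCESS_IN in interface PCCDSSNet
access-list PCCDSSNET_ACCESS_IN extended permit ip any any
Additional Information:
Forward Flow based lookup yields rule:

Result:
input-interface: PCCDSSNet
output-interface: MGMTNet
Action: allow
"""

# Hypothetical: no permit matches on the inbound ACL, so the implicit deny fires.
SAMPLE_DROP = """\
Phase: 1
Type: ACCESS-LIST
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: PCCDSSNet
output-interface: MGMTNet
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

@dataclass
class Phase:
    number: int
    kind: str        # ROUTE-LOOKUP, ACCESS-LIST, NAT, FLOW-CREATION, ...
    result: str      # ALLOW or DROP
    config: List[str] = field(default_factory=list)   # lines under "Config:"
    info: List[str] = field(default_factory=list)     # "Additional Information:"

@dataclass
class Trace:
    phases: List[Phase] = field(default_factory=list)
    input_interface: str = ""
    output_interface: str = ""
    action: str = ""
    drop_reason: Optional[str] = None

def _parse_phase(lines: List[str]) -> Phase:
    hdr = {"Phase": "", "Type": "", "Result": ""}
    config, info, section = [], [], None
    for line in lines:
        key, _, value = line.partition(":")
        if section is None and key in hdr:      # header keys; Subtype is ignored
            hdr[key] = value.strip()
        elif line == "Config:":
            section = config
        elif line == "Additional Information:":
            section = info
        elif section is not None:
            section.append(line)
    return Phase(int(hdr["Phase"]), hdr["Type"], hdr["Result"].upper(), config, info)

def parse_packet_tracer(text: str) -> Trace:
    """Blank lines separate the "Phase: N" blocks and the final "Result:" block."""
    trace = Trace()
    for raw in re.split(r"\n\s*\n", text.strip()):
        block = [l.strip() for l in raw.splitlines() if l.strip()]
        start = next((i for i, l in enumerate(block) if l.startswith("Phase:")), None)
        if start is not None:          # slicing also drops an echoed command line
            trace.phases.append(_parse_phase(block[start:]))
        elif block[0] == "Result:":
            kv = {k.strip().lower(): v.strip()
                  for k, _, v in (l.partition(":") for l in block[1:])}
            trace.input_interface = kv.get("input-interface", "")
            trace.output_interface = kv.get("output-interface", "")
            trace.action = kv.get("action", "").lower()
            trace.drop_reason = kv.get("drop-reason")
    return trace

def first_denying_phase(trace: Trace) -> Optional[Phase]:
    return next((p for p in trace.phases if p.result != "ALLOW"), None)

def overly_broad_permits(trace: Trace) -> List[Tuple[int, str]]:
    return [(p.number, c) for p in trace.phases if p.kind == "ACCESS-LIST"
            for c in p.config if "permit ip any any" in c]

def summarize(trace: Trace) -> str:
    verdict = f"{trace.input_interface} -> {trace.output_interface}: {trace.action}"
    p = first_denying_phase(trace)
    return verdict if p is None else f"{verdict}; stopped at phase {p.number} {p.kind}: {'; '.join(p.config) or p.result}"
```

Paste the whole output of `packet-tracer ... detail`, prompt line included, into `parse_packet_tracer`; the echoed command line and the `Module information` blocks are skipped. `summarize` gives the one-line verdict, and `overly_broad_permits` is the line to look at before declaring a "temporary" any/any rule done.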