10-08-2007 09:25 PM - edited 03-11-2019 04:22 AM
Hello.
I have this ASA with 2 context sharing the outside interface. No matter what I do, there is no communication on the outside interface.
The sample topology is very simple: the eth0/0 interface of the ASA is connected to VLAN4. On that VLAN4 there is only 1 router.
Here is a sample of the config:
!
!******************* ASA SYSTEM CONTEXT
!
mac-address auto
!
interface Ethernet0/0
!
interface Ethernet0/0.3
vlan 3
!
interface Ethernet0/0.4
vlan 4
!
interface Ethernet0/1
!
interface Ethernet0/2
!
interface Ethernet0/3
!
interface Management0/0
shutdown
!
admin-context admin
context admin
config-url disk0:/admin.cfg
!
context C2
allocate-interface Ethernet0/0.3-Ethernet0/0.4 visible
allocate-interface Ethernet0/2 visible
config-url disk0:/c1.cfg
!
context C1
allocate-interface Ethernet0/0.4 visible
allocate-interface Ethernet0/1 visible
config-url disk0:/c2.cfg
!
!
!******************* ASA Context "C1"
!
!
interface Ethernet0/2
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface Ethernet0/0.3
nameif DMZ
security-level 10
ip address 192.168.2.1 255.255.255.0
!
interface Ethernet0/0.4
nameif outside
security-level 0
ip address 192.168.3.1 255.255.255.0
!
!
!******************* ASA Context "C2"
!
!
interface Ethernet0/0.4
nameif outside
security-level 0
ip address 192.168.3.2 255.255.255.0
!
interface Ethernet0/1
nameif inside
security-level 100
ip address 192.168.4.2 255.255.255.0
!
!
!
!
!******************* SW Config.
!
!
!
hostname SW3
!
interface FastEthernet0/2
description **************************** R2 F1/1
switchport access vlan 4
switchport mode access
!
interface FastEthernet0/10
description ************************** ASA eth 0/0
switchport trunk encapsulation dot1q
switchport trunk native vlan 4
switchport trunk allowed vlan 3,4
switchport mode trunk
!
interface Vlan4
ip address 192.168.3.203 255.255.255.0
!
!
!
!
!******************* Router Config.
!
!
!
hostname R2
!
!
interface FastEthernet1/1
no switchport
ip address 192.168.3.3 255.255.255.0
!
TROUBLESHOOTING PROCESS:
1. A ping from R2 to SW3 responded fine.
2. A ping from SW3 to R2 responded fine.
3. A ping from C1 or C2 to SW3 has no response.
4. A ping from C1 or C2 to R2 has no response.
5. A ping from SW3 to C1 or C2 has no response.
6. A ping from R2 to C1 or C2 has no response.
7. Neither C1 nor C2 ever gets an ARP entry from SW3 or from R2.
8. SW3 and R2 never get any ARP entry from C1 or C2. Be aware the ASA interfaces have unique MAC addresses.
9. I found the bug "CSCsf10248" but it was fixed on 7(2)2. ASA is running 7(2)2.
10. I type in the ARP entry of the ASA-C1-Outside interface on the SW3 but nothing.
11. I've tried this on different labs with different devices running the same OS, but nothing.
12. I enabled "DEBUG ARP" on the ASA, SW3 and R2 to find out. What I found is that when I type in the C1-OUTSIDE IP address, the ASA broadcasts that information into VLAN4. SW3 and R2 get the info but never add it to the ARP table. Then, when there is a ping from ASA-C1 to R2, the "arp-request" gets broadcast and R2 replies to the packet, BUT SW3 does not send it to ASA-C1.
13. VTP is enabled and in sync. Be aware R2 and the ASA are on the same SW3.
14. If I allocate ETHERNET0/0 to C1 and use it as the outside interface (without sharing it), without changing anything else on SW3 and R2, there is perfect communication.
15. I changed the R2 port to "TRUNK" but nothing.
16. I took out the VLAN filter of the ASA-Eth0 port, permitting all the VLANs, but nothing.
The attached file has more detailed information.
I appreciate any Hint/help/advice.
10-09-2007 07:13 AM
I see that your ASA has a single outside interface (e0/0) on which you have correctly designated sub interfaces (e0/0.3 and .3), which you have assigned to vlans, and you state the ASA interface is connected to the router fa1/1.
I would recommend changing the router interface to reflect the sub interfaces / vlans you have configured on the ASA.
You see, the ASA is talking dot1q now out that interface and the router is not; the router, according to your config, is just talking ethernet with no vlans.
This link and the diagram show you visually what I am saying.
10-25-2007 02:34 PM
JUST TO DOCUMENT THIS CONVERSATION FOR OTHERS OUT THERE:
I found the problem.... AN ASA BUG. The issue was not with the multiple context shared interface BUT with the "vlan" configuration and the "switchport trunk native vlan" id being the same.
I found the bug id "CSCsj96350". The bug is for the ASA5505; however, I followed the workaround... and it worked for my 5510. So if the switch port where the ASA is connected has the same "trunk native vlan id" as the "vlan id" of the ASA, the ASA WILL NOT TAG them... leaving no communication on that network.
I tested on 7.2(2) but nothing else.
Regards,
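As an added example (not part of the original thread), the following Python script parses an ASA system-context config and the facing IOS switch config and flags exactly the condition described above: an ASA subinterface whose dot1q VLAN id equals the native VLAN of the trunk toward the ASA, where frames travel untagged. The two config fragments are constructed to mirror the thread; the IOS default native VLAN of 1 is assumed when none is set.

```python
"""Detect ASA subinterface VLAN / switch trunk native VLAN collisions.

Added example modelled on the thread: the configs below are constructed,
not copied from a live device.
"""
import re

# Constructed ASA system-context fragment (subinterfaces and their tags).
ASA_SYSTEM_CFG = """\
interface Ethernet0/0.3
 vlan 3
!
interface Ethernet0/0.4
 vlan 4
!
"""

# Constructed IOS switch fragment for the port facing the ASA.
SWITCH_CFG = """\
interface FastEthernet0/10
 description ASA eth 0/0
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 4
 switchport trunk allowed vlan 3,4
 switchport mode trunk
!
"""

def asa_subinterface_vlans(cfg):
    """Map ASA subinterface name -> dot1q VLAN id ('interface X.Y' + 'vlan N')."""
    vlans = {}
    for block in re.split(r"^interface ", cfg, flags=re.M)[1:]:
        name = block.split("\n", 1)[0].strip()
        m = re.search(r"^\s*vlan (\d+)", block, flags=re.M)
        if "." in name and m:
            vlans[name] = int(m.group(1))
    return vlans

def trunk_native_vlans(cfg):
    """Map switch trunk port -> native VLAN id (IOS default is VLAN 1)."""
    natives = {}
    for block in re.split(r"^interface ", cfg, flags=re.M)[1:]:
        name = block.split("\n", 1)[0].strip()
        if "switchport mode trunk" not in block:
            continue  # access ports carry no tags at all; not relevant here
        m = re.search(r"switchport trunk native vlan (\d+)", block)
        natives[name] = int(m.group(1)) if m else 1
    return natives

def native_vlan_collisions(asa_cfg, switch_cfg):
    """Return (asa_subif, trunk_port, vlan) for every tagged ASA VLAN that the
    facing trunk sends untagged as its native VLAN."""
    asa = asa_subinterface_vlans(asa_cfg)
    natives = trunk_native_vlans(switch_cfg)
    return sorted((subif, port, vid) for subif, vid in asa.items()
                  for port, native in natives.items() if vid == native)

if __name__ == "__main__":
    for subif, port, vid in native_vlan_collisions(ASA_SYSTEM_CFG, SWITCH_CFG):
        print(f"{subif} tags VLAN {vid} but {port} sends VLAN {vid} untagged (native)")
```

Moving the trunk's native VLAN to an id the ASA does not tag (as the thread's workaround does) makes the collision list empty.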
03-27-2008 02:18 PM
03-27-2008 02:40 PM
greivin
well done on your find and thanks for the update.
Franco