08-13-2017 10:08 PM - edited 03-12-2019 02:49 AM
Hi,
I have a 3850 PoE switch connected to a 6807XL switch and a 5585 firewall.
On the 6807XL, I have the outside interface VLAN for the management devices;
on the firewall, I have it in transparent mode:
interface TenGigabitEthernet0/8.1102
description SVI-NETWORK-MANAGEMENT-OUT
nameif ADMIN-OUT
bridge-group 1
security-level 0
!
interface TenGigabitEthernet0/9.102
description SVI-NETWORK-MANAGEMENT-IN
nameif ADMIN-IN
bridge-group 1
security-level 100
interface BVI1
description ADMIN-BVI
ip address 10.13.2.4 255.255.255.0 standby 10.13.2.5
!
Access lists are in place (ip any any on both sides) and applied correctly, and a static route is in place too:
access-list ADMIN-OUT extended permit icmp any any
access-list ADMIN-OUT extended permit ip any any
access-list ADMIN-IN extended permit icmp any any
access-list ADMIN-IN extended permit ip any any
access-group ADMIN-OUT in interface ADMIN-OUT
access-group ADMIN-IN in interface ADMIN-IN
route ADMIN-OUT 0.0.0.0 0.0.0.0 10.13.2.1 1 (this ip is the one set up on the 6807XL acting as the interface vlan for this subnet)
Now on the switch I have:
vlan 102
name MGNT
exit
interface Vlan102
description <<< MANAGEMENT VLAN >>>>
ip address 10.13.2.19 255.255.255.0
!
But, from the outside, I cannot reach the switch.
However, if I bypass the firewall, putting the switch in the management VLAN 1102, which is the outside VLAN set up on the 6807XL, it works: I can reach the switch to manage it.
Does anyone have this type of issue, or am I missing something?
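Before taking captures, it helps to confirm that the transparent-mode fragment above is internally consistent: both data interfaces in the same bridge-group, a BVI address for that group, an inbound access-group on each nameif (an ASA drops traffic entering a lower security-level interface towards a higher one unless an ACL permits it), and the default-route gateway inside the BVI subnet. The checker below is an added example, not code from the thread or from Cisco; it parses the posted configuration (embedded as a constructed sample) and reports any of those invariants that fail. Function names are assumptions made here.

```python
import ipaddress

# Constructed sample: the transparent-mode ASA fragment as posted in the thread
# (interfaces, BVI, access-groups and the default route), assembled here so the
# checker runs offline. Values are the ones from the post.
ASA_CONFIG = """\
interface TenGigabitEthernet0/8.1102
 description SVI-NETWORK-MANAGEMENT-OUT
 nameif ADMIN-OUT
 bridge-group 1
 security-level 0
!
interface TenGigabitEthernet0/9.102
 description SVI-NETWORK-MANAGEMENT-IN
 nameif ADMIN-IN
 bridge-group 1
 security-level 100
interface BVI1
 description ADMIN-BVI
 ip address 10.13.2.4 255.255.255.0 standby 10.13.2.5
!
access-list ADMIN-OUT extended permit icmp any any
access-list ADMIN-OUT extended permit ip any any
access-list ADMIN-IN extended permit icmp any any
access-list ADMIN-IN extended permit ip any any
access-group ADMIN-OUT in interface ADMIN-OUT
access-group ADMIN-IN in interface ADMIN-IN
route ADMIN-OUT 0.0.0.0 0.0.0.0 10.13.2.1 1
"""


def parse_asa(text):
    """Extract what a transparent-mode sanity check needs from an ASA config.

    Returns (interfaces, bvis, access_groups, routes):
      interfaces    nameif -> {"bridge_group": int|None, "security": int|None, ...}
      bvis          bridge-group number -> IPv4Interface of BVI<n>
      access_groups nameif -> ACL name applied inbound on it
      routes        list of (nameif, "network mask", IPv4Address gateway)
    """
    blocks, access_groups, routes = [], {}, []
    current = None
    for raw in text.splitlines():
        parts = raw.split()
        if not parts:
            continue
        if parts[0] == "interface":
            name = parts[1]
            current = {"ifname": name, "nameif": None, "bridge_group": None,
                       "security": None, "ip": None,
                       "is_bvi": name.upper().startswith("BVI")}
            if current["is_bvi"]:                      # BVI1 -> bridge-group 1
                current["bridge_group"] = int(name[3:])
            blocks.append(current)
        elif parts[0] == "access-group" and len(parts) >= 5:
            access_groups[parts[4]] = parts[1]         # nameif -> ACL name
            current = None
        elif parts[0] == "route" and len(parts) >= 5:
            routes.append((parts[1], f"{parts[2]} {parts[3]}",
                           ipaddress.IPv4Address(parts[4])))
            current = None
        elif parts[0] == "!":
            current = None
        elif current is not None:                      # sub-commands of a block
            if parts[0] == "nameif":
                current["nameif"] = parts[1]
            elif parts[0] == "bridge-group":
                current["bridge_group"] = int(parts[1])
            elif parts[0] == "security-level":
                current["security"] = int(parts[1])
            elif parts[0] == "ip" and parts[1] == "address":
                current["ip"] = ipaddress.IPv4Interface(f"{parts[2]}/{parts[3]}")
    interfaces = {b["nameif"]: b for b in blocks if b["nameif"] and not b["is_bvi"]}
    bvis = {b["bridge_group"]: b["ip"] for b in blocks if b["is_bvi"] and b["ip"]}
    return interfaces, bvis, access_groups, routes


def check_transparent_config(text):
    """Return a list of findings; an empty list means the invariants hold."""
    interfaces, bvis, access_groups, routes = parse_asa(text)
    findings, members = [], {}
    for nameif, intf in interfaces.items():
        if intf["bridge_group"] is None:
            findings.append(f"{nameif}: no bridge-group, so it cannot bridge in transparent mode")
            continue
        members.setdefault(intf["bridge_group"], []).append(nameif)
    for bg, names in sorted(members.items()):
        if len(names) < 2:
            findings.append(f"bridge-group {bg}: only {names} as member, nothing to bridge to")
        if bg not in bvis:
            findings.append(f"bridge-group {bg}: BVI{bg} has no ip address; "
                            "management of the ASA itself through this group will fail")
    for nameif in interfaces:
        if nameif not in access_groups:
            findings.append(f"{nameif}: no access-group applied; traffic entering here "
                            "towards a higher security-level interface is denied by default")
    for nameif, network, gateway in routes:
        bg = interfaces.get(nameif, {}).get("bridge_group")
        bvi = bvis.get(bg)
        if bvi is not None and gateway not in bvi.network:
            findings.append(f"route {network} via {nameif}: gateway {gateway} "
                            f"is outside the BVI{bg} subnet {bvi.network}")
    return findings


if __name__ == "__main__":
    print(check_transparent_config(ASA_CONFIG) or ["config consistent"])
```

On the posted fragment the checker returns no findings, which is consistent with the policy side being correct; that leaves the physical and layer 2 path, which is exactly where the accepted answer starts.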
08-14-2017 02:48 AM
I have built this topology from the info you have provided. I would troubleshoot it like this:
1- Check ARP at the device I start the ping from to see if layer 2 connectivity is there and that the TFW is doing the bridging function.
2- Move to the ASA and do packet captures like this:
ingress interface captures
https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/118097-configure-asa-00.html
asp drop captures to detect dropped packets
cap asp type asp-drop all
3- logs from the ASA:
logging buffered debugging
test and then show logging
Moh,
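The three steps above (ARP at the source, ingress and asp-drop captures, buffered logging) each produce text that has to be read together before deciding whether the problem is below the firewall or in its policy. The script below is an added example, not code from the reply or from Cisco: it runs over constructed ASA syslog lines (message IDs 106023, 302020 and 302021 are real ASA message types; addresses are the ones in the thread) and constructed asp-drop capture lines, and tells you which layer to look at next. The function names, the exact spacing of the capture lines and the verdict labels are assumptions made here.

```python
import re
from collections import Counter

# Constructed syslog lines in the shape 'show logging' prints after
# 'logging buffered debugging'. First set: the management host is denied by
# the ADMIN-OUT ACL. Second set: only the BVI address is ever mentioned.
SYSLOG_POLICY_DROP = [
    '%ASA-4-106023: Deny icmp src ADMIN-OUT:10.13.2.50 dst ADMIN-IN:10.13.2.19 '
    '(type 8, code 0) by access-group "ADMIN-OUT" [0x0, 0x0]',
    '%ASA-6-302020: Built inbound ICMP connection for faddr 10.13.2.50/0 '
    'gaddr 10.13.2.4/0 laddr 10.13.2.4/0',
]
SYSLOG_NOTHING_FOR_TARGET = [
    '%ASA-6-302020: Built inbound ICMP connection for faddr 10.13.2.50/0 '
    'gaddr 10.13.2.4/0 laddr 10.13.2.4/0',
    '%ASA-6-302021: Teardown ICMP connection for faddr 10.13.2.50/0 '
    'gaddr 10.13.2.4/0 laddr 10.13.2.4/0',
]
# Constructed 'show capture asp' style lines; only the Drop-reason field is parsed.
CAPTURE_POLICY_DROP = [
    '1: 09:12:01.123456 10.13.2.50 > 10.13.2.19 icmp: echo request '
    'Drop-reason: (acl-drop) Flow is denied by configured rule',
]
CAPTURE_EMPTY = []

MSGID_RE = re.compile(r"%ASA-\d-(\d+):")
DENY_RE = re.compile(r'%ASA-\d-106023: Deny (\S+) src (\S+) dst (\S+) .*by access-group "([^"]+)"')
DROP_RE = re.compile(r"Drop-reason: \(([^)]+)\)")

# Assumed verdict labels and the step each one points back to.
NEXT_STEP = {
    "policy": "ASA saw and dropped the flow: fix the ACL / asp-drop reason shown",
    "forwarded": "ASA saw the flow and did not drop it: look beyond the firewall (inside switch, host)",
    "layer2": "ASA never saw traffic for this host: check ARP, cabling and VLAN tags (step 1)",
}


def mentions(line, ip):
    """True if the exact address appears in the line (not as part of a longer one)."""
    return re.search(rf"(?<![\d.]){re.escape(ip)}(?![\d.])", line) is not None


def triage(syslog_lines, capture_lines, target_ip):
    """Summarise what the ASA recorded about target_ip and pick the next step."""
    summary = {"target_seen": False, "denies": [],
               "msg_ids": Counter(), "drop_reasons": Counter()}
    for line in syslog_lines:
        m = MSGID_RE.search(line)
        if m:
            summary["msg_ids"][m.group(1)] += 1
        if not mentions(line, target_ip):
            continue
        summary["target_seen"] = True
        d = DENY_RE.search(line)
        if d:
            proto, src, dst, acl = d.groups()
            summary["denies"].append({"proto": proto, "src": src, "dst": dst, "acl": acl})
    for line in capture_lines:
        if not mentions(line, target_ip):
            continue
        summary["target_seen"] = True
        d = DROP_RE.search(line)
        if d:
            summary["drop_reasons"][d.group(1)] += 1
    if summary["denies"] or summary["drop_reasons"]:
        summary["verdict"] = "policy"
    elif summary["target_seen"]:
        summary["verdict"] = "forwarded"
    else:
        summary["verdict"] = "layer2"
    summary["next_step"] = NEXT_STEP[summary["verdict"]]
    return summary


if __name__ == "__main__":
    for name, logs, caps in (("policy case", SYSLOG_POLICY_DROP, CAPTURE_POLICY_DROP),
                             ("silent case", SYSLOG_NOTHING_FOR_TARGET, CAPTURE_EMPTY)):
        s = triage(logs, caps, "10.13.2.19")
        print(f"{name}: verdict={s['verdict']} -> {s['next_step']}")
```

The second constructed case, where nothing in the logs or the capture mentions the switch's address, is the pattern the thread ends with: no traffic reaching the ASA at all, which points at the cable rather than the policy.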
08-14-2017 06:16 AM
Thank you,
Let me make the steps today and let you know the findings asap, thanks for your assistance,
Regards
08-15-2017 06:34 PM
Thank you Mohammad,
I was able to determine the root cause based on your troubleshooting steps: there was no layer 2 traffic, because we had to certify the patch cord that we were using, since we used the capture and no traffic was passing by.
Thanks for your help. I had to post another question; maybe you can help me too.
regards