Solved: New WAN outside interface doesn't work!

ipv6x · ‎09-30-2022

Hello,

At my work we have buy new wan connection.

The topology is

SW_Core ----->FTD---->Outside wan1-2-3

in the SW_Core are 3 vlan:
WAN1

WAN2

WAN3

From the FTD,
WAN1 ----> can ping wan1 gw

WAN2 ---> can ping wan2 gw

WAN3 ---> cannot ping wan3 gw.

and i don't now why?

any idea?

Regards,

Aref Alsouqi · ‎09-30-2022

From the output I see the ARP gets resolved so it should work. I would try to connect the FTD interface directly to the WAN3 router and see if it works, or at least try to clear the ARP table on the router by disconnecting the cable that is connected to the switch.

View solution in original post

Aref Alsouqi · ‎09-30-2022

I would check the ARP entries on the FTD, and if it shows incomplete I would try to reach out to the ISP. I personally experienced a couple of similar issues where the ISP was adding a VLAN ID tag on the interface connected to the firewall. In that case I had to create the sub-interfaces before I got it to work. Another thing you can try to do is to connect the WAN3 ISP router directly to the firewall and see if that makes any difference, if so, the issue might be related to something missing on the switch.

ipv6x · ‎09-30-2022

Hi @Aref Alsouqi ,

Thank you for the reply, I have a test with my laptop I have put on VLAN wan3 assigned static public IP and it worked. Or in the FTD is another question? I try arp but nothing show on FTD CLI.

MHM Cisco World · ‎09-30-2022

Yes but laptop send untag traffic, FTD send tag traffic and SW can't know that tag FTD add.
here you must sure the tag is match and trunk all new WAN VLAN.

ipv6x · ‎09-30-2022

Hi @MHM Cisco World ,

yes, and all the VLAN WANs have the same tag trk1.

MHM Cisco World · ‎09-30-2022

can you share the config of SW and FTD ?

Aref Alsouqi · ‎09-30-2022

Did you connect your laptop directly to the WAN3 router or to a switch port in WAN3 VLAN? if you connected it directly to the WAN3 router then it would mean there is some issues on the WAN3 VLAN switch ports configs. Could you please share the sanitized switch ports configs and a quick draft diagram for review?

If you have a single physical connection between the FTD and the switch, then the FTD must have the VLAN IDs assigned to its sub-interfaces that match whatever VLAN IDs you configured on the switch. And from the switch ports perspective, the link between the switch and the FTD must be configured in trunk allowing all those three VLANs, and then the switch ports connected to the ISP routers must be configured in access mode and placed into their respective VLAN.

An exception of the above, would be if you don't configure a VLAN ID on the FTD for one of those three links, and you decide to use the main physical interface for it, then in that case you must configure the native VLAN on the switch trunk link to be the VLAN that is matching whatever you configured on the FTD main interface. For example, you can have WAN1 and 2 configured as sub-interfaces on the FTD, where VLAN tagging is required, and WAN3 configured on the physical interface of the FTD where tagging is not required.

ipv6x · ‎09-30-2022

The configuration is:

FTD-----SWCORE-----WAN1-2-3

FTD have configured 3 interfaces

G0/1 ---> WAN1

G0/2 ---> WAN2

G0/3 ---> WAN 3

in the switch they are connected to port with vlan wan1-2-3 and and they configured like access and tagged with trunk. see the photos

MHM Cisco World · ‎09-30-2022

are the issue with WAN-2 (VLAN31)?
if yes
then you need to make VLAN UP/UP
and you can use no autostate to make VLAN UP always
https://www.cisco.com/c/en/us/support/docs/switches/catalyst-6500-series-switches/41141-188.html

ipv6x · ‎09-30-2022

The WAN2 is down because the secondary FTD is upgrading status.

And we have ARUBA switches.

Aref Alsouqi · ‎09-30-2022

Are you using a dedicate interface on the FTD (as per dia.png file) for each circuit? how did you configure the firewall ports? as sub-interfaces or physical? Based on the dia.png diagram I don't think you need to worry about tagging/trunk at all. You can just configure the firewall physical interfaces and set the switch ports where the firewall interfaces are connected in access mode in their respective VLANs.

ipv6x · ‎09-30-2022

In the FTD i am using physical interfaces and on the sw_core they are configured access port with respective Vlans.

MHM Cisco World · ‎09-30-2022

just one more think to check
you config VLAN in SW with for example port g0/x
are you sure the FTD is connect to this port ?

Aref Alsouqi · ‎09-30-2022

Mmm, can't think of why it shouldn't work then. Can you please try to connect your laptop to a switch port in WAN3 VLAN and try to ping the FTD, and ping the laptop from the FTD?

ipv6x · ‎09-30-2022

yes I can ping from the laptop to FTD and vice-versa, also from the laptop I can ping the gw of the isp router, but from FTD I cannot and i don't know why this?