Trying to replace ASA5505 with FP1010 fails networking with C3750

I want to replace an ASA5505 which is connected to a Trunk Port on a Cat 3750. The FP1010 runs SSP Operating System Version 2.10(1.162), and Cisco Adaptive Security Appliance Software Version 9.16(2) on top.

 

5505:

interface Ethernet0/0
 switchport trunk allowed vlan 1-6,8-9
 switchport trunk native vlan 1
 switchport mode trunk

3750:

interface GigabitEthernet1/0/24
 description ASA Trunk
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1-4,6,8,9
 switchport mode trunk
 load-interval 60
 priority-queue out 
 mls qos trust cos
 flowcontrol receive desired
 storm-control broadcast level 1.00 0.50

 

Switch configuration stays the same.

 

Note: This is the first time I'm dealing with the new "FP" style ASA. I've done numerous successful migrations from older to newer ASA hardware (and thus newer OS releases) in the past, though.

 

FP1010:

interface Ethernet1/1
 switchport
 switchport trunk allowed vlan 1-6,8-9
 switchport trunk native vlan 1
 switchport mode trunk

 

Apart from my having cleaned up VLANs along the way, I observed the switch emitting EIGRP errors:

May 20 14:00:49: EIGRP-IPv4(59): Neighbor 172.31.59.2 not on common subnet for Vlan1

The said subnet is configured on Interface Vlan 6 on the FP1010 (and the ASA5505). It seems that the FP1010 doesn't add VLAN tags?

 

Also, I can't ping the Vlan1 address of the FP1010 from the local network segment.

 

Am I doing something wrong here? I have not the faintest idea what's going on. Ideas what to check welcome!

1 Accepted Solution

Accepted Solutions

The last few days, I have been able to debug this issue further. Part of this was to leave my 5505 active in the basement, connected to the 3750, while the FP-1010 is connected to my venerable Cat 2950's G0/2 1000BASE-T transceiver module. (Both switches are connected through a fibre connection which has worked flawlessly for over a decade.) The 2950 is located in another room where I also have a 2511 configured as console server. This allows me to work from my main workplace and switch between both devices with a simple (no) shut of the switchports being used.

 

My first finding was that although Cisco describes the switch module configuration as being the same as with the 5505, I was required to set my uplink port to "no switchport" and apply a standard subinterface configuration for VLANs to it. That works.

 

 

interface Ethernet1/1
 no switchport
 nameif inside
 security-level 100
 ip address 192.168.xx.xx 255.255.255.0 
!
interface Ethernet1/1.2
 vlan 2
 nameif cookies
 security-level 50
 ip address xxx.xxx.xxx.xxx 255.255.255.xxx 
 ipv6 address xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx/64
 ipv6 enable
 ipv6 nd ra-lifetime 300
 ipv6 nd prefix default 1800 600
!

 

The configuration before was the same as with the 5505. I had not posted the "interface Vlan1" configuration, which is basically the same as with Ethernet1/1 above: nameif, security-level, ip address (and no shutdown). I can't see anything wrong on my side, so I assume I'm hitting a bug here.

 

The next interesting point is that reloading the FP-1010 on the Cat2950 works flawlessly (although booting takes *much* too long, for my taste). In the course of the boot process, there are two or three transitions of Ethernet1/1 from down to up and back down. When connecting the FP-1010 to my 3750, I get a link once and then never again. I need to shut down the interface on the FP-1010 and no shut it no earlier than one minute later. Then I get a link and everything works as expected. Reseating/exchanging the connecting cable didn't change the described behavior. Changing the connection to a different port on the FP-1010 or the 3750 didn't change the described behavior.

 

This also doesn't seem to be a configuration issue but a bug when using an FP-1010 on a Cat 3750G-1U switch.

 

Maybe this helps someone with similar issues.

 

I do not yet have a support contract, but I'll open a TAC case when I do. Isn't it insolent of Cisco to charge people money for helping them get their buggy stuff fixed?

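The two things this thread turns on are (a) whether the VLANs allowed on each end of the trunk actually match, and (b) turning the 5505's "interface VlanN" SVIs into the routed-subinterface layout the accepted answer ended up with. The script below is an added example, not code from the thread or from Cisco: the sample configs are constructed from what was posted, the SVIs for VLAN 2 and VLAN 6 are filled in from the poster's description with placeholder addresses, the "transit" nameif and the /30 mask on VLAN 6 are assumptions, and the config parsing is the minimal regex kind that works on pasted snippets, not a general IOS/ASA parser.

```python
"""Added example (not from the thread): helpers for an ASA 5505 -> FP1010
cut-over.  trunk_mismatch() lists VLANs one end of the trunk allows but the
other prunes; vlan_to_subinterfaces() rewrites 'interface VlanN' blocks as
routed subinterfaces under a 'no switchport' uplink.  Sample configs are
constructed from the thread; IP addresses are placeholders."""
import re

# Constructed: the posted Ethernet0/0 trunk plus three SVIs the poster
# described but did not paste.  Addresses, 'transit' and the /30 are assumed.
ASA5505 = """\
interface Ethernet0/0
 switchport trunk allowed vlan 1-6,8-9
 switchport trunk native vlan 1
 switchport mode trunk
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
 no shutdown
!
interface Vlan2
 nameif cookies
 security-level 50
 ip address 203.0.113.1 255.255.255.0
!
interface Vlan6
 nameif transit
 security-level 80
 ip address 172.31.59.2 255.255.255.252
!
"""

# Constructed from the posted switch side of the same trunk.
C3750 = """\
interface GigabitEthernet1/0/24
 description ASA Trunk
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 1-4,6,8,9
 switchport mode trunk
!
"""


def parse_vlan_list(spec):
    """Expand an IOS/ASA VLAN list such as '1-6,8-9' into a set of ints."""
    vlans = set()
    for part in filter(None, (p.strip() for p in spec.split(","))):
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            vlans.update(range(lo, hi + 1))
        else:
            vlans.add(int(part))
    return vlans


def allowed_vlans(config):
    """VLANs on the first 'switchport trunk allowed vlan' line (all if absent)."""
    m = re.search(r"switchport trunk allowed vlan\s+([\d,\-]+)", config)
    return parse_vlan_list(m.group(1)) if m else set(range(1, 4095))


def trunk_mismatch(config_a, config_b):
    """(only_on_a, only_on_b): VLANs one end tags onto the wire that the other
    end drops.  Traffic in them dies silently, so the link shows up/up while
    hosts in those VLANs never get an answer."""
    a, b = allowed_vlans(config_a), allowed_vlans(config_b)
    return sorted(a - b), sorted(b - a)


def parse_interfaces(config):
    """Map each 'interface X' block to its indented body lines."""
    blocks, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            current = m.group(1)
            blocks[current] = []
        elif line.strip() == "!":
            current = None
        elif current is not None and line.startswith(" "):
            blocks[current].append(line.strip())
    return blocks


def vlan_to_subinterfaces(asa_config, uplink="Ethernet1/1", native_vlan=1):
    """Rewrite 'interface VlanN' SVIs as '<uplink>.N' subinterfaces.  The
    native VLAN's settings go on the physical interface (native frames are
    untagged); every other SVI becomes a tagged subinterface."""
    svis = {int(m.group(1)): body
            for name, body in parse_interfaces(asa_config).items()
            if (m := re.fullmatch(r"Vlan(\d+)", name))}
    if native_vlan not in svis:
        raise ValueError(f"no interface Vlan{native_vlan} for the untagged uplink")
    out = [f"interface {uplink}", " no switchport"]
    out += [" " + l for l in svis[native_vlan]] + ["!"]
    for vid in sorted(v for v in svis if v != native_vlan):
        out += [f"interface {uplink}.{vid}", f" vlan {vid}"]
        out += [" " + l for l in svis[vid]] + ["!"]
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    only_asa, only_sw = trunk_mismatch(ASA5505, C3750)
    print(f"allowed on ASA but pruned on 3750: {only_asa}")  # [5]
    print(f"allowed on 3750 but pruned on ASA: {only_sw}")   # []
    print(vlan_to_subinterfaces(ASA5505))
```

On the configs as posted the mismatch check reports VLAN 5 allowed on the firewall side but pruned on the 3750, which is the kind of thing to clear up before blaming the platform; the conversion emits the Vlan1 settings on Ethernet1/1 itself and Vlan2/Vlan6 as Ethernet1/1.2 and Ethernet1/1.6, matching the shape of the accepted configuration.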

7 Replies

marce1000
VIP

 

 - FYI : https://www.cisco.com/c/en/us/support/docs/ip/enhanced-interior-gateway-routing-protocol-eigrp/13674-15.html

 M.



-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
    When the mirror will then always respond to me with ' The only thing that exceeds your brilliance is your beauty! '

Thanks, but I don't have an EIGRP problem. The switch is complaining about the wrong EIGRP subnet as a result of a possible misconfiguration of the trunk ports involved, but I can't see where I'm wrong.

 

Also, please note that I can't ping the fp1010 even from the local subnet.

 

Something is terribly wrong but I can't see the culprit.

 

 

 - I would suggest, for the time being, using the bare-trunk configuration on the 3750, meaning remove these (see below). Also clear the ARP table(s) on the switch, or reload it to accomplish the same:

 M.

 

load-interval 60
 priority-queue out 
 mls qos trust cos
 flowcontrol receive desired
 storm-control broadcast level 1.00 0.50

 




Hi

 We can assume that this log:

May 20 14:00:49: EIGRP-IPv4(59): Neighbor 172.31.59.2 not on common subnet for Vlan1

 is not related to your activity, unless you tell me that this IP 172.31.59.2 is part of the process.

 

Now, you say that you can not ping the firewall. Does it permit it? Usually a firewall has some restrictions on ICMP for security reasons.

What I can say from the information shared is that in terms of Layer 2, it is OK. I don't see anything wrong.

 If you look at the interfaces on the switch and the firewall, are they UP?

 

Check this point:
Firepower, FTD and ASA behave differently with the native VLAN.
It seems to me that the switch sends the native VLAN untagged, and since the FP does not recognize this frame it forwards it to a different VLAN, "172.31.59.0/xx".

I suggest going back to basics.  Remove all non-essential trunk configuration from both the switch and FTD and see if you can get it to work as a plain old trunk port on both ends.  Then start adding back the rest of the configuration one by one to find the command that is causing the issue.  My guess is that the native vlan 1 on the FTD side is the cause. 

--
Please remember to select a correct answer and rate helpful posts

