
Problems with a switch config with ASAs.

Here is my problem:

I have 2 ASAs (5515-x) in a passive fail over configuration.

I have a Comcast internet connection with two static IP addresses (one for each ASA) coming in on a single fast Ethernet port.

I am told that I need to have a switch to take the Comcast connection to the input ports of the ASAs.

When I insert an SG500-10, I get no connectivity, although my links appear to be active.

The switch has a bare bones configuration, no vlans etc, all ports open.

  • port 1 - Comcast connection
  • port 2 - ASA 1
  • port 3 - ASA 2


Am I missing something silly?

Does the VLAN need an IP address (it would have to be a public IP address, of course) for this configuration to work? I don't think so, but I figure it's worth asking.

I figure I'm missing something fundamental, but for the life of me I can't see it.




The VLAN on the switch should not require an IP address, but having one on the switch can be useful for troubleshooting. I've never used the SG500 series but I assume they're fairly similar to other Catalyst switches. So putting the VLAN interface on the switch would allow you to verify that you can ping the addresses on the connected devices. Obviously that interface IP would have to use one of the public IPs you have, so you'd have to test each ASA's connectivity independently. But even without an IP address on the VLAN interface you can still check ARP tables and such, which is probably where I would start.

This may not make a difference to you, but you might consider putting the three switch ports into their own VLAN and leaving the other ports in the default state which I'm assuming is VLAN 1. That would isolate that segment from someone plugging into that switch directly. May not make a big difference since it's on the outside of the firewalls, but I would probably still do it myself.

In my initial configuration, I did have the three connections in their own VLAN. When I found that I had no connectivity, I removed all the configuration except the port configs, just to see if that was the issue. Once I get this working, I will place the three connections back into their own VLAN for the sake of security.

To summarize what I found last night:

1. The fast Ethernet connection from the Comcast box to the ASA is 100Mb full duplex according to the ASA and works just fine.

2. Placing a switch on that circuit, so that we can offer the second ASA the fast Ethernet feed from Comcast, killed our connectivity.

3. According to the switch, the Comcast fast Ethernet connection was 100Mb, half duplex (and thus the other connections to the ASAs were also half duplex).

4. Changing the Comcast connection from a switchport to a trunk does not change this situation.

I have to admit that I am completely baffled at this time.
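The following is an added example, not configuration from the original thread or from either poster. It puts together the two suggestions above (a dedicated VLAN for the ISP hand-off with an optional SVI for troubleshooting, from the first reply) and the 100Mb/half-duplex observation in point 3 of the summary. It is written in Catalyst IOS syntax; the SG500 CLI differs in places, and the VLAN number, interface names, port range and addresses (203.0.113.0/29 is the documentation range) are assumptions, not values from the thread.

```cisco
! Added example, not from the thread. Catalyst IOS syntax; SG500 syntax
! differs. VLAN 100, the Gi1/0/x names and the 203.0.113.x addresses
! are assumptions chosen for illustration.
!
! Dedicated VLAN for the ISP hand-off so the outside segment is not
! VLAN 1, where any unconfigured port on the switch lands by default.
vlan 100
 name ISP-OUTSIDE
!
! Port facing the Comcast box. Speed and duplex are pinned here as an
! illustration: a port that autonegotiates against a peer that is
! hard-set to 100/full falls back to 100/half, which matches the
! symptom reported in point 3. Whatever is set, both ends must agree.
interface GigabitEthernet1/0/1
 description Comcast hand-off
 switchport mode access
 switchport access vlan 100
 speed 100
 duplex full
 spanning-tree portfast
!
interface GigabitEthernet1/0/2
 description ASA-1 outside
 switchport mode access
 switchport access vlan 100
 spanning-tree portfast
!
interface GigabitEthernet1/0/3
 description ASA-2 outside
 switchport mode access
 switchport access vlan 100
 spanning-tree portfast
!
! Every remaining port shut down, so a stray cable cannot land on the
! outside segment or on VLAN 1. (Range syntax is illustrative.)
interface range GigabitEthernet1/0/4 - 10
 shutdown
!
! Optional SVI for troubleshooting only. It consumes one of the public
! addresses, so one ASA has to be off the segment while it is in place;
! remove it once the ASAs are confirmed working.
interface Vlan100
 ip address 203.0.113.10 255.255.255.248
 no shutdown
!
! Checks to run from the switch afterwards:
!   show interfaces GigabitEthernet1/0/1 status   -> speed/duplex actually negotiated
!   show mac address-table vlan 100               -> Comcast and ASA MACs learned on the expected ports
!   show arp                                      -> only meaningful once the SVI has an address
!   ping 203.0.113.9                              -> placeholder for the Comcast gateway address
```

The MAC-address-table check is the one that needs no SVI: if the Comcast box's MAC never appears on the hand-off port while the link is up, the problem is on that port or the far side, not on the ASA ports. The SVI and ping only prove the switch itself can reach the ISP gateway with one of the public addresses, which is why the example labels it as temporary.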

Does it work on both ASAs if you go directly from Comcast to the ASA? And if you put the switch in line connecting to only one ASA, does it still break the connectivity? Finally, if you use the switch elsewhere, does it work properly? Since you see a connection directly to Comcast, what happens if you configure the VLAN IP address on the switch? Can you pass traffic from the switch to Comcast?

I agree, it sounds like a very strange situation. As I said, I've never worked with that particular line of switches, but I'd be very surprised if they had substantially different behaviors.

With one connection from the Comcast box, we can only connect to one ASA, but that does work. We need the switch to break out the second connection to the second ASA.

We haven't used that switch elsewhere, but we did use another switch in its place and got the same result.

I haven't tried using VLANs yet. Given that I can't get a basic switch config to work, I thought it best not to complicate the issue!

The SG line of switches is not Catalyst switches and does have different behaviours ... I've come across some real gotchas with these things.

Then I'm unable to help with the different behavior since I haven't used one.

Just a thought, but I do think it's worth checking with Comcast and making sure nothing on their end is causing this to fail. At my home, I was with another cable provider and had arranged to get two DHCP addresses from them, which I needed for a home router and a work VPN router. Everything worked great until Comcast bought the provider and it no longer worked. After several support calls, I finally talked to someone who told me they could only handle a single address, not the two I needed. Obviously your situation is different, but I think it's worth ruling that out as a possible cause.