9500 Routing Issue

i.leridant

Hello everyone,

I hope you're all fine.

I am seeing an issue with a 9500 (StackWise, version 16.9.4) installed at the beginning of the year.

Until yesterday everything was fine, then my customer asked me to install a VPN with a Firepower device.

This FW is connected to a remote switch; the L2 connectivity is good between the Firepower and the 9500.

The L3 connectivity is done through an interface VLAN (SVI) on the 9500.

I configured a new static route on the 9500 for the remote users' network, pointing to the FW.

It works great, but sometimes there is no more connectivity between the VPN clients and the LAN. When, on the 9500, I do a shut / no shut on the interface VLAN, then it works again.

I don't know where I can begin to debug (when I do a "sh arp" before the shut / no shut, the output is fine and a ping to the FW is OK).

Thank you for any help!

7 Replies

balaji.bandi

I would like to know more about the connection between the FW and the switch: port-channel or trunk?

Is the FW a cluster or a single unit?

How is the connection done: to only one switch, or connected to both switches?

Can you post the relevant configuration of the switch side to look at? Do you see any abnormal logs?

BB

Hi balaji,

Thank you for your reply.

I have 1 FW (no cluster, no HA). From the "LAN" interconnect perspective I have:

FW_Gi0/0 => 2960X interface in access mode => 9500 interface in trunk mode => SVI on the 9500

The trunk does allow the access VLAN.

Perhaps the issue is from the FW, but it is solved when I shut / no shut the SVI.

Best regards

Hi,

Do the following:

1. Prepare a packet capture on both the FTD (FTD Packet Capture) and the 9500 (9500 Packet Capture), but don't activate it yet.

2. When the issue comes up, first issue a "show spanning-tree vlan X" on the 9500 and on the layer 2 switch, where X is the transport VLAN, and do it a couple of times; see if the port states and roles are final or not. This is to exclude a layer 2 STP issue, as you said ARP is all good. Then start the packet captures and generate interesting traffic from the VPN tunnel to some resource behind the 9500 from the routing point of view, or maybe towards the 9500 SVI.

Post the results for STP and the packet captures.

Regards,

Cristian Matei.


Hello

@i.leridant wrote:
there is no more connectivity between VPN clients to the LAN. When, on the 9500, I do a shut no shut on the interface vlan and the it works again.

FW_Gi0/0 => 2960X interface in mode access

Do you have ISAKMP keepalive enabled on both sides of the VPN tunnel, as this should keep the tunnel active by polling the remote VPN peer?
Also make sure the access port on the remote L2 switch that the FW attaches to has STP PortFast enabled.

Kind Regards
Paul

Hi,

@paul driver IKE DPD or keepalives will never keep the tunnel up; this is just for peer failure detection. A routed (route-based) IPsec VPN tunnel stays always up by design; a policy-based IPsec VPN tunnel stays up only if there is interesting traffic, otherwise rekeying doesn't happen, and interesting traffic means data-plane, not control-plane such as DPD/keepalives.

Regards,

Cristian Matei.

Hello,

First of all, thank you for your answers!

I think I finally discovered the issue.

When installing the firewall, one of my junior team members created a VRF on a switch and put the same SVI in this VRF. This was meant to have no impact on my production environment...

I shut this rogue SVI and the issue was solved.

Best regards
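The root cause above (a second SVI for the same VLAN, carrying the same IP address, created inside a VRF on another switch) is the kind of thing that is easy to miss by eye because each device's running-config looks fine in isolation. The following is an added example, not code from this thread or from Cisco, showing how to audit a set of IOS-style running-configs for exactly that: SVIs for the same VLAN on different devices whose addresses collide or whose subnets overlap, regardless of which VRF they sit in. The device names and both configurations are constructed for the example.

```python
"""Audit IOS-style running-configs for SVIs that collide across devices/VRFs.

Added example for the "rogue SVI in a VRF" scenario; the configs below are
constructed, not taken from the thread.
"""
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample configs (hypothetical device names and addressing).
# The access switch carries a duplicate Vlan100 SVI inside a VRF, which is
# the misconfiguration described in the thread.
CONFIGS = {
    "core-9500": """
interface Vlan100
 description Firewall interconnect
 ip address 10.10.100.1 255.255.255.0
!
interface Vlan200
 ip address 10.10.200.1 255.255.255.0
!
ip route 192.168.50.0 255.255.255.0 10.10.100.254
""",
    "access-2960x": """
vrf definition FW-TEST
 address-family ipv4
 exit-address-family
!
interface Vlan100
 vrf forwarding FW-TEST
 ip address 10.10.100.1 255.255.255.0
!
interface Vlan1
 ip address 10.10.1.10 255.255.255.0
""",
}

INTERFACE_RE = re.compile(r"^interface Vlan(\d+)\s*$", re.IGNORECASE)
# Covers both "vrf forwarding X" and the older "ip vrf forwarding X" syntax.
VRF_RE = re.compile(r"^\s+(?:ip )?vrf forwarding (\S+)")
ADDR_RE = re.compile(r"^\s+ip address (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)\s*$")


@dataclass(frozen=True)
class Svi:
    device: str
    vlan: int
    vrf: str                         # "global" when no vrf forwarding statement
    iface: ipaddress.IPv4Interface
    shutdown: bool


def parse_svis(device: str, config: str) -> list[Svi]:
    """Extract every addressed 'interface VlanN' block from one running-config."""
    svis: list[Svi] = []
    cur: dict | None = None

    def close() -> None:
        # Only SVIs with an IP address are interesting for an overlap check.
        if cur and "iface" in cur:
            svis.append(Svi(device, cur["vlan"], cur["vrf"], cur["iface"], cur["shutdown"]))

    for line in config.splitlines():
        if not line.startswith(" "):          # a top-level command ends the current block
            close()
            m = INTERFACE_RE.match(line)
            cur = {"vlan": int(m.group(1)), "vrf": "global", "shutdown": False} if m else None
            continue
        if cur is None:
            continue
        if m := VRF_RE.match(line):
            cur["vrf"] = m.group(1)
        elif m := ADDR_RE.match(line):
            cur["iface"] = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
        elif line.strip() == "shutdown":
            cur["shutdown"] = True
    close()
    return svis


def find_conflicts(all_svis: list[Svi]) -> list[str]:
    """Report same-VLAN SVIs on different devices with duplicate or overlapping addressing."""
    by_vlan: dict[int, list[Svi]] = defaultdict(list)
    for s in all_svis:
        if not s.shutdown:                    # an administratively down SVI is harmless
            by_vlan[s.vlan].append(s)
    findings: list[str] = []
    for vlan, svis in sorted(by_vlan.items()):
        for i, a in enumerate(svis):
            for b in svis[i + 1:]:
                if a.device == b.device:
                    continue
                where = f"{a.device} (vrf {a.vrf}) and {b.device} (vrf {b.vrf})"
                if a.iface.ip == b.iface.ip:
                    findings.append(f"VLAN {vlan}: duplicate IP {a.iface.ip} on {where}")
                elif a.iface.network.overlaps(b.iface.network):
                    findings.append(
                        f"VLAN {vlan}: overlapping subnets {a.iface.network} / {b.iface.network} on {where}")
    return findings


def audit(configs: dict[str, str] = CONFIGS) -> list[str]:
    """Parse every device config and return the list of conflict findings."""
    all_svis = [s for dev, cfg in configs.items() for s in parse_svis(dev, cfg)]
    return find_conflicts(all_svis)


if __name__ == "__main__":
    for finding in audit() or ["no SVI conflicts found"]:
        print(finding)
```

Run against the constructed configs, the audit reports the single duplicate 10.10.100.1 on VLAN 100 between the two devices, and adding `shutdown` to the access switch's Vlan100 block (the fix applied in the thread) clears the finding. The check deliberately ignores VRF membership when comparing addresses: a VRF isolates the routing table, not the VLAN's broadcast domain, so two SVIs with the same IP on the same VLAN still answer the same ARP requests.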

Thanks for letting us know that you have found the answer to your problem and sharing it with us. A well deserved +5 for finding the solution to your own problem.

HTH

Rick