03-19-2020 02:52 AM
Hello everyone,
I hope you're all fine.
I am seeing an issue with a 9500 (stackwise, 16.9.4 version) installed at the beginning of the year.
Until yesterday everything was fine, then my customer asked me to install a VPN with a firepower device.
This FW is connected to a remote switch, the L2 connectivity is good between firepower and 9500.
The L3 connectivity is done through an interface vlan on the 9500.
I configured a new static route on the 9500, network for remote users to the FW.
It works great, but sometimes there is no more connectivity between the VPN clients and the LAN. When I do a shut/no shut on the interface vlan on the 9500, it works again.
I don't know where to begin debugging (when I do a sh arp before the shut/no shut, the output is fine and the ping to the FW is OK).
Thank you for any help !
03-19-2020 03:13 AM - edited 03-19-2020 03:13 AM
I'd like to know more about the connection between the FW and the switch: port-channel or trunk?
Is the FW a cluster or a single kit?
How is this connection done: to only one switch, or connected to both switches?
Can you post the relevant configuration from the switch side to look at? Do you see any abnormal logs?
03-19-2020 03:31 AM
Hi balaji,
Thank you for your reply.
I have 1 FW (no cluster, no HA). From the "LAN" interconnection perspective I have:
FW_Gi0/0 => 2960X interface in mode access => 9500 interface in mode trunk => SVI in the 9500
The trunk does allow the access vlan.
Perhaps the issue comes from the FW, but it is solved when I shut/no shut the SVI.
Best regards
03-19-2020 04:48 AM
Hi,
Do the following:
1. Prepare a packet capture on both the FTD (FTD Packet Capture) and the 9500 (9500 Packet Capture), but don't activate it yet.
2. When the issue comes up, first issue a "show spanning-tree vlan x" on the 9500 and on the layer 2 switch, where x is the transport VLAN, and do it a couple of times; see if the port states and roles are final or not. This is to exclude a layer 2 STP issue, as you said ARP is all good. Then start the packet captures and generate interesting traffic from the VPN tunnel to some resource behind the 9500 from the routing point of view, or maybe towards the 9500 SVI.
Post the results for STP and the packet captures.
Regards,
Cristian Matei.
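Step 2 above asks for several consecutive "show spanning-tree vlan x" captures and a by-eye comparison of port roles and states. The script below is an added example (not from this thread or from Cisco) that automates that comparison: it parses the interface table of the IOS-style output, compares the samples, and reports any port whose role or state changed between captures or that was seen in a transient state (LRN/LIS). The two sample outputs are constructed for the example; the interface names, VLAN number and bridge addresses are not from the thread.

```python
import re

# One row of the interface table in "show spanning-tree vlan X" (IOS format).
# Assumed roles: Desg/Root/Altn/Back/Mstr; states: FWD/BLK/LRN/LIS/DIS/BKN.
PORT_ROW = re.compile(
    r"^(?P<intf>\S+)\s+(?P<role>Desg|Root|Altn|Back|Mstr)\s+"
    r"(?P<sts>FWD|BLK|LRN|LIS|DIS|BKN)\s+(?P<cost>\d+)\s+(?P<prio>\d+\.\d+)\s+(?P<type>.+?)\s*$"
)
# States in which a port has converged; anything else means STP is still moving.
STABLE_STATES = {"FWD", "BLK", "DIS"}

# Constructed sample captures (not real device output): a converged VLAN, then the
# same VLAN a few seconds later with Gi1/0/3 switching role and still learning.
SAMPLE_STABLE = """VLAN0010
  Spanning tree enabled protocol rstp
  Root ID    Priority    24586
             Address     0011.2233.4455
             Cost        2
             Port        2 (TenGigabitEthernet1/0/2)

Interface           Role Sts Cost      Prio.Nbr Type
------------------- ---- --- --------- -------- --------------------------------
Te1/0/1             Desg FWD 2         128.1    P2p
Te1/0/2             Root FWD 2         128.2    P2p
Gi1/0/3             Altn BLK 4         128.3    P2p
"""

SAMPLE_FLAP = SAMPLE_STABLE.replace(
    "Gi1/0/3             Altn BLK 4         128.3    P2p",
    "Gi1/0/3             Desg LRN 4         128.3    P2p",
)


def parse_stp(output):
    """Return {interface: (role, state)} for one capture."""
    ports = {}
    for line in output.splitlines():
        m = PORT_ROW.match(line.strip())
        if m:
            ports[m["intf"]] = (m["role"], m["sts"])
    return ports


def stp_findings(samples):
    """Compare consecutive captures. Returns {interface: [findings]}; an empty list
    means the port kept the same converged role/state in every sample."""
    parsed = [parse_stp(s) for s in samples]
    all_intfs = set().union(*(p.keys() for p in parsed))
    findings = {}
    for intf in sorted(all_intfs):
        notes = []
        seen = [p.get(intf) for p in parsed]
        present = [v for v in seen if v is not None]
        if len(present) != len(seen):
            notes.append("port appears/disappears between samples")
        if len({v[0] for v in present}) > 1:
            notes.append("role changed: " + " -> ".join(v[0] for v in present))
        if len({v[1] for v in present}) > 1:
            notes.append("state changed: " + " -> ".join(v[1] for v in present))
        transient = {v[1] for v in present} - STABLE_STATES
        if transient:
            notes.append("transient state(s) seen: " + ",".join(sorted(transient)))
        findings[intf] = notes
    return findings


def vlan_is_stable(samples):
    """True when no port changed and every port was in a converged state throughout."""
    return all(not notes for notes in stp_findings(samples).values())


if __name__ == "__main__":
    for label, run in (("stable", [SAMPLE_STABLE, SAMPLE_STABLE]),
                       ("flapping", [SAMPLE_STABLE, SAMPLE_FLAP])):
        print(label, "->", "stable" if vlan_is_stable(run) else stp_findings(run))
```

Paste the real captures from the 9500 and the 2960X into the samples list (one string per capture); a port that shows up with a changed role, a changed state or LRN/LIS in any sample is the one to look at before blaming the VPN side.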
03-19-2020 04:32 AM - edited 03-19-2020 04:37 AM
Hello
@i.leridant wrote:
there is no more connectivity between VPN clients to the LAN. When, on the 9500, I do a shut no shut on the interface vlan and the it works again.
FW_Gi0/0 => 2960X interface in mode access
Do you have isakmp keepalive enabled on both sides of the VPN tunnel, as this should keep the tunnel active by polling the remote VPN peer?
Also, make sure the access port on the remote L2 switch that the FW attaches to has STP portfast enabled.
03-19-2020 04:51 AM
Hi,
@paul driver IKE DPD or keepalives will never keep the tunnel up; this is just for peer failure detection. A routed VPN IPsec tunnel stays always up by design; a policy-based VPN IPsec tunnel stays up only if there is interesting traffic, otherwise rekeying doesn't happen, and interesting traffic means data-plane, not control-plane such as DPD/keepalives.
Regards,
Cristian Matei.
03-24-2020 02:37 AM
Hello,
First of all thank you for your answers !
I think I finally discovered the issue.
When installing the firewall, one of my junior team members created a VRF on a switch and put the same SVI in this VRF. This was so as to have no impact on my production environment...
I shut this rogue SVI and the issue was solved.
Best regards
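The root cause here, a second SVI carrying the same gateway address inside a VRF on another switch, is easy to miss by eye but easy to catch from the running-configs. The script below is an added example (not from this thread or from Cisco): it pulls every "interface VlanN" with an IP address out of IOS-style configs from several devices, records the VRF each one sits in, and reports any subnet that is served by more than one SVI, flagging when the addresses are identical. The two configs, hostnames, VLAN numbers, VRF name and addresses are constructed for the example.

```python
import ipaddress
import re
from collections import defaultdict

# IOS-style config lines this audit cares about (constructed format, not a full IOS parser).
INTF_RE = re.compile(r"^interface (Vlan\d+)\s*$", re.IGNORECASE)
IP_RE = re.compile(r"^\s+ip address (\S+) (\S+)\s*$")
VRF_RE = re.compile(r"^\s+vrf forwarding (\S+)\s*$")

# Constructed running-config excerpts: the core switch owns the transit SVI in the
# global table, and a second switch carries a copy of it inside a test VRF.
CORE_9500 = """hostname CORE-9500
!
interface Vlan100
 description Firewall transit
 ip address 10.100.0.1 255.255.255.0
!
interface Vlan200
 ip address 10.200.0.1 255.255.255.0
!
"""

DIST_SW = """hostname DIST-SW
!
vrf definition FW-TEST
 address-family ipv4
!
interface Vlan100
 vrf forwarding FW-TEST
 ip address 10.100.0.1 255.255.255.0
!
"""


def parse_svis(hostname, config):
    """Return [{device, intf, vrf, ip}] for every SVI that has an IPv4 address."""
    svis = []
    current = None
    for line in config.splitlines():
        m = INTF_RE.match(line)
        if m:
            current = {"device": hostname, "intf": m.group(1), "vrf": "global", "ip": None}
            svis.append(current)
            continue
        if not line.startswith(" "):
            current = None          # "!" or a top-level command ends the interface block
            continue
        if current is None:
            continue
        m = IP_RE.match(line)
        if m:
            # ipaddress accepts the dotted-netmask form used by IOS.
            current["ip"] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
        m = VRF_RE.match(line)
        if m:
            current["vrf"] = m.group(1)
    return [s for s in svis if s["ip"] is not None]


def find_duplicate_gateways(configs):
    """configs: {hostname: running-config text}.
    Returns one finding per subnet that has more than one SVI across all devices."""
    by_subnet = defaultdict(list)
    for host, cfg in configs.items():
        for svi in parse_svis(host, cfg):
            by_subnet[svi["ip"].network].append(svi)
    findings = []
    for net, svis in sorted(by_subnet.items(), key=lambda kv: str(kv[0])):
        if len(svis) < 2:
            continue
        findings.append({
            "subnet": str(net),
            "svis": [f'{s["device"]}:{s["intf"]} vrf={s["vrf"]} ip={s["ip"].ip}' for s in svis],
            # Identical addresses mean two devices answer ARP for the same gateway.
            "same_ip": len({s["ip"].ip for s in svis}) < len(svis),
            "vrfs": sorted({s["vrf"] for s in svis}),
        })
    return findings


if __name__ == "__main__":
    for f in find_duplicate_gateways({"CORE-9500": CORE_9500, "DIST-SW": DIST_SW}):
        print(f["subnet"], "same_ip=%s" % f["same_ip"], "vrfs=%s" % f["vrfs"])
        for s in f["svis"]:
            print("   ", s)
```

Feed it the saved running-configs of every switch in the L2 domain; a subnet listed with same_ip=True and more than one VRF is exactly the "same SVI in a VRF" situation described in the post, and it shows up before the first shut/no shut is needed.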
03-24-2020 02:58 PM
Thanks for letting us know that you have found the answer to your problem and sharing it with us. A well deserved +5 for finding the solution to your own problem.