Cannot Route Between Subinterfaces

jimmlegs
Level 1

I am unable to route from my primary network to any sub-interfaces. I am attempting to segment the network and have created some /30 networks, but I am unable to route to them. I have an ASA connected to a Meraki MS250-24P; my primary network is 192.168.68.0/24 and I have been unable to route to, for example, 192.168.168.92/30.

!
interface GigabitEthernet1/2.68
 vlan 68
 nameif inside-68
 security-level 100
 ip address 192.168.68.253 255.255.255.0 standby 192.168.68.254
!
interface GigabitEthernet1/2.204
 vlan 204
 nameif network-d
 security-level 55
 ip address 192.168.168.93 255.255.255.252
!
Any help would be much appreciated.

Thanks

19 Replies

Thank you for the additional information, which I believe is quite helpful. 
The first thing that I would point out is this from the ASA arp table

segment-c HostEx3 cc7f.76a0.c08c 5443
segment-d HostEx4 bc5a.56c9.8ce4 5473

These hosts are the IP addresses that you want to communicate with. So this demonstrates that the ASA is communicating with them.

The other thing that I believe is quite helpful is the Routing Table info from Meraki. It shows that network 192.168.68.0 is a connected interface on the switch. So when you attempt to access those hosts you send the request through the /30 subinterface but Meraki will be sending the response back using its 192.168.68.0 interface. So this creates an asymmetric path which is a problem for the ASA. I suspect that if you check the logs of the ASA when you are attempting to access these hosts you will find error messages in the ASA logs.

If you were attempting to access these hosts from a network different from 192.168.68.0 I think it would probably work ok. I do not know enough about your environment to suggest a good solution. If the issue existed on the ASA we might look at Policy Based Routing as a way to get the response traffic to use the link you want it to use, but I don't know if Meraki has anything like that.

Perhaps you can help us understand the environment a bit better? Am I correct in understanding that there is an existing connection between ASA and Meraki using network 192.168.68.0 and that now you are creating a second (or second and third) connection between ASA and Meraki? What is the purpose for this?

HTH

Rick

I see no messages related to these object names or IPs in the syslog. The quick history is that when I took over the network everything was working fine as per the IP/subnet spreadsheet however it appears none of this communication was inter-VLAN. A request came in for two new appliances however these need connectivity from the main server network 192.168.68.0/24 to these two new subnets 192.168.168.88/30, and 192.168.168.92/30. And this brings us to where we are now with the inability to communicate to the two new subnets, I just tested and have not been able to communicate to any of the subnets on the 192.168.168.0 address space from 192.168.68.0/24 hosts which indicates inter-vlan routing was never working in the first place.

Thanks for the additional information. I am a bit surprised that there are no log messages, but it is not a big deal. I would have considered the log messages as confirmation of my idea that the problem is asymmetric paths, but if there are no log messages I continue to believe that this is the problem.

I am sensing a bit of a disconnect. On the one hand you tell us that "everything was working fine as per the IP/subnet spreadsheet" and also tell us "which indicates inter-vlan routing was never working in the first place." I think I understand the issue with vlans 203 and 204 and I am wondering if vlans 201 and 202 are fairly recent additions (with similar issues) or have they been in place for a long time?

HTH

Rick

I am thinking about your comments about inter vlan routing and trying to figure out how it used to work. What I see in the current environment is that you have multiple vlans on the ASA (vlan for 192.168.68.0/24, and multiple vlans for subnets of 192.168.168.0) and those same vlans/subnets also exist on Meraki. If the same vlans/subnets exist on both devices then there are 2 places where inter vlan routing might be done. Is it possible that the inter vlan routing previously was done on the Meraki?

HTH

Rick

My understanding of this continues to evolve, and I need a better understanding of the history of this situation. Your approach wants the inter vlan routing to be on the ASA and I wonder about that. Can you tell me that the inter vlan routing has always been on the ASA? If not, is there a reason to move inter vlan routing from Meraki to ASA?

As I think about this situation it seems that inter vlan routing on the Meraki would have some advantages: it has the various subnets as locally connected networks so routing between the subnets would be easy, it has a default route with the ASA as the next hop so that any traffic destined for outside would be correctly forwarded, and it avoids any issues about asymmetric paths. If inter vlan routing is on the Meraki then it leaves the ASA to do firewall stuff and moves the processing for inter vlan traffic to a device that might be somewhat more efficient at that task.

HTH

Rick
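An added example (not from the thread or either vendor) that models Rick's asymmetric-path explanation from his first reply and his later suggestion to put inter-VLAN routing on the Meraki: it does longest-prefix lookups over two constructed routing tables and compares the set of L3 devices the request and the reply cross. The host addresses, the Meraki's table and the assumption that the appliance's default gateway is the Meraki are all constructed.

```python
import ipaddress

# Constructed model of the thread's topology. A route is (prefix, action): "connected"
# terminates on this device, "via:<device>" forwards to another modelled device, and any
# other label (e.g. "internet") leaves the model. Both tables carry a default route, so
# lookup() always finds a match.
ASA = [("192.168.68.0/24", "connected"), ("192.168.168.92/30", "connected"),
       ("0.0.0.0/0", "internet")]
MERAKI = [("192.168.68.0/24", "connected"), ("192.168.168.92/30", "connected"),
          ("0.0.0.0/0", "via:asa")]            # default to the ASA, as Rick describes
DEVICES = {"asa": ASA, "meraki": MERAKI}


def lookup(routes, dst):
    """Longest-prefix match over one device's routing table; returns the action."""
    d = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(p), act) for p, act in routes
               if d in ipaddress.ip_network(p)]
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def trace(dst, gateway):
    """List the L3 devices a packet to dst crosses, starting at the sender's gateway."""
    hops, dev = [], gateway
    while dev in DEVICES:
        hops.append(dev)
        action = lookup(DEVICES[dev], dst)
        if action == "connected":
            return hops
        dev = action.split(":", 1)[1] if action.startswith("via:") else action
    return hops + [dev]


def asymmetric(src, dst, src_gw, dst_gw):
    """True when the reply crosses a different device sequence than the request."""
    return trace(dst, src_gw) != list(reversed(trace(src, dst_gw)))


SERVER, APPLIANCE = "192.168.68.10", "192.168.168.94"   # constructed host addresses

# Current design: servers default-route to the ASA; the appliance's reply is routed by the
# Meraki (constructed assumption), which has 192.168.68.0/24 connected and never hands the
# reply to the ASA, so the stateful firewall sees only one direction of the flow.
CURRENT = asymmetric(SERVER, APPLIANCE, "asa", "meraki")
# Rick's alternative: inter-VLAN routing on the Meraki for both sides; the ASA only sees
# traffic that leaves for the outside.
MERAKI_ROUTED = asymmetric(SERVER, APPLIANCE, "meraki", "meraki")

if __name__ == "__main__":
    print("request path:", trace(APPLIANCE, "asa"), " reply path:", trace(SERVER, "meraki"))
    print("current design asymmetric:", CURRENT)        # True
    print("Meraki-routed asymmetric :", MERAKI_ROUTED)  # False
```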