08-19-2010 07:38 AM - edited 03-04-2019 09:29 AM
Hi,
I have a Cisco ASA 5505, and I am having a problem pinging the gateway on the outside. It was working fine when I first installed it and then stopped after a few hours.
I can now see a large number of switch ingress policy drops (1334).
The outside interface is connected to a Cisco Catalyst 2960G, with a VLAN created between the gateway and the ASA outside interface.
Gi0/1 - VLAN 34 ---> service provider
Gi0/2 - VLAN 34 ---> ASA 5505 outside e0/0 interface
Gi0/3 - VLAN 34 ---> router
Gi0/4 - VLAN 34 ---> PIX
The PIX and the router can ping the SP gateway with no problem.
Here is the interface configuration on the ASA 5505:
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.102.246.71 255.255.255.240
!
interface Vlan2
 nameif outside
 security-level 0
 ip address xxxxxx 255.255.255.248
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
FW# sh int e0/0
Interface Ethernet0/0 "", is up, line protocol is up
  Hardware is 88E6095, BW 100 Mbps
        Auto-Duplex(Full-duplex), Auto-Speed(100 Mbps)
        Available but not configured via nameif
        MAC address 0025.45fd.e466, MTU not set
        IP address unassigned
        1910 packets input, 141491 bytes, 0 no buffer
        Received 56 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 L2 decode drops
        1334 switch ingress policy drops
        4 packets output, 256 bytes, 0 underruns
        0 output errors, 0 collisions, 0 interface resets
        0 babbles, 0 late collisions, 0 deferred
        0 lost carrier, 0 no carrier
        0 rate limit drops
        0 switch egress policy drops
FW-#
I have checked that there is no port security on the switch and that the port is not err-disabled on the switch.
Both ports, on the switch and on the ASA, are auto-sensing, and there is no mismatch problem since there are no CRC errors.
Please help.
Thanks,
Ashley
08-19-2010 07:44 AM
Hello,
Can you please post the running configuration from the firewall here?
Regards,
NT
08-19-2010 07:58 AM
08-19-2010 08:52 AM
Hello,
Where are you trying to ping from? If you are trying to ping from the ASA, it should work fine. However, if you try to ping from an internal client, it may not work, as you are missing the NAT configuration:
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
Please try the above configuration if you are trying to ping from inside clients.
Hope this helps.
Regards,
NT
08-19-2010 09:29 AM
Hi,
I was pinging from the ASA itself, from the console, to the outside, and it is not working.
Thx,
Ashley
08-19-2010 11:30 AM
Hello,
What kind of cable are you using between the ASA and the switch? Can you use a crossover cable and see if that helps?
Regards,
NT
08-19-2010 11:52 AM
Hi ,
Can you change VLAN 2 on the ASA to VLAN 34, as I can see the port on the switch is configured as VLAN 34? Also, hardcode the speed and duplex on both devices (switch and ASA: 100 Mbps/full).
Thanks
Manish
08-19-2010 11:15 PM
Hi,
I did not try the duplex/speed hard-coding on both sides; same thing. As you mentioned, there is a problem with the tagging.
I could have tried that.
Finally, what I did is invert the VLANs, meaning VLAN 1 - outside, VLAN 2 - inside, so tagging is on the outside, and it works fine.
I will try your solution later and anyway thanks very much for your help guys.
Cheers,
Ashley
08-20-2010 05:40 AM
Hello,
How is the port connected to ASA5505 configured? Trunk or access port?
Regards,
NT
08-20-2010 08:58 AM
Hi,
I am having the same problem on the inside interface after I interchanged them.
The ASA e0/1 (inside) is connected to the switch with VLAN 34 in access mode, but still:
48578 switch ingress policy drops
Ashley
08-19-2010 11:12 PM
Hi,
It's a straight-through cable. I could change to a crossover, but the Catalyst is MDIX capable.
I think the problem is with VLAN tagging or something of that sort. I have inverted the configuration: VLAN 1 is now outside and VLAN 2 is inside, and it works.
Weird.
Thanks,
Ashley
08-20-2010 09:34 AM
Hi ash !
I would recommend you hardcode the speed and duplex on the ASA and the upstream switch, as I have seen some issues with the ASA 5505 connecting to higher-speed interfaces where it shows auto-negotiation at full/100 Mbps but drops packets because of the higher-speed interface on the other end. Test it using ping.
thanks
Manish
08-20-2010 09:53 AM
Hi, I have hard-coded 100/full on both sides, ASA and switch. Same problem.
I am running out of ideas... Any ideas?
08-20-2010 10:12 AM
Hello,
If I understand your topology correctly, you have a 2960 connecting to a router, a PIX, and the ASA. Are there any address conflicts? Can you make sure that on the ASA 5505 only one port is connected to the 2960 (no physical loops)? Can you try to ping the ASA from one of the other devices and check the MAC address assigned for that IP?
Regards,
NT
08-20-2010 10:21 AM
The reasons for switch ingress policy drops are:
1> The port is not configured properly, and the drops are incremented when a packet cannot be successfully forwarded within the switch ports as a result of these settings.
2> The nameif command was not configured on the VLAN interface. If nameif isn't configured, switching within the same VLAN is still successful.
3> The VLAN is shut down.
4> An access port received an 802.1Q tagged packet.
5> A trunk port received a tag that is not allowed, or an untagged packet.
6> The ASA is connected to a Cisco device or any other device that sends Ethernet keepalives.
7> The VLAN has only one physical interface, but the destination of the packet does not match the MAC address of the VLAN and it is not the broadcast address.
thanks
manish
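The ingress-policy causes in the list above, turned into a small checker, as an added example that is not part of the original thread and not Cisco code. It parses ASA 5505 style interface configuration and decides, for one frame arriving on a switch port, whether the 5505 would forward it or count a switch ingress policy drop. The config is the poster's, with the outside address replaced by a documentation address and extended with a constructed shut-down Vlan3 on Ethernet0/3 and a constructed trunk on Ethernet0/2 so that causes 3, 4 and 5 can be exercised; cause 2 (no nameif) is reported as a warning because the list says switching still succeeds; causes 1, 6 and 7 depend on traffic details the config does not carry and are not checked, and native-VLAN handling on trunks is not modelled (an assumption of this example). All function and class names are this example's own.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional, Set

# Interface config from the original post (outside address replaced with a
# documentation address), plus a CONSTRUCTED shut-down Vlan3 on Ethernet0/3
# and a CONSTRUCTED trunk on Ethernet0/2 to exercise the drop rules.
ASA_CONFIG = """
interface Vlan1
 nameif inside
 ip address 10.102.246.71 255.255.255.240
!
interface Vlan2
 nameif outside
 ip address 192.0.2.2 255.255.255.248
!
interface Vlan3
 shutdown
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/2
 switchport mode trunk
 switchport trunk allowed vlan 1,2
!
interface Ethernet0/3
 switchport access vlan 3
!
"""

@dataclass
class VlanIf:
    vid: int
    nameif: Optional[str] = None
    shutdown: bool = False

@dataclass
class SwitchPort:
    name: str
    mode: str = "access"                 # "access" or "trunk"
    access_vlan: int = 1                 # 5505 default when none is configured
    allowed: Optional[Set[int]] = None   # trunk: allowed VLAN IDs (None = all)

def _expand_vlan_list(text: str) -> Set[int]:
    """'1,2,10-12' -> {1, 2, 10, 11, 12}"""
    out: Set[int] = set()
    for part in text.split(","):
        lo, _, hi = part.strip().partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

def parse_config(cfg: str):
    """Collect VLAN interfaces and switch ports from running-config text."""
    vlans: Dict[int, VlanIf] = {}
    ports: Dict[str, SwitchPort] = {}
    cur = None
    for raw in cfg.splitlines():
        line = raw.strip()
        m = re.match(r"interface (Vlan(\d+)|Ethernet\S+)$", line)
        if m:
            if m.group(2):
                cur = vlans.setdefault(int(m.group(2)), VlanIf(int(m.group(2))))
            else:
                cur = ports.setdefault(m.group(1), SwitchPort(m.group(1)))
        elif isinstance(cur, VlanIf):
            if line.startswith("nameif "):
                cur.nameif = line.split()[1]
            elif line == "shutdown":
                cur.shutdown = True
        elif isinstance(cur, SwitchPort):
            if line.startswith("switchport access vlan "):
                cur.access_vlan = int(line.split()[-1])
            elif line == "switchport mode trunk":
                cur.mode = "trunk"
            elif line.startswith("switchport trunk allowed vlan "):
                cur.allowed = _expand_vlan_list(line.split("vlan", 1)[1])
    return vlans, ports

def ingress_verdict(port: SwitchPort, tag: Optional[int], vlans: Dict[int, VlanIf]) -> str:
    """'forward ...' or 'drop: <reason>' for a frame with 802.1Q tag `tag` (None = untagged)."""
    if port.mode == "access":
        if tag is not None:
            return "drop: access port received an 802.1Q tagged frame"   # cause 4
        vid = port.access_vlan
    else:  # trunk; native VLAN not modelled (assumption)
        if tag is None:
            return "drop: trunk port received an untagged frame"         # cause 5
        if port.allowed is not None and tag not in port.allowed:
            return f"drop: trunk port received VLAN {tag}, which is not allowed"  # cause 5
        vid = tag
    vif = vlans.get(vid)
    if vif is not None and vif.shutdown:
        return f"drop: VLAN {vid} is shut down"                          # cause 3
    if vif is None or vif.nameif is None:
        # cause 2: no nameif, but intra-VLAN switching still works
        return f"forward to VLAN {vid} (warning: no nameif)"
    return f"forward to VLAN {vid} ({vif.nameif})"

if __name__ == "__main__":
    vlans, ports = parse_config(ASA_CONFIG)
    for pname, tag in (("Ethernet0/0", None), ("Ethernet0/0", 34), ("Ethernet0/3", None)):
        print(pname, tag, ingress_verdict(ports[pname], tag, vlans))
```

With the poster's e0/0 in access VLAN 2, an untagged frame is forwarded to the outside interface regardless of which VLAN number the 2960 assigns to its own access port, because an untagged frame carries no VLAN ID at all; a tagged frame on that same port is the access-port drop case, which is why it matters whether the 2960 side is configured as an access or a trunk port, as NT asks above.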