Solved: Re: The ASA does not seem to be doing ROUTING.

JustTakeTheFirstStep · ‎08-22-2019

The ASA does not seem to be doing ROUTING.

4507 and 3850 do not ping.

I attach the CONFIG_SCRIPT.

Do you know the cause ??

Please help me.

I did not find the cause.

I only believe you.

JustTakeTheFirstStep · ‎09-22-2019

Thank you for the answers.

The cause was the IP SLA.

Thank you.

View solution in original post

Georg Pauwen · ‎08-22-2019

Hello,

you have posted only a partial configuration. Make sure you have:

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

configured.

If that doesn't work, post the full configuration.

JustTakeTheFirstStep · ‎08-23-2019

Thank you for reply.

I configured the command in the instrument but the result is the same...

Giuseppe Larosa · ‎08-22-2019

Hello Snika,

you are using redundant interfaces on the ASA.

For example you create the OA (outside aggregate )

interface Redundant1
member-interface GigabitEthernet1/1
member-interface GigabitEthernet1/2
nameif OA
security-level 0
ip address 192.168.94.11
!

Then you have a default static route using OA interface

route OA 0.0.0.0 0.0.0.0 192.168.94.1

Then looking at the C4500 switches configuration we find the following interfaces declared as connected to ASA member interfaces of OA:

C4500-1:

interface GigabitEthernet7/46
description 3F_MDF_OA_ASA5508(gi1/1)
spanning-tree portfast edge
!

C4500-2:

interface GigabitEthernet7/46
description 3F_MDF_OA_ASA5508(gi1/2)
spanning-tree portfast edge
!

Note: with this configuration C4500-1:gi7/46 and C4500-2:gi7/46 are access ports in Vlan 1 ( default).

C4500-1:

interface Vlan1

ip address 192.168.94.2 255.255.255.0

standby 1 ip 192.168.94.1

standby 1 priority 200

standby 1 preempt delay minimum 300

!

C4500-2:

interface Vlan1
ip address 192.168.94.3 255.255.255.0
standby 1 ip 192.168.94.1
standby 1 preempt delay minimum 300
!
!

For this setup to work well C4500-1 must be the root bridge for Vlan 1.

the ASA must participate in STP.

This is actually configured we see:

C4500-1:

spanning-tree vlan 1-4094 priority 4096

C4500-2:

spanning-tree vlan 1-4094 priority 8192

I do not see any STP configuration on ASA.

check with show spanning-tree on ASA if a form of STP is running on it.

The same reasoning applies to the FA redundant interface on the ASA

interface Redundant2
member-interface GigabitEthernet1/7
member-interface GigabitEthernet1/8
nameif FA
security-level 0
ip address 192.168.247.11
!

route FA 192.168.0.0 255.255.255.0 192.168.247.1

Now we look at the C3850 switches

C3850-1

spanning-tree vlan 1-4094 priority 4096
ip routing

interface GigabitEthernet1/0/24
description ASA-g1/7
spanning-tree portfast edge

interface vlan1
ip address 192.168.247.2 255.255.255.0
standby 1 ip 192.168.247.1
standby 1 priority 200
standby 1 preempt delay minimum 300
!

C3850-2

spanning-tree vlan 1-4094 priority 8192
ip routing

interface GigabitEthernet1/0/24
description ASA-g1/8
spanning-tree portfast edge
!

interface vlan1
ip address 192.168.247.3 255.255.255.0
standby 1 ip 192.168.247.1
standby 1 preempt delay minimum 300
!

The switches configuration looks like fine C3850-1 is root bridge for vlan 1 and it is the HSRP active router.

Question:

there is a L2 trunk between C4500-1 and C4500-2 ?

and there is a L2 trunk between C3850-1 and C3850-2 ?

For example on C3850-1, C3850-2 there is a port-channel 1 using ports gi1/0/13 and gi1/0/14 mode on.

On C4500-1, C4500-2 I see a port-channel 1 mode on trunk on gi1/23, gi1/24.

Can you confirm these are the inter switch port channels ?

Can you ping IP 192.168.247.1 on interface FA?

Can you ping IP 192.168.94.1 on interface OA on the ASA?

Again STP should be running on ASA to make this setup to work. Check if it is active.

If it is not you need to enable it.

Edit:

Georg is right either change the security level on FA to a value different from zero or enable the commands proposed by Georg.

By default an ASA does not allow communication between interfaces with same security levels (unless you are using a firepower device in this case security-level is set to 0 but it is ignored)

Hope to help

Giuseppe

JustTakeTheFirstStep · ‎08-23-2019

Thank you for reply.

I answer your question.

As far as I know, the ASA does not support STP.

Because the ASA doesn't have the "show spanning-tree" command itself.

there is a L2 trunk between C4500-1 and C4500-2 ? YES

and there is a L2 trunk between C3850-1 and C3850-2 ? YES

For example on C3850-1, C3850-2 there is a port-channel 1 using ports gi1/0/13 and gi1/0/14 mode on.

On C4500-1, C4500-2 I see a port-channel 1 mode on trunk on gi1/23, gi1/24.

Can you confirm these are the inter switch port channels ? YES

Can you ping IP 192.168.247.1 on interface FA? YES

Can you ping IP 192.168.94.1 on interface OA on the ASA? YES

Again STP should be running on ASA to make this setup to work. Check if it is active.

If it is not you need to enable it. HOW?

Giuseppe Larosa · ‎08-23-2019

Hello,

can you post model and SW version of the ASA ?

a

show version

can be helpful.

Can you ping IP 192.168.247.1 on interface FA? YES

Can you ping IP 192.168.94.1 on interface OA on the ASA? YES

if you have basic connectivity working and you have also configured to allow traffic between interfaces with same security level it should work.

Hope to help

Giuseppe

JustTakeTheFirstStep · ‎08-24-2019

version : asa984-8-lfbff-k8

The attached script is missing commend but cofigured "same security level" later.

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

Georg Pauwen · ‎08-24-2019

Hello,

post the full running configuration of the ASA...

JustTakeTheFirstStep · ‎08-24-2019

attach running-config.

Georg Pauwen · ‎08-24-2019

Hello,

I don't see:

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

in the configuration...?

JustTakeTheFirstStep · ‎08-24-2019

Yes. The attached config is not included but I have "same security level" is configured

Is there any other problem? Is there a problem with routing?

JustTakeTheFirstStep · ‎08-24-2019

Attach a new running-config.

The most recent ASA setting.

This CONFIG is set to "same security".

Giuseppe Larosa · ‎08-24-2019

Hello Snika,

I see the ASA whole configuration.

Now you have the correct settings to allow traffic between interfaces with same security level.

>> same-security-traffic permit inter-interface
>>same-security-traffic permit intra-interface

I wonder about your internal static route:

You have configured the following:

>> route FA 192.168.0.0 255.255.255.0 192.168.247.1 1

This allows you to route packets for 192.168.0.0/24 to the internal C3850 switches.

Now, I think this subnet mask may be too much specific.

If you want to route traffic traffic to internal switches for multiple 192.168.x.0/24 you would need the following static route:

route FA 192.168.0.0 255.255.0.0 192.168.247.1 1

You haven't provided the full configuration of internal switches C3850 but it is unlike that you have only subnet 192.168.0.0/24 behind them.

Hope to help

Giuseppe

Richard Burts · ‎08-24-2019

If I am understanding this discussion correctly the problem is that ping is not working. The suggestion is that it is a failure of routing. I would suggest that it is not a problem with routing. If the switches attempt some other type of communication, perhaps something like SSH from one to another I believe that it would work. This is because I believe that that problem with ping is that by default the ASA does not inspect icmp and so does not recognize the ping traffic. If the original poster will add inspect icmp to the policy map I believe that ping will begin to work.

HTH

Rick

HTH

Rick

Giuseppe Larosa · ‎08-24-2019

Hello Rick,

so the original poster should add an inspect icmp in the following configuration:

>> policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!

Very good note.

Best Regards

Giuseppe