09-27-2018 08:58 PM - edited 03-05-2019 10:57 AM
Hello,
I'm hoping someone can help with a strange problem I'm having. It seems like a routing and/or NAT problem, but I'm not sure what is causing it. I just set up a new network in my home this week with a new Cisco ASA 5506-X, a Catalyst 3650 24-port switch and a 1921 router.
Just about everything is working fine except a few minor issues I can't figure out.
- Neither of my internal LAN switches behind the ASA will synchronize their time with NTP servers, even though the ASA and Router have no issues syncing using the same public NTP servers.
- From the ASA and Router I can ping just about any IP address whether it is on the Internet or the LAN, but with my switches I can only ping internal LAN IP addresses. However, on a PC connected to one of the switches, I can ping both Internet and LAN IP addresses like with the ASA and Router. What gives? I assume this also has to do with issue 1 above.
- My primary L3 Catalyst 3650 switch seems to have high pings based on the attached outputs. However, it doesn't seem to affect my speed or latency tests. Should this be anything to be concerned about?
- Lastly, I haven't tried yet, but will it be more difficult for me to open up a port to my desktop PC being that I've added a router and L3 switch to my setup based on the current configs?
I've attached a crude network diagram and all sanitized configs for review. Thanks!
Accepted Solutions
09-30-2018 08:45 PM - edited 10-01-2018 05:02 PM
Upgrading to the 9.9.2-18 ASA software version seems to have fixed both my SSH and speed issues. So I'm all good now.
Also I had forgotten my 2nd NIC in my desktop PC is attached to my Ooma Telo. The Ooma Telo is on VLAN30, so that is what was causing my computer to access the ASA on VLAN30 over SSH.
09-28-2018 12:32 AM
1) see 2
2) the default route next hop IP on your 3560 is 10.55.1.2 but that is the outside interface of the ASA and the 3560 has no idea how to get to that IP.
The next hop IP needs to be on the inside interface of the ASA, i.e. a subnet that the switch and the ASA share.
3) If traffic passing through the switch is fine and the CPU/memory usage is not too high it is okay as L3 switches have to process pings to IPs on the switch itself in software as opposed to hardware.
4) see below.
You do not need L3 interfaces for the subnets on both the ASA and the 3560 switch so you need to decide where you want to route the vlans.
If you want the ASA to route between all the vlans then you can remove the L3 SVIs on the 3560, turn off ip routing and just have one SVI for management.
If you want the 3560 to route between the vlans you just have a single IP on the ASA inside interface and this would be the next hop IP for the default route on the 3560.
Regardless of which you choose you should not have a L3 interface for the DMZ on your 3560 as it defeats the purpose of isolating that subnet.
Jon
09-28-2018 07:19 AM - edited 09-28-2018 07:21 AM
Jon,
Thanks for your reply. So it sounds like I've over-configured everything based on your thoughts.
1 & 2) The only other IPs I have on the ASA to use as the next hop for the switch are the VLANs. I made VLAN 10 the native VLAN, is that the next hop IP that should be used on the 3650?
3) Thanks. I've attached the ping responses and NTP status for each device and my desktop PC. I tried to attach those originally but it only allows 5 attachments. The only ones that are high are the 3650 switch, but that may be due to the issues you've pointed out.
4) What is best practice in this case? Or does it matter? I'm thinking of removing the VLANs from the 3650 switch. I didn't really need a L3 switch, but it has a WLAN controller built in that I wanted to learn about and it was cheap at the time.
09-29-2018 09:38 AM - edited 09-29-2018 09:40 AM
So I was finally able to redo my configs this morning. I removed the subinterfaces on the ASA 5506 and now just have an IP address assigned to int G1/2. I also added some static routes for the inside VLANs to the ASA. I added a new VLAN 99 to my switch and gave it an IP range the same as the G1/2 port on the ASA, then set the G1/1/1 port on my switch as an access port to that VLAN since it is connected to G1/2 on the ASA.
This fixed my ping issues and NTP synchronization issues for my primary Cisco 3650 switch. However, I still can't ping any internet addresses (8.8.8.8) and NTP synchronization is still not working on my secondary Cisco C2960G switch that is trunked to the 3650. The devices on the secondary switch can ping Google (8.8.8.8) and have internet access, etc.
Also I can't access my ASA via SSH now; only the console cable seems to work with this new config. Any ideas? New configs are attached; nothing changed on the router config from before.
09-29-2018 11:00 AM
I swear I sometimes miss the simplest things! So for the benefit of others, on my Cisco C2960G switch I was able to add ip default-gateway 10.1.1.2, which points back to the IP of my main 3650 switch, and this fixed my ping and NTP problems on the C2960G. I didn't need this command on the 3650 since it is layer 3, but it is obviously needed on a layer 2 only switch.
I'm still trying to fix my ASA SSH issue, but I think that is routing issue as well.
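A small config lint for the two default-route points in this thread (Jon's rule that the next hop must sit on a subnet the switch is directly connected to, and the ip default-gateway fix needed on the layer 2 switch), as an added example that is not part of the thread or its attached configs. The switch snippets, the VLAN 99 addresses and the DMZ subnet are constructed; 10.55.1.2 and 10.1.1.2 are the addresses mentioned in the posts above.

```python
import ipaddress
import re

# Constructed sample configs (not the thread's attached configs). L3_BAD reproduces
# Jon's diagnosis: the default route points at 10.55.1.2, the ASA outside address,
# which is on no subnet the switch is connected to.
L3_BAD = """ip routing
interface Vlan10
 ip address 10.10.1.1 255.255.255.0
interface Vlan99
 ip address 10.1.99.2 255.255.255.0
ip route 0.0.0.0 0.0.0.0 10.55.1.2
"""
L3_GOOD = L3_BAD.replace("10.55.1.2", "10.1.99.1")  # hop on the shared VLAN 99 subnet
L2_NO_GW = "interface Vlan1\n ip address 10.1.1.5 255.255.255.0\n"
L2_GOOD = L2_NO_GW + "ip default-gateway 10.1.1.2\n"

def parse(cfg):
    """Return (ip routing enabled, connected networks, configured next hop or None)."""
    routing = re.search(r"^ip routing$", cfg, re.M) is not None
    nets = [ipaddress.ip_network(f"{a}/{m}", strict=False)
            for a, m in re.findall(r"^\s*ip address (\S+) (\S+)$", cfg, re.M)]
    # An L3 switch uses 'ip route 0.0.0.0 0.0.0.0'; a pure L2 switch needs
    # 'ip default-gateway' for its own management traffic (NTP, ping, SSH).
    pat = r"^ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+)$" if routing else r"^ip default-gateway (\S+)$"
    hit = re.search(pat, cfg, re.M)
    return routing, nets, (ipaddress.ip_address(hit.group(1)) if hit else None)

def check_gateway(cfg):
    """Flag a missing or unreachable default next hop."""
    routing, nets, hop = parse(cfg)
    if hop is None:
        return "missing " + ("ip route 0.0.0.0 0.0.0.0" if routing else "ip default-gateway")
    if not any(hop in n for n in nets):
        return f"unreachable: {hop} is not on a directly connected subnet"
    return "ok"

def check_dmz_isolation(cfg, dmz_subnet):
    """Jon's point 4: an SVI inside the DMZ subnet on the LAN switch lets DMZ
    traffic bypass the ASA. Returns the offending connected networks."""
    dmz = ipaddress.ip_network(dmz_subnet)
    return [str(n) for n in parse(cfg)[1] if n.overlaps(dmz)]

if __name__ == "__main__":
    for name, cfg in [("L3_BAD", L3_BAD), ("L3_GOOD", L3_GOOD),
                      ("L2_NO_GW", L2_NO_GW), ("L2_GOOD", L2_GOOD)]:
        print(name, check_gateway(cfg))
    # Constructed DMZ subnet and SVI; the thread does not give the real ones.
    leaky = L3_BAD + "interface Vlan50\n ip address 172.16.50.1 255.255.255.0\n"
    print("DMZ SVIs on switch:", check_dmz_isolation(leaky, "172.16.50.0/24"))
```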
09-30-2018 07:10 AM - edited 09-30-2018 07:11 AM
Hello
@Zaleon wrote:
I'm still trying to fix my ASA SSH issue, but I think that is routing issue as well.
Having not seen your ASA config or any logging relating to why SSH is failing, I cannot comment.
Example:
! RSA host key used by the SSH server
crypto key generate rsa label TST modulus 2048
ssh version x
! source network/mask allowed to manage the ASA, and the interface it arrives on
ssh x.x.x.x y.y.y.y (inside or outside interface)
! local admin account used by the LOCAL aaa method below
username xxx password xxxxx
username xxx privilege 15
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.
Kind Regards
Paul
09-30-2018 08:29 AM
Well it is working now, but it doesn't make any sense to me. Even though my computer is on static IP for VLAN10 (10.10.1.0/24), the http and ssh will only work if I have the statement ssh/http 0.0.0.0 0.0.0.0 inside or 192.168.5.0 255.255.255.0 inside.
I noticed when I logged into ASDM it said I had so many previous logins from 192.168.5.42. So for whatever reason the ASA thinks my computer is on VLAN30 (192.168.5.0/24) even though it's obviously not. The switchport is set to VLAN10 and my computer has a 10.10.1.15/24 address.
Also it seems that since I've removed the VLANs/SVIs from the ASA and have them only on the 3650 switch, my throughput has dropped by 5-6 Mbps. I have a 100 Mbps fiber connection to the WAN and I was consistently getting 100 Mbps on both upload and download speeds with how it was configured originally. However, now I get 94.5 Mbps down and around 96.5-96 Mbps upload consistently. It seems like it should be more streamlined now, so what would cause this to drop?
09-30-2018 10:06 AM
Hello
If you need to allow access from the WAN interface, then apply an ssh statement specifying the WAN interface for the ingress traffic.
Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.
Kind Regards
Paul