2210 Views | 0 Helpful | 24 Replies

Core Network Routing Issue

Dear All, we have a network composed of two 5525 ASA firewalls configured for failover, two 4507 switches configured as the core/distribution layer (they are configured as DHCP servers for separate scopes, with static and OSPF routing and their own loopback addresses, and a Layer 2 EtherChannel between them), and 2960 switches at the access layer. The problem is that when both 4507 switches are working together the internet becomes terribly slow, but if one of them is down the internet connection becomes fast and stable. Sometimes we can't even ping the IP address of the Ephone (the service provider's DSL device), which is connected to the outside interface of the ASAs.

Please advise on the issue.

BR

24 Replies

access-list 100 permit ip 10.6.2.0 0.0.0.255 any

Why do you have the above ACL applied inbound on the trunk link to your access switch?

What is it meant to be doing?

Jon

10.6.2.0 is a management VLAN IP address.

Yes, I know; you posted the configurations.

But why have you applied the ACL on the trunk link? That is what I am asking.

Jon

Hi Jon,

There was an ACL configured for some other requirement, but for the current scenario it's not needed. Do you think there is a way of having the same SVI IP addresses on the two 4500s on the same network, if that would solve my routing issue?

Firstly, if that ACL is not needed I would remove it from the trunk links.

You can set up HSRP, which uses a virtual IP; if one switch fails the VIP moves to the other switch.

The thing is, that requires a fair bit of change in your configuration, and although I think you should do it anyway, I don't want to say just do it only to see if it fixes the issue.

First, are both switches up at the moment, or just one?

What I would like, if both switches are up, is for you to run some traceroutes from clients in different VLANs who use each switch as their default gateway, and also to look at spanning tree to see if you have any issues there.

It's difficult to say what is happening at the moment, and if you are currently only working with one switch then we may just have to modify the configuration and see if it helps, but I can't guarantee it will, and I really don't like making changes just hoping they might fix it.

I prefer to make the changes when I know what the problem is, especially when it's not my network :-)

So what is the status of both switches at the moment?

Jon

Currently only one of them is up, which is DS1.

When both were up, did you do any traceroutes etc. to see what path traffic was taking?

How many active client VLANs do you have?

How many access switches are there?

Are the ASAs connected to different 4500s?

Jon

I don't have any traceroutes on hand, but I can get them by tomorrow since it's already 10:50 pm.

Earlier I checked the IP addresses on the client computers, and they are getting their IP address based on the STP priority I've given on the 4500 switches.

There are around 10-15 active client VLANs.

There are a total of 40 access switches, but only 15 of them are in production.

The ASAs are connected to different 4500 switches (DS1 & DS2).

"Earlier I checked the IP addresses on the client computers, and they are getting their IP address based on the STP priority I've given on the 4500 switches."

So basically one uplink blocks, and so the DHCP request does still go to both switches, but one takes the indirect path via the 4500 trunk interconnect, which means the direct switch is chosen.

If you could bring up the other switch and then pick a client that is having issues and do a traceroute, and also for that VLAN run

"sh spanning-tree vlan <num>" on the access switch and the 4500s, that might show us something.

Just checking the configs again, I assume you edited out most of the port configs. If the ACL is applied to all the other trunks to access switches, can you remove it from them as well?

Can you post the output of "sh int trunk" for the 4500 interconnect?

If you can't bring up the other switch, and I would understand why, can you still post the outputs asked for, other than the traceroute, which won't really show us anything?

Apologies for all the questions.

Jon

Okay, I've had a look at your configs and there are a number of issues.

1) The DHCP configuration. There is no redundancy, i.e.

ds1
====

interface Vlan20
 ip address 10.6.20.1 255.255.252.0

ip dhcp excluded-address 10.6.20.1 10.6.20.15

ds2
====

interface Vlan20
 ip address 10.6.20.2 255.255.252.0

ip dhcp excluded-address 10.6.20.1 10.6.21.255

For the above, VLAN 20 has a different IP on each SVI. In addition, you are not handing out any IPs from ds2 because you have excluded all the IPs.

If ds1 fails then all clients have the wrong default gateway and cannot even renew the lease, because ds2 cannot hand out any IPs.

2) Your ASA has a default route pointing to the outside, which is correct. But it has no routes for the inside subnets.

It does have OSPF configuration.

Are you running OSPF between the ASA and the 4500s?

If not, then I can't see how connectivity is working. Each 4500 does have a default route pointing to the ASA, but it is the return traffic I am trying to work out.

You say if you go down to one switch it all works fine; which switch is that?

I assume it is ds1, because if the only switch up is ds2 then I can't see how it works.

It does depend on which VLANs are in use; I just picked one as an example.

Unless I am missing something, your configuration needs changing so that both switches can act as the default gateway for clients if one of them is down.

Again, no criticism intended, but I am surprised you have any connectivity working properly at the moment.

Jon