Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1204
Views
2
Helpful
10
Replies

Firepower Sub-Interfaces not receiving traffic

Go to solution
alex-j-seal
Level 1
Level 1

‎08-23-2024 09:53 AM

Hi All,

Any help I can gather here would be appreciated.

We are currently migrating from ASAs to 2 FPR1140s in HA pair. We have the outsides configured and we have a few interfaces populated.

Currently we have an ASA HA pair that has 2 sub interfaces on its inside connection. One for Wireless and one for Ethernet connections.

This sub int is 10.10.1.x/24 and all of our VLANs route traffic to it via the Catalyst switches using defined routes on the switches.

When recreating this set up on the FTDs we are not hitting the FTD when trying to change the routes defined on the switch.

The route on the switch is:

Ip route 0.0.0.0 0.0.0.0 10.10.1.x (the sub interface ip)

But our L3 VLANs are not hitting this address to get out to the Internet.

Each VLAN has its respective address filled out as the .1 of that range and they are all /24.

Is there a fundamental difference that I am missing between ASAs and FTDs and how they handle traffic in the scenario we have?

The reason we route the traffic on the switch is that we have a fail over line that goes through to a DC we have.

Please any guidance would be helpful.

Thanks

A

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
MHM Cisco World
VIP
VIP
In response to alex-j-seal

‎08-23-2024 10:26 AM

If ypu have subinterface for all vlan in ftd and this subinterface IP is GW IP for hosts then staitc route not work

You need

Vlan SVI in SW be GW IP

transit vlan OR router port between SW and ftd and use this vlan to forward traffic to ANY (defualt route)

MHM

View solution in original post

0 Helpful
10 Replies 10

Go to solution
MHM Cisco World
VIP
VIP

‎08-23-2024 09:58 AM

What vlan you use to connect SW to FTD ?

Are you sure interface is UP and enable?

MHM

0 Helpful

Go to solution
alex-j-seal
Level 1
Level 1
In response to MHM Cisco World

‎08-23-2024 10:05 AM

Hi thanks for the response,

The VLAN is our VLAN11 on the switch, it has a corresponding sub interface mapped to VLAN11 as well. The IP used for this address on the sub int is .253 and .254 for the standby.

The switch has an IP configured for this VLAN of .1.

It is up and enabled, the connection from the switch to the FPR is a dot1q trunk allowing all VLANs.

We can ping .253 and .254 from the switch, and on the firewall we can ping the .1 address. The problem comes when we try to push the routes on the switch to this .253 address, nothing can see it.

Try to ping it from any other VLAN and it dies, ping from the VLAN11 and it can see .253

Thanks

A

0 Helpful

Go to solution
MHM Cisco World
VIP
VIP
In response to alex-j-seal

‎08-23-2024 10:10 AM

Static route need to be toward active FW 

Also can I see topolgy thanks 

MHM

0 Helpful

Go to solution
alex-j-seal
Level 1
Level 1

‎08-23-2024 10:12 AM

Static route needs to be towards the Firewalls active IP? Being the management IP rather than the sub interface IP?

I can get topology next week, I am no longer on premises.

Thanks

A

Go to solution
MHM Cisco World
VIP
VIP
In response to alex-j-seal

‎08-23-2024 10:15 AM

Static route needs to be towards the Firewalls active IP? Being the management IP rather than the sub interface IP?

Subinterface IP of active unit

Otherwise the traffic will drop

MHM

0 Helpful

Go to solution
alex-j-seal
Level 1
Level 1
In response to MHM Cisco World

‎08-23-2024 10:21 AM

OK yeah, that's how we have it. It's going to the sub interface IP of the chosen VLAN. Which is the .253.

We were attempting to route all traffic through one VLAN rather than have a sub interface for every single VLAN we have.

Every VLAN on the switch is being routed on the switch and so we thought there may be L3 conflicts between the FTD and the Catalysts.

Thanks

A

0 Helpful

Go to solution
MHM Cisco World
VIP
VIP
In response to alex-j-seal

‎08-23-2024 10:26 AM

If ypu have subinterface for all vlan in ftd and this subinterface IP is GW IP for hosts then staitc route not work

You need

Vlan SVI in SW be GW IP

transit vlan OR router port between SW and ftd and use this vlan to forward traffic to ANY (defualt route)

MHM

0 Helpful

Go to solution
alex-j-seal
Level 1
Level 1
In response to MHM Cisco World

‎08-23-2024 11:07 AM

Thank you for this, so doing some further reading I want an Access port not a Trunk from the switch to the firewall.

And then use the VLAN assigned to just transit traffic.

Point our static routes to the interface IP and then we should see traffic flow. 

Please tell me if we have this wrong.

Many thanks

A

0 Helpful

Go to solution
MHM Cisco World
VIP
VIP
In response to alex-j-seal

‎08-23-2024 11:13 AM

Just to clarify 

Solution

Sw(vlan xx)-access port-l3 port in FTD 

L3 port in ftd have IP in same subnet of vlan xx

The SW have VLAN SVI for vlan xx

The SW use defualt route toward active unit L3 port ftd

MHM

0 Helpful

Go to solution
alex-j-seal
Level 1
Level 1
In response to MHM Cisco World

‎08-23-2024 11:15 AM

Got it!

Thank you, I will put it into effect next week and feedback.

A

Customers Also Viewed These Support Documents