Solved: Chris,Pasting below relevant

NInja Black · ‎08-25-2014

HI,

I know this is basic but is giving me a lot of head ache.

I had a /30 between the Router(3925) and the ASA(5515).

Installed EHWIC on the router to support ASA failover.

I loose connection when I change the mask at /29.

So currently the vlan interface at the router has address 10.xx.xx.xx/30 and ASA interface has 10.xx.xx.xx/29.

This works fine but the moment I change router's mask to /29 it looses connection.

Cant figure out why and I have checked all I could.

- Did shut/ no shut on the interface

- Speed/Duplex settings are set to auto both sides.

Its frustrating. Please help.

christopher jardine · ‎08-28-2014

so you are using a default route to the firewall from the ASA, what do you have for routing on the router? I think you mentioned EIGRP.

the only thing i can think of with out looking at the configs on both sides is maybe you have a static route on the router?

how's the TAC going?

on your router are you using the ip default-gateway?

View solution in original post

christopher jardine · ‎08-25-2014

i can think of 2 things

are the ip addresses you are using in the new /29 on the same subnet. <-- just checking

could you have an arp issue?

did you shut/no shut both sides?

if so try clearing the arp.

NInja Black · ‎08-26-2014

I did try shut/no shut but only on the router side. Will do it both sides.

Also clearing ARP should make it work. Didn't occur to me until u suggested.

Have to do it after 9pm. Will let you know how it goes.

Thanks!!!

christopher jardine · ‎08-26-2014

How did it go?

NInja Black · ‎08-26-2014

I am at the office right now. Tried everything in the last 30 mts. same thing.

Its frustrating.

- I cleared arp on both the firewall and the router.

- I shut/no shut both interfaces

- Even restarted both the devices with there ips 10.xx.xx.1/29 10.xx.xx.2/29. Nothing.

I changed just the router ip to 10.xx.xx.2/30 and it works. ???

I am at the office. If you have any ideas please suggest.

christopher jardine · ‎08-26-2014

Do you have a firewall rule blocking something on the new subnet?

christopher jardine · ‎08-26-2014

What are you using for routing? Does it match with your new subnet?

christopher jardine · ‎08-26-2014

Does the interface show as up?

NInja Black · ‎08-27-2014

Yeah the interface shows up. Thats another thing I didn't understand.

Also I am using EIGRP. When I do a tracert it seems to jump to its EIGRP neighbor instead of going to the directly connected route. I didn;t update the subnet on the eigrp neighbors but still shouldn't the connnected route be priority?

Did a ' sh ip ro' and the subnet shows directly connected.

Have to wait on the TAC case as the support for that office expired 2 months back. Just when I needed it. Will be getting it renewed asap.

christopher jardine · ‎08-27-2014

Last thing before i LAB this

can you ping the locally connected interface of the ASA?

if your router is 192.168.1.1/30 and your ASA is 192.168.1.2/30

can you ping 192.168.1.2 from the router?

if you can can you see in the arp table the correct mac for 192.168.1.2?

if you can't do you have anything setup that could be blocking it?

you say it's for redundancy, could there be anything in that config that wouldn't work for a /29 address?

NInja Black · ‎08-27-2014

ASA: 192.168.1.1/30

Router: 192.168.1.2/30

192.168.1.1/29 --- 192.168.1.2/30 > Pings (interface up)

192.168.1.1/29 --- 192.168.1.2/29 > Doesn't ping (interface up)

Can't think of anything thats blocking this.

I really appreciate your help in this Chris. Thanks!!!

christopher jardine · ‎08-27-2014

Can you see the counters on the interface going up when you ping?

if so is on the ingress or egress?

christopher jardine · ‎08-27-2014

Do you have any static routes?

christopher jardine · ‎08-27-2014

If you have a static route that's more specific going somewhere else it might be causing a problem

NInja Black · ‎08-27-2014

Chris,

Pasting below relevant config of both the router and the ASA.

Router

interface Vlan10
description Router_FW1_FW2
ip address 10.xx.xx.2 255.255.255.252
ip access-group 120 in
ip nat inside
ip virtual-reassembly in
!

interface GigabitEthernet0/0/0
description ASA_Primary
switchport access vlan 10
no ip address
!

access-list 120 permit ip any any

ASA Config

interface GigabitEthernet0/0
nameif outside
security-level 0
ip address 10.xx.xx.1 255.255.255.248
!

route outside 0.0.0.0 0.0.0.0 10.xx.xx.2 1

Help. Changing subnet mask looses connectivity.