Hello @Giuseppe Larosa 

I posted the results of sdm prefer earlier. Is that not it?

I believe that what @Giuseppe Larosa is suggesting is that you change sdm prefer from desktop to routing. You might give it a try but I am not optimistic that it will solve your issue. I believe that the issue may be that you have the lanbase license and that may not support PBR.

I am thinking about why the static route for 8.8.8.8 did not work. And I am wondering if the issue might be whether there is address translation for the new subnet. Would you try the static route again and this time test with traceroute instead of ping? I would like to make sure that the packet does use 172.18.90.1 as the next hop, and whether the packet makes it past that next hop.

And I am thinking that perhaps the best advice is to not try to do testing from the switch but to configure a switch port for the new vlan, connect a PC to that port, and test from the PC rather than from the switch.

I have an IP phone connected to g1/0/3 on the switch for testing. Right now it cannot reach the internet and has no dial tone.

It receives a DHCP address but that's it.

OSB-Harlem#sh run int g1/0/3
Building configuration...

Current configuration : 118 bytes
!
interface GigabitEthernet1/0/3
switchport mode access
switchport voice vlan 444
spanning-tree portfast edge
end

OSB-Harlem#sh cdp nei g1/0/3
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
S - Switch, H - Host, I - IGMP, r - Repeater, P - Phone,
D - Remote, C - CVTA, M - Two-port Mac Relay

Device ID Local Intrfce Holdtme Capability Platform Port ID
SEP64167fbc47cf Gig 1/0/3 166 H P Polycom V Port 1

Total cdp entries displayed : 1

OSB-Harlem#sh mac add
OSB-Harlem#sh mac address-table int g1/0/3
Mac Address Table
-------------------------------------------

Vlan Mac Address Type Ports
---- ----------- -------- -----
1 6416.7fbc.47cf DYNAMIC Gi1/0/3
444 6416.7fbc.47cf DYNAMIC Gi1/0/3
Total Mac Addresses for this criterion: 2
OSB-Harlem#sh ip arp 6416.7fbc.47cf
Protocol Address Age (min) Hardware Addr Type Interface
Internet 172.80.90.11 12 6416.7fbc.47cf ARPA Vlan444
OSB-Harlem#ping
Protocol [ip]:
Target IP address: 8.8.8.8
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 172.80.90.11
% Invalid source. Must use same-VRF IP address or full interface name without spaces (e.g. Serial0/1 )

There is an ACL and NAT policy on the firewall for the voice network. I attached images.

Thanks for the additional information. I am a bit surprised to see entries in the mac address table for that mac showing in both vlan 1 and vlan 444. Is there a way to verify that the phone has correct IP address, mask, and gateway? Is there a way to verify that the phone can access its gateway?

Unfortunately, I was unable to find a way to verify the gateway.

show cd neighbor detail was not helpful.

OSB-Harlem#sh cdp nei g1/0/3 ?
detail Show detailed information
| Output modifiers
<cr>

OSB-Harlem#sh cdp nei g1/0/3 de
OSB-Harlem#sh cdp nei g1/0/3 detail
-------------------------
Device ID: SEP64167fbc47cf
Entry address(es):
IP address: 172.80.90.11
Platform: Polycom VVX 311, Capabilities: Host Phone
Interface: GigabitEthernet1/0/3, Port ID (outgoing port): Port 1
Holdtime : 169 sec

Version :
Updater: 5.7.2.21547, App: 5.5.2.8571

advertisement version: 2
Duplex: full
Power drawn: 5.000 Watts

Total cdp entries displayed : 1
OSB-Harlem#

Hello @Uche Akunwafor ,

use a PC for basic tests by configuring the port in access mode for VLAN 444 so that it is easier to understand what is happening.

Your phone is

>> Platform: Polycom VVX 311, Capabilities: Host Phone

the two entries for the MAC in VLAN 1 and in VLAN 444 can be temporary and it can be the result of the phone booting first in VLAN 1 and then getting an IP address from Voice VLAN.

Or are just the CDP frames that travel untagged.

However, it is easier to use a PC to make connectivity tests to the internet in VLAN 444.

if the PC can go to the internet you wll know that NAT confguration is fine for VLAN 444 and also security policies.

Hope to help

Giuseppe

Alright @Giuseppe Larosa 

I will try that. It's a remote office so I will have to schedule a day to go over there and test with my laptop.

One indirect way to sort of confirm the gateway would be to check the arp table on the ASA. If it has an entry for 172.80.90.11 then we know that they have some communication and probably the phone does have the ASA as its gateway. It is not as good as checking the gateway from the phone. But it would be a step in the right direction.

Hi @Richard Burts 

You are right. That showed up in the ASA's ARP table

Cisco Fire Linux OS v6.6.4 (build 3)
Cisco ASA5516-X Threat Defense v6.6.4 (build 59)

> system support d
debug-DAQ debug-DAQ-reset debug-DAQ-show diagnostic-cli dump-table
> system support diagnostic-cli
Attaching to Diagnostic CLI ... Press 'Ctrl+a then d' to detach.
Type help or '?' for a list of available commands.

osbny-harlem-5516-01# en
^
ERROR: % Invalid input detected at '^' marker.
osbny-harlem-5516-01# show arp
outside 172.254.172.113 f4b5.2f0f.74c9 0
inside 172.80.80.114 6c4b.9014.ddf2 0
inside 172.80.80.117 e0cb.bc97.0954 1
inside 172.80.80.24 001d.0001.41fe 3
inside 172.80.80.175 6c4b.903d.9290 3
inside 172.80.80.90 6c4b.9014.ddd3 5
inside 172.80.80.107 6c4b.903d.928d 6
inside 172.80.80.102 6416.7fbc.4a98 8
inside 172.80.80.96 6416.7fbc.4a8d 8
inside 172.80.80.91 6416.7fbc.47ef 10
inside 172.80.80.187 6c4b.903d.926b 12
inside 172.80.80.105 ac17.c810.36de 13
inside 172.80.80.100 6416.7fbc.4a3e 16
inside 172.80.80.84 6c4b.9014.de99 19
inside 172.80.80.116 6c4b.9032.2ae5 24
inside 172.80.80.254 b4de.31cb.7263 31
inside 172.80.80.109 6c4b.903d.927a 33
inside 172.80.80.61 6c4b.903d.03b6 33
inside 172.80.80.95 6c4b.903d.9292 35
inside 172.80.80.88 6c4b.903d.9259 48
inside 172.80.80.183 14f6.d86e.a21c 56
inside 172.80.80.110 90fb.a67b.59fe 58
inside 172.80.80.181 a217.dece.ceaf 66
inside 172.80.80.180 a277.8ff1.c8f2 93
inside 172.80.80.99 0077.8d90.7f6a 116
inside 172.80.80.93 6416.7fbc.49b6 145
inside 172.80.80.104 6416.7fbb.910e 155
inside 172.80.80.182 3237.9325.25e1 157
inside 172.80.80.97 6416.7fbb.9126 160
inside 172.80.80.89 6416.7fbb.90d3 160
inside 172.80.80.87 6416.7fbc.4a3f 169
inside 172.80.80.92 6416.7fbc.482c 181
inside 172.80.80.101 6416.7fbc.4a3b 192
inside 172.80.80.112 a0c5.89d5.bc0e 386
inside 172.80.80.83 0023.24b5.d263 437
inside 172.80.80.98 6416.7fbc.4a42 516
inside 172.80.80.108 6416.7fbc.49e7 552
inside 172.80.80.60 6416.7f12.9f4c 562
inside 172.80.80.111 6416.7f8e.a1c7 718
inside 172.80.80.69 d8cb.8a2c.b018 727
inside 172.80.80.113 6416.7fbc.4826 799
inside 172.80.80.81 6c4b.90ab.66fb 1025
inside 172.80.80.82 54ef.92b5.84ff 1383
inside 172.80.80.103 b4de.31cb.7264 1421
inside 172.80.80.154 24fc.e585.f662 3390
inside 172.80.80.150 e02f.6d62.ee66 8062
inside 172.80.80.49 5838.7939.f48d 8129
inside 172.80.80.2 5087.89c8.8840 8610
voice 172.80.90.11 6416.7fbc.47cf 177
voice 172.80.90.2 5087.89c8.8841 4322
osbny-harlem-5516-01# show arp | voice
^
ERROR: % Invalid input detected at '^' marker.
osbny-harlem-5516-01# show arp | i voice
voice 172.80.90.11 6416.7fbc.47cf 252
voice 172.80.90.2 5087.89c8.8841 4396
osbny-harlem-5516-01#

Hello,

So I connected a laptop to the port assigned to voice vlan 444 and got internet access for a reason I do not understand.

This is the laptop output:

I am getting an IP address from the main subnet: 172.80.80.0/24

This is the switch output with the laptop connected to the port on vlan 444.
OSB-Harlem#sh run int g1/0/3
Building configuration...

Current configuration : 118 bytes
!
interface GigabitEthernet1/0/3
switchport mode access
switchport voice vlan 444
spanning-tree portfast edge
end

OSB-Harlem#sh mac add
OSB-Harlem#sh mac address-table g1/0/3
^
% Invalid input detected at '^' marker.

OSB-Harlem#sh mac address-table int g1/0/3
Mac Address Table
-------------------------------------------

Vlan Mac Address Type Ports
---- ----------- -------- -----
1 000e.c6a9.176f DYNAMIC Gi1/0/3
Total Mac Addresses for this criterion: 1
OSB-Harlem#sh ip arp 000e.c6a9.176f
Protocol Address Age (min) Hardware Addr Type Interface
Internet 172.80.80.218 0 000e.c6a9.176f ARPA Vlan1
OSB-Harlem#sh run int vlan 444
Building configuration...

Current configuration : 63 bytes
!
interface Vlan444
ip address 172.80.90.2 255.255.255.0
end

OSB-Harlem#

The laptop connects to vlan 1 and gets a DHCP address.