cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
642
Views
5
Helpful
15
Replies

Routing issue 3560

Stacey Hummer
Level 1
Level 1

So, with all the changes on my network I seem to have forgotten all the basic information I have learned over time. I have my 3560 as the "core" switch/router running ospf. Everything works fine on the switch itself. But on port G0/21 is my ASA firewall. As I've previously posted the IPs I will do again.

Core switch 3560 - 10.2.0.2

                     G0/21 no switchport ip address 10.3.0.4 -------> ASA 10.3.0.10

From the 3560 I can ping 10.3.0.10 no problem.

I did a extended ping and said to ping from 10.2.0.2 and was not able to ping 10.3.0.10 which is sitting attached to G0/21

Routing entry for 10.3.0.0/24
  Known via "connected", distance 0, metric 0 (connected, via interface)
  Redistributing via eigrp 100, ospf 100
  Routing Descriptor Blocks:
  * directly connected, via GigabitEthernet0/21
      Route metric is 0, traffic share count is 1

 

router ospf 100
 router-id 10.2.0.2
 redistribute connected subnets
 redistribute static subnets
 network 10.2.0.0 0.0.255.255 area 0
 network 10.3.0.0 0.0.0.255 area 0
 network 10.4.1.0 0.0.0.255 area 0
 network 10.4.2.0 0.0.0.255 area 0
 network 10.4.0.0 0.0.255.255 area 0
 network 172.18.0.0 0.0.255.255 area 0
 network 192.168.1.0 0.0.0.255 area 0
 default-information originate

3560_B86_Core#ping 10.3.0.10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.3.0.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/9 ms

3560_B86_Core#ping
Protocol [ip]:   
Target IP address: 10.3.0.10
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface: 10.2.0.2
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.3.0.10, timeout is 2 seconds:
Packet sent with a source address of 10.2.0.2
.....

 

What am I missing ??? :(

Thanks in advance

 

 

15 Replies 15

Jon Marshall
Hall of Fame
Hall of Fame

Stacey

Are you running OSPF on the ASA ?

If not does the ASA have a route back for that subnet ie.

"route inside 10.2.0.0 255.255.0.0 10.3.0.4"

Jon

From the ASA

S*    0.0.0.0 0.0.0.0 [1/0] via X.X.X.113, Outside
S        10.0.0.0 255.0.0.0 [1/0] via 10.3.0.4, Inside
C        10.2.0.0 255.255.0.0 is directly connected, Management
L        10.2.0.246 255.255.255.255 is directly connected, Management
C        10.3.0.0 255.255.0.0 is directly connected, Inside
L        10.3.0.10 255.255.255.255 is directly connected, Inside

No OSPF on ASA

XENA-ASA# ping 10.2.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.0.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/10 ms
XENA-ASA# ping 10.2.0.26
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.0.26, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/10 ms
XENA-ASA# ping 10.3.0.4
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.3.0.4, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/10 ms
XENA-ASA#

So you have a direct connection from the management interface back to your 3560 ?

Jon

Yes

Is 10.2.0.2 a loop back address?

Can you do a show ip route on the switch and copy and paste the output?

This is from the Core switch.

The 10.2.0.2 is not a loopback interface it's the vlan 1 ip address (yes, I know my bad). Working on getting off that vlan. Addresses other than 10.2.0.0/16 are actually on different vlans from a different distribution switch.

 

Gateway of last resort is 10.3.0.10 to network 0.0.0.0

S*    0.0.0.0/0 [1/0] via 10.3.0.10
      10.0.0.0/8 is variably subnetted, 24 subnets, 4 masks
C        10.2.0.0/16 is directly connected, Vlan1
L        10.2.0.2/32 is directly connected, Vlan1
C        10.3.0.0/24 is directly connected, GigabitEthernet0/21
L        10.3.0.4/32 is directly connected, GigabitEthernet0/21
O        10.3.1.0/24 [110/3] via 10.2.0.3, 00:45:33, Vlan1
O        10.3.2.0/24 [110/3] via 10.2.0.3, 00:45:33, Vlan1
O        10.3.3.0/24 [110/3] via 10.2.0.3, 00:45:33, Vlan1
O        10.3.4.0/24 [110/3] via 10.2.0.3, 00:45:33, Vlan1
O        10.3.6.0/24 [110/2] via 10.2.0.3, 00:45:33, Vlan1
C        10.4.1.0/24 is directly connected, Vlan120
L        10.4.1.1/32 is directly connected, Vlan120
C        10.4.2.0/24 is directly connected, Vlan121
L        10.4.2.1/32 is directly connected, Vlan121
O        10.5.1.4/30 [110/2] via 10.2.0.3, 00:45:33, Vlan1
O        10.5.1.8/30 [110/2] via 10.2.0.3, 00:45:33, Vlan1
D        10.8.0.0/24 [90/3072] via 10.2.0.27, 04:25:52, Vlan1
D        10.8.1.0/24 [90/3072] via 10.2.0.27, 04:25:52, Vlan1
D        10.8.2.0/24 [90/3072] via 10.2.0.3, 04:25:52, Vlan1
D        10.8.3.0/24 [90/3072] via 10.2.0.3, 04:25:52, Vlan1
D        10.8.4.0/24 [90/3072] via 10.2.0.3, 04:25:52, Vlan1
O        10.8.5.0/24 [110/2] via 10.2.0.26, 00:45:33, Vlan1
O IA     10.10.10.0/30 [110/2] via 10.2.0.60, 00:45:33, Vlan1
C        10.25.0.0/24 is directly connected, Vlan550
L        10.25.0.2/32 is directly connected, Vlan550
      172.17.0.0/24 is subnetted, 1 subnets
O E2     172.17.20.0 [110/20] via 10.2.0.60, 00:45:33, Vlan1
      172.18.0.0/24 is subnetted, 1 subnets
O E2     172.18.0.0 [110/20] via 10.2.0.60, 00:45:33, Vlan1

Stacey

This is why some people don't manage the ASA with the management interface.

What you need is for the management interface to be in a VRF so it's route wouldn't show up in the global routing table and then your ping would work.

But ASAs don't support VRFs.

You could use a separate context just for management because this would create a separate routing table as well although I have never done this as it seems like a bit of a waste of a context to me.

But that is just my opinion. 

Either way you don't want your management interface in a vlan that has clients in it anyway. If you are running a dedicated connection to the 3560 then you should have a dedicated vlan for it, or at least a dedicated management vlan which could include your switches etc.

Jon

Jon,

So if I was to create a vlan specifically for the management interface say vlan 999 and ip address of 192.168.2.0/24. Assign the management interface as 192.168.2.1 and the vlan 999 on the core as 192.168.2.2 would that resolve the issue?

Unfortunately I won't be able to create a separate context for the management interface since we need the ASA in route mode not transparent.

Thanks for all your help.

Unfortunately no it wouldn't unless you always connected from an IP in the 192.168.2.x subnet.

If you try to connect from any other IP the traffic is routed to the management interface on the ASA correctly because your 3560 has an SVI for that subnet.

But the ASA will then look at it's routing table and see the return path for that subnet ie. not a 192.168.2.x IP via the inside interface.

This was always an issue with the management interface. I haven't used the more recent ASA versions of code but it still seems to be an issue.

One solution I have used is if you can NAT all the source IPs to an IP from the 192.168.2.x subnet when going to the ASA management interface then the ASA would route the traffic back correctly but your 3560 doesn't support NAT unfortunately.

I'll  have a dig around in case there is some way of doing it with the later releases or I have missed something.

Or you could post into the Firewalling forum to see if there is a way I am not aware of.

Just for your reference you can have contexts in routing mode, you don't need to be in transparent mode for that. Although I'm still not sure it is worth it to be honest. 

Jon

Jon,

You've been of great assistance, thank you very much. I shall go troll the firewall forum now :(

 

Stacey

Stacey

No problem.

By all means link back to this post if it helps..

Hope you get a resolution.

Jon

Good day. Jon was spot on with all the routing questions.......... However, I may be mistaken, but it seems you have a subnet mask mismatch. On the ASA the 10.3.0.x is a /16, but on the switch it's a /24, and the ports are both routed and connected to each other. I don't think it's going to solve your routing issues though. All the addresses you pinged fro the ASA are directly connected via either the management interface (10.2.x.x) or the Direct link on Gi 0/21 (10.3.0.4). Do you need to manage the ASA via the Management interface? Is it a requirement?

Just to add.

Even with a dedicated vlan it doesn't really work that well.

The problem is the ASA knows about all the internal subnets except the management vlan via it's inside interface.

Which means if you try to connect internally from any other vlan then the 3560 will route the traffic to the management interface correctly but then the ASA sees a route back via the inside interface.

Jon

Sorry, I was posting at the same time.

See previous response above.

Jon

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Innovations in Cisco Full Stack Observability - A new webinar from Cisco