Solved: Re: Unable to ping across 2960 switches

ahsan.ayub@ngc.com · ‎02-02-2022

I have a ASA-5516 connected to two Juniper SRX 345 Firewalls. I set them up initially connected through an unmanaged netgear switch at my desk, the IPSEC tunnels and VPN all worked correctly. However, once I put them in our Test-Bed and had to connect them through 3 Cisco 2960 switches it will not work. I can not ping to the physical interfaces across the switches. The ASA-5516 I used port 8 and then created 2 sub-interfaces 8.1 and 8.2. On the Juniper SRX 345s I used port port 7. I allowed all the vlans across the switches, but not able to communicate between the firewalls. I've attached the port configurations for all devices.

Any help will be appreciated.

Jon Marshall · ‎02-03-2022

I am not familiar with Juniper SRX devices but it looks like you are using tagging and you have configured the switch ports as access ports.

I would have thought they should be trunk ports or don't use vlan tagging ?

Jon

View solution in original post

ahsan.ayub@ngc.com · ‎02-03-2022

When looking at the local switch, I noticed the port connected to the SRX was not displaying vlan 500. I did some more research. I had to make the Juniper SRX ports access ports and use an IRB interface and disable vlan-tagging like you just suggested. Below are changes I made. Also I had to make some changes for the VPN portion for everything to come back online again. I think making the switchports trunks may have worked as well. I may try that another day. Thank you!

ge-0/0/7 {
description Phy_Lnk_to_ASA;
unit 0 {
family ethernet-switching {
interface-mode access;
vlan {
members ASA;

vlans {
ASA {
vlan-id 500;
l3-interface irb.500;
}

irb {
unit 500 {
family inet {
address 10.50.10.1/30;
}

View solution in original post

balaji.bandi · ‎02-02-2022

you mean to say, before cisco switches between, dumb hub work as expected, after cisco switch introuced its not working ?

have you created the VLAN 500 and 550

Can you post below information from both the switches : ( make sure switches configured VTP in transparent mode).

show vlan

show interface trunk

show spanning brief

show vtp status

Try switch side ;

switchport trunk encapsulation dot1q

ASA side try :

interface GigabitEthernet1/8.1

encapsulation dot1q 500 - respected interface

interface GigabitEthernet1/8.2

encapsulation dot1q 550 - respected interface

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

ahsan.ayub@ngc.com · ‎02-02-2022

Yes, that correct the "dumb-switch" everything worked but once I used the cisco sw it stopped working.

I have verified that the switch is in transparent mode. It will take me some time to get show commands you asked for, anything specific you are looking for?

I don't think the ASA-5516x lets you run the below command. My understanding is that the ASA automatically trunks once you create sub interfaces.

interface GigabitEthernet1/8.1

encapsulation dot1q 500 - respected interface

balaji.bandi · ‎02-02-2022

post below from both the switches.

show vlan

show interface trunk

show spanning brief

show vtp status

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Georg Pauwen · ‎02-02-2022

Hello,

the fastest way to resolve this is probably to configure an unused interface on the Cisco Remote switch like this:

interface GigabitEthernet1/0/15
switchport mode access
switchport access vlan 500
exit
interface GigabitEthernet1/0/15
switchport mode access
switchport access vlan 550
exit

This will automatically create both Vlans on that switch.

ahsan.ayub@ngc.com · ‎02-02-2022

The VLANs are already created. However, I tried it anyway and still no luck.

Georg Pauwen · ‎02-02-2022

Hello,

post the running configurations of the three switches, maybe we can spot something...

Richard Burts · ‎02-02-2022

I am trying to understand something from the original post. If the connections were through an unmanaged switch, how did it have 2 vlans?

HTH

Rick

ahsan.ayub@ngc.com · ‎02-03-2022

The vlans are created on the ASA and Juniper SRX. My best guess is the netgear switch ignores the vlan tag and just pushes the traffic.

ASA

interface GigabitEthernet1/8

no nameif

no security-level

no ip address

!

interface GigabitEthernet1/8.1

vlan 500

nameif outside_pri

security-level 0

ip address 10.50.10.2 255.255.255.252

!

Juniper SRX

ge-0/0/7 {

description Phy_Lnk_to_ASA;

vlan-tagging;

unit 0 {

vlan-id 500;

family inet {

address 10.50.10.1/30;

Jon Marshall · ‎02-03-2022

I am not familiar with Juniper SRX devices but it looks like you are using tagging and you have configured the switch ports as access ports.

I would have thought they should be trunk ports or don't use vlan tagging ?

Jon

ahsan.ayub@ngc.com · ‎02-03-2022

When looking at the local switch, I noticed the port connected to the SRX was not displaying vlan 500. I did some more research. I had to make the Juniper SRX ports access ports and use an IRB interface and disable vlan-tagging like you just suggested. Below are changes I made. Also I had to make some changes for the VPN portion for everything to come back online again. I think making the switchports trunks may have worked as well. I may try that another day. Thank you!

ge-0/0/7 {
description Phy_Lnk_to_ASA;
unit 0 {
family ethernet-switching {
interface-mode access;
vlan {
members ASA;

vlans {
ASA {
vlan-id 500;
l3-interface irb.500;
}

irb {
unit 500 {
family inet {
address 10.50.10.1/30;
}