02-02-2022 06:27 AM
I have an ASA-5516 connected to two Juniper SRX 345 firewalls. I set them up initially connected through an unmanaged Netgear switch at my desk, and the IPsec tunnels and VPN all worked correctly. However, once I put them in our test bed and had to connect them through three Cisco 2960 switches, it will not work. I cannot ping the physical interfaces across the switches. On the ASA-5516 I used port 8 and then created two sub-interfaces, 8.1 and 8.2. On the Juniper SRX 345s I used port 7. I allowed all the VLANs across the switches, but the firewalls are not able to communicate. I've attached the port configurations for all devices.
Any help will be appreciated.
02-02-2022 07:00 AM - edited 02-02-2022 07:02 AM
Do you mean to say that before the Cisco switches were in between, the dumb hub worked as expected, and after the Cisco switch was introduced it's not working?
Have you created VLANs 500 and 550?
Can you post the below information from both switches (make sure the switches are configured with VTP in transparent mode):
show vlan
show interface trunk
show spanning brief
show vtp status
Try on the switch side:
switchport trunk encapsulation dot1q
On the ASA side try:
interface GigabitEthernet1/8.1
encapsulation dot1q 500 - respective interface
interface GigabitEthernet1/8.2
encapsulation dot1q 550 - respective interface
02-02-2022 07:36 AM
Yes, that's correct: with the "dumb switch" everything worked, but once I used the Cisco switch it stopped working.
I have verified that the switch is in transparent mode. It will take me some time to get the show commands you asked for; is there anything specific you are looking for?
I don't think the ASA-5516x lets you run the below command. My understanding is that the ASA automatically trunks once you create sub interfaces.
interface GigabitEthernet1/8.1
encapsulation dot1q 500 - respected interface
02-02-2022 08:43 AM
Post the below from both switches.
show vlan
show interface trunk
show spanning brief
show vtp status
02-02-2022 08:48 AM
Hello,
the fastest way to resolve this is probably to configure an unused interface on the Cisco Remote switch like this:
interface GigabitEthernet1/0/15
switchport mode access
switchport access vlan 500
exit
interface GigabitEthernet1/0/15
switchport mode access
switchport access vlan 550
exit
This will automatically create both Vlans on that switch.
02-02-2022 09:50 AM
The VLANs are already created. However, I tried it anyway and still no luck.
02-02-2022 10:00 AM
Hello,
post the running configurations of the three switches, maybe we can spot something...
02-02-2022 11:26 AM
I am trying to understand something from the original post. If the connections were through an unmanaged switch, how did it have 2 vlans?
02-03-2022 06:50 AM
The vlans are created on the ASA and Juniper SRX. My best guess is the netgear switch ignores the vlan tag and just pushes the traffic.
ASA
interface GigabitEthernet1/8
no nameif
no security-level
no ip address
!
interface GigabitEthernet1/8.1
vlan 500
nameif outside_pri
security-level 0
ip address 10.50.10.2 255.255.255.252
!
Juniper SRX
ge-0/0/7 {
    description Phy_Lnk_to_ASA;
    vlan-tagging;
    unit 0 {
        vlan-id 500;
        family inet {
            address 10.50.10.1/30;
        }
    }
}
02-03-2022 09:44 AM - edited 02-03-2022 09:47 AM
I am not familiar with Juniper SRX devices, but it looks like you are using tagging and you have configured the switch ports as access ports.
I would have thought they should be trunk ports, or don't use VLAN tagging?
Jon
02-03-2022 11:49 AM
When looking at the local switch, I noticed the port connected to the SRX was not displaying VLAN 500. I did some more research. I had to make the Juniper SRX ports access ports, use an IRB interface and disable vlan-tagging, like you just suggested. Below are the changes I made. I also had to make some changes to the VPN portion for everything to come back online again. I think making the switch ports trunks may have worked as well; I may try that another day. Thank you!
ge-0/0/7 {
    description Phy_Lnk_to_ASA;
    unit 0 {
        family ethernet-switching {
            interface-mode access;
            vlan {
                members ASA;
            }
        }
    }
}
vlans {
    ASA {
        vlan-id 500;
        l3-interface irb.500;
    }
}
irb {
    unit 500 {
        family inet {
            address 10.50.10.1/30;
        }
    }
}
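The root cause of this thread is a tagging mismatch: the ASA sub-interfaces send 802.1Q frames tagged 500 and 550, while the 2960 ports facing the firewalls were in access mode, so the tagged frames never reached the far side. The check below is an added example, not code from the thread; it parses constructed ASA and IOS switchport snippets modelled on the ones posted here and flags a tagged sub-interface facing an access port or a trunk that does not allow the VLAN.

```python
import re

# Constructed sample configs, modelled on the snippets posted in this thread.
ASA_CONFIG = """
interface GigabitEthernet1/8.1
 vlan 500
!
interface GigabitEthernet1/8.2
 vlan 550
!
"""
SWITCH_ACCESS = """
interface GigabitEthernet1/0/8
 switchport mode access
 switchport access vlan 500
"""
SWITCH_TRUNK = """
interface GigabitEthernet1/0/8
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 500,550
"""

def asa_tagged_vlans(config: str) -> set:
    """VLAN IDs the ASA will 802.1Q-tag: one 'vlan N' line per sub-interface."""
    return {int(v) for v in re.findall(r"^\s*vlan\s+(\d+)\s*$", config, re.M)}

def switch_port_vlans(config: str) -> tuple:
    """(mode, allowed VLANs) for one IOS switchport stanza; allowed=None means all."""
    m = re.search(r"^\s*switchport mode (access|trunk)", config, re.M)
    mode = m.group(1) if m else "access"      # IOS default when nothing is set
    allowed = None                            # trunk with no allowed-vlan restriction
    m = re.search(r"^\s*switchport trunk allowed vlan ([\d,\-]+)", config, re.M)
    if m:
        allowed = set()
        for part in m.group(1).split(","):    # handles '500,550' and '500-550'
            lo, _, hi = part.partition("-")
            allowed.update(range(int(lo), int(hi or lo) + 1))
    return mode, allowed

def check_link(asa_config: str, switch_config: str) -> list:
    """Problems that would stop the ASA's tagged frames; an empty list means OK."""
    tagged = asa_tagged_vlans(asa_config)
    mode, allowed = switch_port_vlans(switch_config)
    problems = []
    if mode != "trunk":
        problems.append(f"switch port is in {mode} mode but ASA tags VLANs {sorted(tagged)}")
    elif allowed is not None and tagged - allowed:
        problems.append(f"trunk does not allow VLANs {sorted(tagged - allowed)}")
    return problems
```

The same check applies to the original SRX `vlan-tagging` configuration, which also expects a trunk on the switch side.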