We have two new ASA's as our firewall configured in failover mode. How we connect the interfaces like the Internet to operate in that failover mode is to have a Cisco switch with a VLAN configured for each interface. Each VLAN has three ports assigned; one for each ASA connection and the other for the other end of the Interface. For example the VLAN leading to the Internet has the two ASA Internet connections and the connection to the edge router. So should one ASA fail, when the other one comes on-line we don't have to do anything to bring that connection back up.
Currently that switch is an older Cisco 2960 with a max speed settings of 100 MBPS. We are working with our ISP to put in a GB circuit and we want GB speeds from our main switch through the web filtering appliance through the ASA's and out to the new circuit. The ASA's also have a number of interfaces leading to our partners and their firewalls - all of these partner connections run at a max of 100.
To get the GB speeds we need, we purchased a new Cisco 2960-X that supports the GB speeds. We VLAN'd it off like the old one. I have made several attempts to move all of these connections and have been successful with all of the partner connections, but I am having trouble with the one on the inside that comes from our web filtering device to the ASA.
Currently all of the connections for that interface are pegged at 100/full. I initially tried setting the its VLAN on the new switch to 100 Full. I was going to move the cables, figuring that nothing would change and it should just work, then I was going to bump everything up to 1000/Full. That didn't work and it's been a month or two now so I can't remember the exact sequence of things. A consultant that we used suggested just configuring the new switch with 1000/Full, changing everything at the other end and then moving the cables. I tried that yesterday - it failed - but here is what I did and what I saw:
1. I preconfigured the new switch ports in that VLAN to be 1000/Full and then I checked it before I made the move.
2. I got a ping going to the Internet on a laptop to monitor the connection.
3. Got on the console of the ASA and changed the inside I/F to 1000/Full; did a wr men and then confirmed that the change had occurred.
4. Changed the appropriate I/F on the web filtering device which is the other end of this connection to be 1000/Full. Saved it off and confirmed that it took.
5. Moved the connections to the new switch - pings fail to come back. I wait f few minutes and still no joy.
6. I set all of the VLAN's ports to auto/auto. Pings return for about 12 pings and then disappear again not to return. I do remember noticing that the port containing the web filtering device's connection drops and then comes back up. Once up it stays up, but the drop is associated with the ping loss and when it comes back up the pings don't.
7. Tried a number of different configs with setting speeds and auto/auto and all of them present the same as above.
8. Set everything back to 1000/Full and reloaded the switch. Pings do not return.
9. Finally decided that it was better to keep the connections in the new switch so at least physically I was done with the move. So I set all settings at both ends to be 100/Full. Pings did not return.
10. Finally moved connections back to the old switch and pings return and stay up.
Obviously this is frustrating. I've in IT for years and have done some pretty complex things, and this seems so simple and I can't get it to work. Unfortunately when I do this, it takes a number of things down and so it's not something that I can just do; I need to schedule it,and I am running out of good will with the users. The next time I do this it needs to work.
Any help is appreciated.