Problem moving connections from one switch to another

Posted on 2014-04-02
Last Modified: 2014-04-15
We have two new ASAs as our firewall configured in failover mode. How we connect the interfaces like the Internet to operate in that failover mode is to have a Cisco switch with a VLAN configured for each interface. Each VLAN has three ports assigned; one for each ASA connection and the other for the other end of the Interface. For example the VLAN leading to the Internet has the two ASA Internet connections and the connection to the edge router. So should one ASA fail, when the other one comes on-line we don't have to do anything to bring that connection back up.

Currently that switch is an older Cisco 2960 with a max speed setting of 100 Mbps. We are working with our ISP to put in a GB circuit and we want GB speeds from our main switch through the web filtering appliance through the ASAs and out to the new circuit. The ASAs also have a number of interfaces leading to our partners and their firewalls - all of these partner connections run at a max of 100.

To get the GB speeds we need, we purchased a new Cisco 2960-X that supports the GB speeds. We VLAN'd it off like the old one. I have made several attempts to move all of these connections and have been successful with all of the partner connections, but I am having trouble with the one on the inside that comes from our web filtering device to the ASA.

Currently all of the connections for that interface are pegged at 100/full. I initially tried setting its VLAN on the new switch to 100 Full. I was going to move the cables, figuring that nothing would change and it should just work, then I was going to bump everything up to 1000/Full. That didn't work and it's been a month or two now so I can't remember the exact sequence of things. A consultant that we used suggested just configuring the new switch with 1000/Full, changing everything at the other end and then moving the cables. I tried that yesterday - it failed - but here is what I did and what I saw:

1. I preconfigured the new switch ports in that VLAN to be 1000/Full and then I checked it before I made the move.
2. I got a ping going to the Internet on a laptop to monitor the connection.
3. Got on the console of the ASA and changed the inside I/F to 1000/Full; did a wr mem and then confirmed that the change had occurred.
4. Changed the appropriate I/F on the web filtering device which is the other end of this connection to be 1000/Full. Saved it off and confirmed that it took.
5. Moved the connections to the new switch - pings fail to come back. I wait a few minutes and still no joy.
6. I set all of the VLAN's ports to auto/auto.  Pings return for about 12 pings and then disappear again not to return.  I do remember noticing that the port containing the web filtering device's connection drops and then comes back up.  Once up it stays up, but the drop is associated with the ping loss and when it comes back up the pings don't.
7. Tried a number of different configs with setting speeds and auto/auto and all of them present the same as above.
8. Set everything back to 1000/Full and reloaded the switch. Pings do not return.
9. Finally decided that it was better to keep the connections in the new switch so at least physically I was done with the move. So I set all settings at both ends to be 100/Full.  Pings did not return.
10. Finally moved connections back to the old switch and pings return and stay up.


Obviously this is frustrating. I've been in IT for years and have done some pretty complex things, and this seems so simple and I can't get it to work. Unfortunately when I do this, it takes a number of things down and so it's not something that I can just do; I need to schedule it, and I am running out of good will with the users. The next time I do this it needs to work.

Any help is appreciated.
Question by:jhyiesla
Expert Comment

by:asavener
ID: 39973141
My experience has been that both ends of a physical connection have to be set to the same speed/duplex, unless you're using autodetection.

You should not be specifying speed/duplex at the VLAN level; you should be setting it at the interface level.
Author Comment

by:jhyiesla
ID: 39974703
Probably didn't make myself clear.  The switch is divided into discrete VLANs, but any changes that I am making as far as speed and duplex are on the ports that are a part of the VLAN.

My initial attempt was to set both ends to 1000/Full. You'd think that would just work, but no.  I did experiment with auto/auto on one end and hard coded on the other but that didn't work either. Even when I set everything back to 100/Full, it didn't work.
Expert Comment

by:asavener
ID: 39974793
Is this a layer three switch?  Can you add an IP address to the VLAN interface and just ping the switch, so that you can isolate which port is having the problem?
Author Comment

by:jhyiesla
ID: 39974806
No, I believe that this is just a layer 2 switch.
Expert Comment

by:asavener
ID: 39974853
Can you try just changing the ASA or the web filtering device, and see if that works?

You could uplink the 2960-x to the current 2960, and then have the flexibility to just move cables back and forth between them until you find the issue....
Author Comment

by:jhyiesla
ID: 39974934
I sort of did that already; I changed the web filtering device to auto/auto, leaving the ASA connections alone. Most of the time when I make a change, the pings will return, but then about 10-12 pings into that, I see the port for the web filtering device go down and back up on the switch console and at that time the pings die and do not return.

I had tried hooking the switches together, but that didn't work; I think it has something to do with InterVLAN connectivity...but at any rate, that still doesn't buy me anything because as soon as I change speeds or disconnect a cable to move it, it obviously breaks the connection and then everything that goes through there, which is just about everything to the Internet and our partners, goes down.

I have to avoid that so always have to schedule a downtime.
Accepted Solution

by:asavener (earned 500 total points)
ID: 39974965
As a next step, I'd suggest connecting two different gigabit-capable devices to those ports, and then testing connectivity.
Author Comment

by:jhyiesla
ID: 39975107
That's a reasonable suggestion.
Author Comment

by:jhyiesla
ID: 39978797
Well, that was kind of a bust.  I found two laptops capable of 1000/Full speeds. I set everything to auto/auto everywhere just because I wanted to make sure that I had set up the network settings right and that there was no issue talking on the ports.  That was successful.

Then I set them to 100/Full and put them in the old switch; I was able to ping without issue. Then, I left the pings running and I changed the speeds to 1000/Full, which emulated what I did in the real move attempt. Of course the pings failed. I then plugged them into the new switch into the same ports I'm working with; the ports were set to 1000/Full. After I made the move to the new switch within a few seconds the pings came back and stayed .... which is what I would expect, but never seem to get in the real world. I also tried the new switch ports with everything on both ends set to auto/auto and that also worked.

So the test seems to confirm that the ports are OK and everything works when I set it to 1000/Full, but this does not hold in my real world scenario.  About the only setting I have not tried in the real world is setting everything to auto/auto. We typically like to keep our infrastructure devices hard set to a speed instead of depending on auto negotiation.
Expert Comment

by:asavener
ID: 39979053
Well, there are three additional scenarios that I would suggest testing to see if you can eliminate one machine or the other from being the culprit.

1) Keep both ends at 100/Full and attach them both to the switch.
2) Change the ASA only to 1000/Full and attach both connections to the switch.
3) Change the ASA to 100/Full, the web filter to 1000/Full and attach both connections to the switch.

Depending on which of these scenarios are successful, you can make additional testing plans.
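Whichever of those scenarios is run, the switch's own interface counters tell you which end is misnegotiating: a port that came up half-duplex against a full-duplex peer shows late collisions and CRC errors, and a port that keeps dropping shows climbing interface resets. As an added example (not from the thread or either participant), a Python parser over constructed `show interfaces` output that flags those symptoms; the sample text and the 1000/Full expectation are assumptions:

```python
import re

# Constructed sample of Cisco IOS "show interfaces" output (not from the thread):
# port 1 looks healthy, port 2 shows the classic duplex-mismatch and flap symptoms.
SAMPLE = """\
GigabitEthernet1/0/1 is up, line protocol is up (connected)
  Full-duplex, 1000Mb/s, media type is 10/100/1000BaseTX
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 output errors, 0 collisions, 1 interface resets
     0 babbles, 0 late collision, 0 deferred
GigabitEthernet1/0/2 is up, line protocol is up (connected)
  Half-duplex, 100Mb/s, media type is 10/100/1000BaseTX
     312 input errors, 298 CRC, 14 frame, 0 overrun, 0 ignored
     27 output errors, 540 collisions, 9 interface resets
     0 babbles, 121 late collision, 0 deferred
"""

IFACE_RE = re.compile(r"^(\S+) is (\w+), line protocol is (\w+)")
LINK_RE = re.compile(r"^\s*(Full|Half|Auto)-duplex, (\d+)Mb/s")
COUNTER_RE = re.compile(r"(\d+) (CRC|late collision|interface resets|collisions)\b")

def parse_show_interfaces(text):
    # Returns {port_name: {state, duplex, speed, and the error counters we care about}}
    ports, cur = {}, None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            cur = {"state": m.group(2), "duplex": None, "speed": None, "CRC": 0,
                   "late collision": 0, "interface resets": 0, "collisions": 0}
            ports[m.group(1)] = cur
            continue
        if cur is None:
            continue
        m = LINK_RE.match(line)
        if m:
            cur["duplex"], cur["speed"] = m.group(1), int(m.group(2))
        for value, name in COUNTER_RE.findall(line):
            cur[name] = int(value)
    return ports

def diagnose(port, expected_speed=1000, expected_duplex="Full"):
    # Lists the symptoms pointing at a speed/duplex mismatch or a flapping link
    findings = []
    if port["speed"] != expected_speed:
        findings.append(f"negotiated {port['speed']}Mb/s, expected {expected_speed}Mb/s")
    if port["duplex"] != expected_duplex:
        findings.append(f"running {port['duplex']}-duplex, expected {expected_duplex}")
    if port["late collision"]:  # only seen when this end is half and the far end full
        findings.append(f"{port['late collision']} late collisions: duplex mismatch")
    if port["CRC"]:
        findings.append(f"{port['CRC']} CRC errors: mismatch or bad cable")
    if port["interface resets"] > 1:
        findings.append(f"{port['interface resets']} interface resets: link is flapping")
    return findings
```

Run the same parse against the ASA's and the web filter's own interface output to see which end reports the mismatch.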
Author Comment

by:jhyiesla
ID: 40001914
I think I'm down to just setting everything to auto/auto and see what happens. Using the laptops, I was successful at getting that to work and run at 1000/Full. If I can just get it up and working, then I think I'll try adjusting them back to 1000/Full.