Problem moving connections from one switch to another

We have two new ASA's as our firewall configured in failover mode. How we connect the interfaces like the Internet to operate in that failover mode is to have a Cisco switch with a VLAN configured for each interface.  Each VLAN has three ports assigned; one for each ASA connection and the other for the other end of the Interface. For example the VLAN leading to the Internet has the two ASA Internet connections and the connection to the edge router. So should one ASA fail, when the other one comes on-line we don't have to do anything to bring that connection back up.

Currently that switch is an older Cisco 2960 with a max speed settings of 100 MBPS. We are working with our ISP to put in a GB circuit and we want GB speeds from our main switch through the web filtering appliance through the ASA's and out to the new circuit. The ASA's also have a number of interfaces leading to our partners and their firewalls - all of these partner connections run at a max of 100.

To get the GB speeds we need, we purchased a new Cisco 2960-X that supports the GB speeds. We VLAN'd it off like the old one. I have made several attempts to move all of these connections and have been successful with all of the partner connections, but I am having trouble with the one on the inside that comes from our web filtering device to the ASA.

Currently all of the connections for that interface are pegged at 100/full. I initially tried setting its VLAN on the new switch to 100/Full.  I was going to move the cables, figuring that nothing would change and it should just work, then I was going to bump everything up to 1000/Full. That didn't work and it's been a month or two now so I can't remember the exact sequence of things.  A consultant that we used suggested just configuring the new switch with 1000/Full, changing everything at the other end and then moving the cables.  I tried that yesterday - it failed - but here is what I did and what I saw:

1. I preconfigured the new switch ports in that VLAN to be 1000/Full and then I checked it before I made the move.
2. I got a ping going to the Internet on a laptop to monitor the connection.
3. Got on the console of the ASA and changed the inside I/F to 1000/Full; did a wr mem and then confirmed that the change had occurred.
4. Changed the appropriate I/F on the web filtering device which is the other end of this connection to be 1000/Full. Saved it off and confirmed that it took.
5. Moved the connections to the new switch - pings fail to come back. I wait a few minutes and still no joy.
6. I set all of the VLAN's ports to auto/auto.  Pings return for about 12 pings and then disappear again not to return.  I do remember noticing that the port containing the web filtering device's connection drops and then comes back up.  Once up it stays up, but the drop is associated with the ping loss and when it comes back up the pings don't.
7. Tried a number of different configs with setting speeds and auto/auto and all of them present the same as above.
8. Set everything back to 1000/Full and reloaded the switch. Pings do not return.
9. Finally decided that it was better to keep the connections in the new switch so at least physically I was done with the move. So I set all settings at both ends to be 100/Full.  Pings did not return.
10. Finally moved connections back to the old switch and pings return and stay up.

Obviously this is frustrating. I've been in IT for years and have done some pretty complex things, and this seems so simple and I can't get it to work.  Unfortunately when I do this, it takes a number of things down and so it's not something that I can just do; I need to schedule it, and I am running out of good will with the users.  The next time I do this it needs to work.

Any help is appreciated.

asavener Commented:
As a next step, I'd suggest connecting two different gigabit-capable devices to those ports, and then testing connectivity.
My experience has been that both ends of a physical connection have to be set to the same speed/duplex, unless you're using autodetection.

You should not be specifying speed/duplex at the VLAN level; you should be setting it at the interface level.
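As an added illustration of the advice above (not configuration from this thread, from the asker, or from Cisco documentation for this exact topology), here is what "interface level" looks like for one of the three-port VLANs on the 2960-X and on the ASA, with both ends left to negotiate; the interface names, the VLAN number and the descriptions are assumed:

```cisco
! --- Cisco 2960-X: the three access ports of the inside VLAN (VLAN 20 is assumed) ---
! Speed and duplex are properties of the physical ports; "interface Vlan20" carries no such settings.
interface GigabitEthernet1/0/1
 description ASA primary - inside
 switchport mode access
 switchport access vlan 20
 speed auto
 duplex auto
!
interface GigabitEthernet1/0/2
 description ASA standby - inside
 switchport mode access
 switchport access vlan 20
 speed auto
 duplex auto
!
interface GigabitEthernet1/0/3
 description web filter - inside
 switchport mode access
 switchport access vlan 20
 speed auto
 duplex auto
!
! --- ASA (the same setting goes on both failover units; interface name assumed) ---
interface GigabitEthernet0/1
 nameif inside
 speed auto
 duplex auto
!
! --- Verification after the cables are moved ---
! On the switch: every port in the VLAN should report the same speed and duplex.
! Negotiated values show as a-full / a-1000, forced values as full / 1000.
! A port showing "half", growing error counters, or repeated %LINK-3-UPDOWN
! messages while its neighbour is forced to a fixed setting indicates a
! negotiation mismatch between the two ends of that cable.
show interfaces status
show interfaces GigabitEthernet1/0/3 | include duplex|errors|collisions
! On the ASA, the negotiated result is visible per interface:
show interface GigabitEthernet0/1 | include Duplex|Speed|errors
```

If one end is to be forced instead, force the same speed and duplex on the port at the other end of that same cable, since an auto-negotiating port that sees no negotiation partner cannot detect the duplex setting.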
jhyiesla (Author) Commented:
Probably didn't make myself clear.  The switch is divided into discrete VLANs, but any changes that I am making as far as speed and duplex are on the ports that are a part of the VLAN.

My initial attempt was to set both ends to 1000/Full. You'd think that would just work, but no.  I did experiment with auto/auto on one end and hard coded on the other but that didn't work either. Even when I set everything back to 100/Full, it didn't work.
Is this a layer three switch?  Can you add an IP address to the VLAN interface and just ping the switch, so that you can isolate which port is having the problem?
jhyiesla (Author) Commented:
No, I believe that this is just a layer 2 switch.
Can you try just changing the ASA or the web filtering device, and see if that works?

You could uplink the 2960-x to the current 2960, and then have the flexibility to just move cables back and forth between them until you find the issue....
jhyiesla (Author) Commented:
I sort of did that already; I changed the web filtering device to auto/auto, leaving the ASA connections alone. Most of the time when I make a change, the pings will return, but then about 10-12 pings into that, I see the port for the web filtering device go down and back up on the switch console and at that time the pings die and do not return.

I had tried hooking the switches together, but that didn't work; I think it has something to do with InterVLAN connectivity...but at any rate, that still doesn't buy me anything because as soon as I change speeds or disconnect a cable to move it, it obviously breaks the connection and then everything that goes through there, which is just about everything to the Internet and our partners, goes down.

I have to avoid that so always have to schedule a downtime.
jhyiesla (Author) Commented:
That's a reasonable suggestion.
jhyiesla (Author) Commented:
Well, that was kind of a bust.  I found two laptops capable of 1000/Full speeds. I set everything to auto/auto everywhere just because I wanted to make sure that I had set up the network settings right and that there was no issue talking on the ports.  That was successful.

Then I set them to 100/Full and put them in the old switch; I was able to ping without issue. Then, I left the pings running and I changed the speeds to 1000/Full, which emulated what I did in the real move attempt. Of course the pings failed. I then plugged them into the new switch into the same ports I'm working with; the ports were set to 1000/Full. After I made the move to the new switch within a few seconds the pings came back and stayed .... which is what I would expect, but never seem to get in the real world. I also tried the new switch ports with everything on both ends set to auto/auto and that also worked.

So the test seems to confirm that the ports are OK and everything works when I set it to 1000/Full, but this does not hold in my real world scenario.  About the only setting I have not tried in the real world is setting everything to auto/auto. We typically like to keep our infrastructure devices hard set to a speed instead of depending on auto negotiation.
Well, there are three additional scenarios that I would suggest testing to see if you can eliminate one machine or the other from being the culprit.

1) Keep both ends at 100/Full and attach them both to the switch.
2) Change the ASA only to 1000/Full and attach both connections to the switch.
3) Change the ASA to 100/Full, the web filter to 1000/Full and attach both connections to the switch.

Depending on which of these scenarios are successful, you can make additional testing plans.
jhyiesla (Author) Commented:
I think I'm down to just setting everything to auto/auto and seeing what happens.  Using the laptops, I was successful at getting that to work and run at 1000/Full. If I can just get it up and working, then I think I'll try adjusting them back to 1000/Full.