Solved

Site-to-site VPN issues with VLANs...

Posted on 2015-02-06
Last Modified: 2015-02-09
Okay, so we are having trouble routing traffic between two of our VLANs across our site VPN.

overview:

Both sites have a Cisco ASA 5505.
Both sites have an HP 2910 / 2920 PoE switch with VLAN 1 for data and VLAN 20 for voice.

We are able to route across each VLAN locally and across the VPN, apart from VLAN 20 to VLAN 20.

The switch configs are virtually the same, working as an L3 switch and sending all traffic to the firewall.

Our managed firewall company are saying they can ping each VLAN 20 from the firewall and are pointing the finger at the switches. I'm not so sure.

Here are the two site switch configs:

Running configuration:

; J9148A Configuration Editor; Created on release #W.15.08.0012
; Ver #02:11.05:16
hostname "HP-E2910al-48G-PoE"
module 1 type j9148a
mirror-port 5
power-over-ethernet pre-std-detect
qos type-of-service diff-services
timesync sntp
sntp unicast
sntp server priority 1 87.124.126.49
sntp server priority 2 178.79.165.21
time timezone 60
ip authorized-managers 172.19.0.0 255.255.0.0 access manager
ip authorized-managers 172.16.0.0 255.255.0.0 access manager
ip authorized-managers 10.255.255.0 255.255.255.128 access manager
ip authorized-managers 192.168.2.0 255.255.255.0 access manager
ip authorized-managers 192.168.3.0 255.255.255.0 access manager
ip authorized-managers 10.255.254.0 255.255.255.128 access manager
ip authorized-managers 192.168.100.0 255.255.255.0 access manager
ip authorized-managers 192.168.200.0 255.255.255.0 access manager
ip default-gateway 172.19.10.15
no ip icmp redirects
ip route 0.0.0.0 0.0.0.0 172.19.10.15
ip routing
interface 1
   name "to HP1910 (top)"
   no power-over-ethernet
   exit
interface 2
   name "tp HP1910 (bottom)"
   no power-over-ethernet
   exit
interface 3
   name "to ASA 5505 fe01"
   no power-over-ethernet
   exit
interface 4
   name "Cisco_AP_172.19.3.20"
   exit
interface 5
   no power-over-ethernet
   exit
interface 6
   no power-over-ethernet
   exit
interface 7
   name "Shoretel E1k"
   speed-duplex 100-full
   exit
interface 8
   name "Shoretel SG90"
   speed-duplex 100-full
   exit
interface 9
   name "Shoretel SG90Bri"
   speed-duplex 100-full
   exit
interface 10
   name "chi-Oaisys"
   exit
interface 11
   name "Shoretel HQ"
   exit
interface 12
   name "Ingate"
   exit
interface 19
   name "Test Phone"
   exit
interface 21
   name ""
   exit
interface 25
   name ""
   exit
interface 31
   name ""
   exit
snmp-server community "public" unrestricted
snmp-server contact "IT"
vlan 1
   name "DEFAULT_VLAN"
   no untagged 7-48
   untagged 1-6
   ip address 172.19.4.5 255.255.0.0
   exit
vlan 20
   name "Voice"
   untagged 7-12
   tagged 13-48
   ip address 172.16.4.5 255.255.0.0
   ip helper-address 172.19.10.17
   ip helper-address 172.19.10.18
   qos dscp 101110
   voice
   exit
no autorun
password manager

----------------------------------

Running configuration:

; J9727A Configuration Editor; Created on release #WB.15.12.0015
; Ver #05:18.41.ff.35.0d:9b

hostname "HP-2920-24G-PoEP-Bristol"
module 1 type j9727a
qos type-of-service diff-services
timesync sntp
sntp unicast
sntp server priority 1 85.119.80.233
sntp server priority 2 87.124.126.49
ip authorized-managers 172.19.0.0 255.255.0.0 access manager
ip authorized-managers 192.168.2.0 255.255.255.0 access manager
ip authorized-managers 172.16.0.0 255.255.0.0 access manager
ip authorized-managers 10.255.255.0 255.255.255.128 access manager
ip authorized-managers 192.168.3.0 255.255.255.0 access manager
ip authorized-managers 10.255.254.0 255.255.255.128 access manager
ip authorized-managers 192.168.100.0 255.255.255.0 access manager
ip authorized-managers 192.168.200.0 255.255.255.0 access manager
ip default-gateway 192.168.2.1
no ip icmp redirects
ip route 0.0.0.0 0.0.0.0 192.168.2.1
ip routing
interface 1
   name "to ASA 5505 fe01"
   exit
interface 3
   name "Phoenix LAN"
   exit
interface 24
   name "Shoretel Phone"
   exit
snmp-server community "public" unrestricted
snmp-server contact "IT"
oobm
   ip address dhcp-bootp
   exit
vlan 1
   name "DEFAULT_VLAN"
   no untagged 21-24
   untagged 1-20,A1-A2,B1-B2
   ip address 192.168.2.4 255.255.255.0
   exit
vlan 20
   name "Voice"
   untagged 21-24
   ip address 192.168.200.4 255.255.255.0
   ip helper-address 192.168.2.17
   ip helper-address 192.168.2.22
   qos dscp 101110
   voice
   exit
no tftp server
no autorun
no dhcp config-file-update
no dhcp image-file-update
password manager


Ideas why this is failing?

Thanks
Question by:CHI-LTD
4 Comments
 
LVL 57

Assisted Solution

by:Pete Long
Pete Long earned 500 total points
ID: 40593340
>>Our managed firewall company are saying they can ping each VLAN 20 from the firewall and are pointing the finger at the switches. I'm not so sure.

Fair enough. Set up management-access on the VLAN 20 interface; if they can ping each other then your firewall company are correct, if not then the problem may be on the switches.

Without looking all through the HP configs, is VLAN 20 'Tagged' onto the firewall uplink?
(Assuming VLAN 1 is 'Untagged' on the same uplink, which would be the default.)

Pete
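An added check, not part of the thread or either vendor's tooling, that answers Pete's question (is VLAN 20 tagged onto the firewall uplink?) directly from the posted configs. It embeds trimmed 'vlan' blocks constructed from the two running configs above and assumes the uplink ports are the ones named "to ASA 5505 fe01": port 3 at the first site and port 1 at the second.

```python
import re
from collections import defaultdict

# Trimmed 'vlan' blocks constructed from the two configs posted in the question.
SITE_A = """vlan 1
   no untagged 7-48
   untagged 1-6
   exit
vlan 20
   untagged 7-12
   tagged 13-48
   exit"""
SITE_B = """vlan 1
   no untagged 21-24
   untagged 1-20,A1-A2,B1-B2
   exit
vlan 20
   untagged 21-24
   exit"""

def expand_ports(spec):
    """Expand an HP port list such as '1-20,A1-A2,B1-B2' into port names."""
    ports = []
    for item in spec.split(","):
        lo, _, hi = item.partition("-")
        prefix, start = re.match(r"([A-Za-z]*)(\d+)$", lo).groups()
        end = re.match(r"[A-Za-z]*(\d+)$", hi or lo).group(1)
        ports += [f"{prefix}{n}" for n in range(int(start), int(end) + 1)]
    return ports

def vlan_membership(config):
    """Return {port: {vlan_id: 'tagged' | 'untagged'}} from the 'vlan N' blocks."""
    members = defaultdict(dict)
    vlan = None
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("vlan "):
            vlan = int(line.split()[1])
        elif line == "exit":
            vlan = None
        # 'no untagged ...' removes ports from a VLAN and is not a membership line
        elif vlan is not None and not line.startswith("no "):
            mode, _, spec = line.partition(" ")
            if mode in ("tagged", "untagged") and spec:
                for port in expand_ports(spec):
                    members[port][vlan] = mode
    return members

def uplink_carries(config, port, vlan):
    """'tagged', 'untagged', or None when `vlan` does not reach `port` at all."""
    return vlan_membership(config).get(port, {}).get(vlan)
```

At both sites VLAN 20 is absent from the ASA uplink, which fits the routed design the question describes (ip routing plus a default route to the firewall) rather than indicating a trunking fault. It also means the ASA only reaches the voice subnets via a route back to the switch's VLAN 1 address, so those routes and the VPN's traffic selectors are the next things to verify.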
 
LVL 1

Author Comment

by:CHI-LTD
ID: 40593348
It now seems to be miraculously working..
Guess they will tell me what the fix was..?
 
LVL 57

Accepted Solution

by:Pete Long
Pete Long earned 500 total points
ID: 40594433
 
LVL 1

Author Closing Comment

by:CHI-LTD
ID: 40597996
Not BT, but the managed company.
