Trunk connection problems between ASA firewall and Cisco switch

The Problem: You’ve set up a trunk link between a Cisco ASA firewall (5505, 5510, et al) and a Cisco switch (2960, 3560, et al). However, you’re not able to establish a connection between them at either Layer 2 or 3.

If you look at the interface counters on the firewall, you may notice that you’re piling up a bunch of “L2 Decode Drops” errors. Other than that, there isn’t much evidence about what could be wrong.

The Solution: Despite what’s been said on certain other Internet forums, this is not likely due to a faulty cable or a spanning-tree issue, so don’t waste your time.

The most likely cause is the native VLAN on the switch side of the trunk.  Chances are, you have a sub-interface on the ASA that is supposed to route for that native VLAN. Well, when the switch sends out a frame from the native VLAN, it does NOT tag it. But if the ASA has a sub-interface for that VLAN, it expects tagged frames only for it, so communications for that particular VLAN will fail between the switch and the ASA.

Bottom line: if you have a sub-interface for a VLAN on the ASA, then it CANNOT also be used as the native VLAN on the switch’s trunk port. Any VLAN set up as such will not work. (To verify the native VLAN on your switch, use the command: show int trunk. It should be set to VLAN1 by default.)

To solve this, change the sub-interface/VLAN configuration on the ASA to avoid the switch port’s native VLAN, or just change the native VLAN on the switch to something else (example command from interface sub-config mode: switchport trunk native vlan 99).
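To make the check concrete, here is a small script (added here as an example; it is not from the original post and not a Cisco tool) that parses the first table of the switch’s show interfaces trunk output and the interface section of an ASA running-config, then reports every ASA sub-interface whose VLAN id equals a trunk port’s native VLAN. The switch output, the ASA config, the interface names and the VLAN numbers are all constructed samples; the “fixed” variant simply models the effect of switchport trunk native vlan 99.

```python
"""Flag ASA sub-interface VLANs that collide with the switch trunk's native VLAN.

Added example, not code from the original post. All inputs below are
constructed samples that mimic the real command output and config syntax.
"""
import re

# Constructed sample: `show interfaces trunk` on the switch, native VLAN 10.
SWITCH_SHOW_TRUNK = """\
Port        Mode         Encapsulation  Status        Native vlan
Gi0/1       on           802.1q         trunking      10

Port        Vlans allowed on trunk
Gi0/1       1-4094

Port        Vlans allowed and active in management domain
Gi0/1       1,10,20,99
"""

# Constructed sample: the same output after `switchport trunk native vlan 99`.
SWITCH_SHOW_TRUNK_FIXED = SWITCH_SHOW_TRUNK.replace("trunking      10", "trunking      99")

# Constructed sample: interface section of an ASA running-config with two
# sub-interfaces (tagged VLANs 10 and 20) hanging off Ethernet0/1.
ASA_CONFIG = """\
interface Ethernet0/1
 no nameif
 no security-level
 no ip address
!
interface Ethernet0/1.10
 vlan 10
 nameif inside
 security-level 100
 ip address 10.0.10.1 255.255.255.0
!
interface Ethernet0/1.20
 vlan 20
 nameif servers
 security-level 50
 ip address 10.0.20.1 255.255.255.0
!
"""


def parse_native_vlans(show_trunk: str) -> dict:
    """Return {port: native_vlan} from the first table of `show interfaces trunk`."""
    native = {}
    in_table = False
    for line in show_trunk.splitlines():
        if line.startswith("Port") and "Native vlan" in line:
            in_table = True          # header row of the first table
            continue
        if in_table:
            if not line.strip():
                break                # blank line ends the first table
            fields = line.split()    # Port Mode Encapsulation Status Native
            if len(fields) >= 5 and fields[4].isdigit():
                native[fields[0]] = int(fields[4])
    return native


def parse_asa_subinterfaces(config: str) -> dict:
    """Return {interface_name: vlan_id} for every ASA interface with a `vlan` line.

    Physical interfaces have no `vlan` line, so only sub-interfaces are returned;
    traffic for the physical interface's own IP is the untagged (native) traffic.
    """
    subifs = {}
    current = None
    for line in config.splitlines():
        m = re.match(r"^interface (\S+)$", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"^\s+vlan (\d+)$", line)
        if m and current:
            subifs[current] = int(m.group(1))
    return subifs


def find_native_vlan_collisions(show_trunk: str, asa_config: str) -> list:
    """List (switch_port, native_vlan, asa_subinterface) triples that will not pass traffic."""
    native = parse_native_vlans(show_trunk)
    subifs = parse_asa_subinterfaces(asa_config)
    return [(port, nvlan, name)
            for port, nvlan in native.items()
            for name, vlan in subifs.items()
            if vlan == nvlan]


if __name__ == "__main__":
    for label, output in (("before", SWITCH_SHOW_TRUNK), ("after", SWITCH_SHOW_TRUNK_FIXED)):
        hits = find_native_vlan_collisions(output, ASA_CONFIG)
        print(f"{label}: {hits or 'no native VLAN collisions'}")
```

The script only looks at the first table of show interfaces trunk and pairs every trunk port against every ASA sub-interface, so on a switch with several trunks you would restrict it to the port that actually faces the ASA. Note that a native VLAN of 99 is only a real fix if no ASA sub-interface uses VLAN 99 either; the check above reports that case too.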

Discussion: Cisco’s implementation of the “native VLAN” on 802.1q trunk ports is clunky.  It is especially clunky because it’s not consistent across different devices made by Cisco.

More and more small and medium-sized networks are using their ASA firewalls to do inter-VLAN routing, but ASAs do not afford very much control over trunking or VLAN-related parameters.   At some point, hopefully Cisco will provide a more full-featured VLAN/trunk implementation for ASAs.

As it stands now, VLAN configuration on an ASA consists of simply adding the sub-interfaces for the VLANs, which in turn automatically enables 802.1q trunking on the physical port, and that’s that. If you want to have a so-called “native VLAN” on the ASA, you must assign the corresponding IP address to the physical interface, and cannot add a separate sub-interface for that VLAN. Since all Cisco switches have an explicit “native vlan” command, it would make sense to have a corresponding command that could be assigned to one of the ASA sub-interfaces. (Or maybe just get rid of native VLANs altogether, but that discussion will have to wait until another day!)

To Learn More:

