topic ASA Cluster Transparent Mode Dst MAC L2 Lookup Failed in Network Security

ASA Cluster Transparent Mode Dst MAC L2 Lookup Failed

Eugen Bitca — Fri, 21 Feb 2020 16:24:20 GMT

Hello,

Cluster Transparent Mode (2 units), only 1-2 flows to the same destination host are successful, all others fail.

If I remove a unit from cluster (anyone), everything is OK.

When I add a unit to the cluster, cluster is OK and healthy, but only 1-2 connections are OK.

Logs on firewall show a lot of connection with unknown destination:

Oct 27 2018 19:45:03 DRC-FW3 : %ASA-6-302023: Teardown stub TCP connection for inside324:10.44.32.201/80 to unknown:172.22.4.230/50814 duration 0:00:00 forwarded bytes 0 Forwarding or redirect flow removed to create director or backup flow

Also from asp show command I have a lot of: "Destination MAC L2 Lookup Failed"

What might be the problem with the cluster?

Thank you

Re: ASA Cluster Transparent Mode Dst MAC L2 Lookup Failed

balaji.bandi — Sat, 27 Oct 2018 21:43:27 GMT

if possible post both the ASA configuration and also output of below commands :

what is the the models of both the units.

show version
show arp-inspection
show mac-address-table

do you have any network topology ?

Re: ASA Cluster Transparent Mode Dst MAC L2 Lookup Failed

Eugen Bitca — Sun, 28 Oct 2018 05:06:39 GMT

Hello,

DRC-FW3/DRCFW-3(config)# cluster exec show version | i Version
DRCFW-3(LOCAL):*******************************************************
Cisco Adaptive Security Appliance Software Version 9.8(3)14
Firepower Extensible Operating System Version 2.2(2.107)
Device Manager Version 7.7(1)151
Baseboard Management Controller (revision 0x1) Firmware Version: 2.4

DRCFW-4:**************************************************************
Cisco Adaptive Security Appliance Software Version 9.8(3)14
Firepower Extensible Operating System Version 2.2(2.107)
Device Manager Version 7.7(1)151
Baseboard Management Controller (revision 0x1) Firmware Version: 2.4
DRC-FW3/DRCFW-3(config)#

DRC-FW3/DRCFW-3(config)# sh arp-inspection
interface                arp-inspection         miss
----------------------------------------------------
mgmt                     disabled                -
outside124            disabled                -
inside324              disabled                -

DRC-FW3/DRCFW-3(config)# sh arp
        outside124 10.44.32.2 188b.9da8.407f    207       //SVI on Core-S3
        outside124 10.44.32.3 188b.9da8.3f7f    6080       //SVI on COre-S4
        inside324 10.44.32.201 00c0.b7ff.0899    515       //Testing Host
        cluster 10.150.255.18 188b.9d1a.f650    10838

DRC-FW3/DRCFW-3(config)# show mac-address-table
interface                  mac address          type       Age(min)    bridge-group
----------------------------------------------------------------------------------------------------
outside124                 188b.9da8.3f7f        dynamic      4           1
outside124                 188b.9da8.407f        dynamic      5           1
inside324                  00c0.b7ff.0899        dynamic      3           1
DRC-FW3/DRCFW-3(config)#

Thank you