<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Intra context communication using a shared interface not working on ASA 8.2.5 in Network Security</title>
    <link>https://community.cisco.com/t5/network-security/intra-context-communication-using-a-shared-interface-not-working/m-p/1779632#M533897</link>
    <description>&lt;P&gt;Hi all,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I was hoping someone could help me with this problem. I have a pair of ASAs in multiple context mode and in a failover configuration. The contexts share an "internet" interface which they use to reach the outside world, and also in the case where one natted server from one context wants to talk to another natted server in another context. This intra-context traffic has always worked.&lt;/P&gt;&lt;P&gt;However, we have recently upgraded from version 8.2.2 to version 8.2.5, and since then, communication between the contexts using the shared interface is not working.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;This is a sample of the configuration&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;CONTEXT-ADMIN&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;interface GigabitEthernet0/2.1&lt;/P&gt;&lt;P&gt; mac-address 0016.001f.e251 standby 0016.001f.e252&lt;/P&gt;&lt;P&gt; nameif internet&lt;/P&gt;&lt;P&gt; security-level 0&lt;/P&gt;&lt;P&gt; ip address X.Y.Z.2 255.255.255.0 standby X.Y.Z.252 &lt;/P&gt;&lt;P&gt;!&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;CONTEXT-CTX1&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;interface GigabitEthernet0/2.1&lt;/P&gt;&lt;P&gt; mac-address 0016.001f.e241 standby 0016.001f.e242&lt;/P&gt;&lt;P&gt; nameif internet&lt;/P&gt;&lt;P&gt; security-level 0&lt;/P&gt;&lt;P&gt; ip address X.Y.Z.241 255.255.255.0 standby X.Y.Z.242 &lt;/P&gt;&lt;P&gt;!&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;As you can see, since this is a shared interface we set the mac-address of the interfaces. However, with this version (8.2.5) it seems that one context can't see natted IPs from other contexts. For example, I have natted a server on the CTX1 context with the public IP X.Y.Z.43, but from the ADMIN context I just can't see this IP. If I issue the show arp | i X.Y.Z.43 command, it gives me nothing. 
I also issued a capture command on the ADMIN context and I didn't see any traffic coming from the IP X.Y.Z.43 &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;If I remove the mac-address command from both of the contexts, I also get no results. Now I can see on the ARP tables the natted IPs of the other contexts, but it seems that the traffic gets stuck somewhere in the middle.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I'm pretty sure this could be because of a bug. I have downgraded one of the firewalls and made it the ACTIVE one, and this solved the problem. BUT I really would like to know if someone has faced this issue and in what version this could be fixed.&lt;/P&gt;</description>
    <pubDate>Mon, 11 Mar 2019 21:09:41 GMT</pubDate>
    <dc:creator>hector.ricapa</dc:creator>
    <dc:date>2019-03-11T21:09:41Z</dc:date>
    <item>
      <title>Intra context communication using a shared interface not working on ASA 8.2.5</title>
      <link>https://community.cisco.com/t5/network-security/intra-context-communication-using-a-shared-interface-not-working/m-p/1779632#M533897</link>
      <description>&lt;P&gt;Hi all,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I was hoping someone could help me with this problem. I have a pair of ASAs in multiple context mode and in a failover configuration. The contexts share an "internet" interface which they use to reach the outside world, and also in the case where one natted server from one context wants to talk to another natted server in another context. This intra-context traffic has always worked.&lt;/P&gt;&lt;P&gt;However, we have recently upgraded from version 8.2.2 to version 8.2.5, and since then, communication between the contexts using the shared interface is not working.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;This is a sample of the configuration&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;CONTEXT-ADMIN&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;interface GigabitEthernet0/2.1&lt;/P&gt;&lt;P&gt; mac-address 0016.001f.e251 standby 0016.001f.e252&lt;/P&gt;&lt;P&gt; nameif internet&lt;/P&gt;&lt;P&gt; security-level 0&lt;/P&gt;&lt;P&gt; ip address X.Y.Z.2 255.255.255.0 standby X.Y.Z.252 &lt;/P&gt;&lt;P&gt;!&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;CONTEXT-CTX1&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;interface GigabitEthernet0/2.1&lt;/P&gt;&lt;P&gt; mac-address 0016.001f.e241 standby 0016.001f.e242&lt;/P&gt;&lt;P&gt; nameif internet&lt;/P&gt;&lt;P&gt; security-level 0&lt;/P&gt;&lt;P&gt; ip address X.Y.Z.241 255.255.255.0 standby X.Y.Z.242 &lt;/P&gt;&lt;P&gt;!&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;As you can see, since this is a shared interface we set the mac-address of the interfaces. However, with this version (8.2.5) it seems that one context can't see natted IPs from other contexts. For example, I have natted a server on the CTX1 context with the public IP X.Y.Z.43, but from the ADMIN context I just can't see this IP. If I issue the show arp | i X.Y.Z.43 command, it gives me nothing. 
I also issued a capture command on the ADMIN context and I didn't see any traffic coming from the IP X.Y.Z.43 &lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;If I remove the mac-address command from both of the contexts, I also get no results. Now I can see on the ARP tables the natted IPs of the other contexts, but it seems that the traffic gets stuck somewhere in the middle.&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;I'm pretty sure this could be because of a bug. I have downgraded one of the firewalls and made it the ACTIVE one, and this solved the problem. BUT I really would like to know if someone has faced this issue and in what version this could be fixed.&lt;/P&gt;</description>
      <pubDate>Mon, 11 Mar 2019 21:09:41 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/intra-context-communication-using-a-shared-interface-not-working/m-p/1779632#M533897</guid>
      <dc:creator>hector.ricapa</dc:creator>
      <dc:date>2019-03-11T21:09:41Z</dc:date>
    </item>
    <item>
      <title>Intra context communication using a shared interface not working</title>
      <link>https://community.cisco.com/t5/network-security/intra-context-communication-using-a-shared-interface-not-working/m-p/1779633#M533899</link>
      <description>&lt;HTML&gt;&lt;HEAD&gt;&lt;/HEAD&gt;&lt;BODY&gt;&lt;P&gt;Hi Hector,&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;This is an interesting situation. You said downgrading to the older version fixes the issue? Can you paste the output of &lt;STRONG&gt;show run all sysopt&lt;/STRONG&gt; from both the contexts? I assume that the server has a 1:1 static NAT and not a port redirection, correct?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Instead of giving the interface different mac addresses, have you tried using the command &lt;STRONG&gt;mac-address auto&lt;/STRONG&gt; in the system mode to see if it affects anything?&lt;/P&gt;&lt;P&gt;&lt;/P&gt;&lt;P&gt;Regards,&lt;/P&gt;&lt;P&gt;Prapanch&lt;/P&gt;&lt;/BODY&gt;&lt;/HTML&gt;</description>
      <pubDate>Tue, 23 Aug 2011 19:04:05 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/intra-context-communication-using-a-shared-interface-not-working/m-p/1779633#M533899</guid>
      <dc:creator>praprama</dc:creator>
      <dc:date>2011-08-23T19:04:05Z</dc:date>
    </item>
  </channel>
</rss>

