topic Re: ASA cannot ping locally connected HSRP IP address in Network Security

ASA cannot ping locally connected HSRP IP address

mrshabbs — Fri, 21 Feb 2020 16:52:42 GMT

Following a recent power outage at a remote site we lost the ability to manage the asa pair through the mgmt vlan 100.

The setup at the site is an active/standby asa pair, connected to 2 x core switches via the mgmt vlan100.

Vlan100 terminates on the core switches with the respective SVI's, 172.16.100.252 & 172.16.100.253.

The cores are running hsrp and the vlan 100 virtual ip is 172.16.100.254.

The static route on the asa used for management was

S 172.16.2.0 255.255.255.192 [1/0] via 172.25.86.254, MANAGEMENT

Since the outage, from either asa it is possible to ping both svi's .252 & .253, but not the virtual IP 172.16.100.254

Therefore as a workaround we changed the static route to

S 172.16.2.0 255.255.255.192 [1/0] via 172.25.86.253, MANAGEMENT

and management was restored.

What I am trying to understand is why we can no longer ping the virtual hsrp ip address 172.25.86.254 directly from the asa. We have other devices on this vlan (i.e. firepower firewalls) and we can ping 172.25.86.254 from these devices, but not the asa's.

We have cleared the arp cache on the core switches and the asa's and we have since failed back the asa's but it still isnt possible to ping the hsrp ip 172.25.86.254 from the asa's.

f I run a debug ip icmp on either core switch I do not see any incoming packets when i issue the 'ping 172.16.100.254' from either asa.

Can anyone please offer any thoughts?

Thank you.

Re: ASA cannot ping locally connected HSRP IP address

Sheraz.Salim — Thu, 28 Feb 2019 10:10:19 GMT

my thoughts are when the power outrage happen and power restored the ASA come up online have change their role. by mean saying is asa read it flash memory/config and where ever was configured as primary or standby the role was chosen for these boxes.

Re: ASA cannot ping locally connected HSRP IP address

mrshabbs — Thu, 28 Feb 2019 10:51:51 GMT

Thanks but this doesn't explain why i cant ping a locally connected address - from either asa i can ping other addresses on the same subnet.

Re: ASA cannot ping locally connected HSRP IP address

Marvin Rhoads — Thu, 28 Feb 2019 13:01:38 GMT

I'm wondering if something is going on with the sysopt noproxyarp:

https://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/S/cmdref3/s17.html#pgfId-1572088

It may have been in place but not saved before the outage.

I would capture the traffic from the ASA when trying the ping filtering on the HSRP virtual address.

Re: ASA cannot ping locally connected HSRP IP address

mrshabbs — Fri, 01 Mar 2019 08:20:39 GMT

Hi Marvin

I have disabled proxyarp on the mgmt interface, this has made no difference.

I ran a capture on the arp traffic on the asa, if I am interpreting the output correctly then no response is being received?

432: 07:26:39.422738 00c8.8b16.da73 ffff.ffff.ffff 0x0806 Length: 42
arp who-has 172.25.100.254 tell 172.25.100.8
433: 07:26:44.422738 00c8.8b16.da73 ffff.ffff.ffff 0x0806 Length: 42
arp who-has 172.25.100.254 tell 172.25.100.8

I have run a debug arp on the core switch but I cannot see any arp requests?

Any ideas?

Cheers

Re: ASA cannot ping locally connected HSRP IP address

Marvin Rhoads — Fri, 01 Mar 2019 11:22:13 GMT

Can you give us a more complete network picture?

You mention 172.25.100.254 is what you are trying to reach. Your ASA's source address is 172.25.100.8 per the output your shared.

However in your first post you mentioned 172.25.86.254 as a gateway in your static route. How does that relate to the 172.25.100.x subnet?