We have the following setup:
A catalyst6500 12.2(33)SXI6 with a FWSM 3.2(18) and an ASA5585 8.4.3(9) connected, plus the same a second time with HSRP on the catalyst and Active/Standby on both firewalls.
The FWSM and ASA have both several Contextes configured, all in transparent mode. Each Context has a Bridge Group configured with two vlans, on the firewall called inside and outside.
Since we have some first Context on the new ASA we have some short outages of all network traffic a few times a day. After searching through the firewall logs, I discovered at exactly that time an Event 412001 with the mac address of the SVI of the Catalyst. This always takes 30 seconds on the ASA. First the mac is moved from outside (where it should be) to inside and then after 30 seconds back to outside.
After I've found that, I also checked the FWSM logs and actually also found this error. The only difference was that the FWSM takes under 1 second to move the mac twice. Thus the users and systems doesn't register this issue.
I'm open for ideas now. I've tried now to set the mac-address-table timeout to 720 minutes on the ASA, just to see if that helps.
Some other information:
- the SVI on the Cat exist only for the outside (it's HSRP IP is the clients primary gateway)
- the SVI is in this example 1140
- the outside on the ASA is bound to vlan 1140, the inside to vlan 140
- vlan 1140 is only known to the Catalyst in the rest of the network
Here an output of the catalyst:
6509R-1250#sh mac add | inc 0000.0c07.ac00 !!!!!!!output filtered for only vlan 140 and 1140, Po100 is the connection to ASA
140 0000.0c07.ac00 dynamic Yes 5 Po100
* 1140 0000.0c07.ac00 static No - Router
Anybody any ideas?
I hope I didn't forget anything....
"Shameless" bump of my message.
I've checked the STP topology changes in the mean time. They are much more rare the the 412001 events.
Still having the issue, TAC case now open. Might be hitting http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtr38739&Submit=Search, but not sure yet. Received now release ASA 841-52, as a downgrade (from 8.4.3 to 8.4.2) did not fix it.
Also removing HSRP did not help (we run VSS now, which again shares the same MAC address on all it's SVIs).
It seems to happen more often if we have a lot of STP changes. We use PV-RSTP.
Will keep you updated.
May be some captures on the ASA and see what packets are coming for that MAC address on the wrong interface ???
Is there a way to make a capture based on mac address?
Because it happens only 0-4 times a day and has otherwise a lot of traffic.
No not really solved. The workaround we have implemented is to add the mac address, of the virtual interface on the catalyst, manually on the outside interface of each context on the firewall.
Yes, there is a way to capture MAC Addresses in a Cisco FW.
access-list TEST permit ip host 220.127.116.11 host 18.104.22.168
access-list TEST permit ip host 22.214.171.124 host 126.96.36.199
capture TEST access-list TEST in interface inside
show capture TEST detail
The keyword "detail" will display more information for each packet - like src dst mac address, ttl, ip id. For more information on this, please refer to this Cisco document https://supportforums.cisco.com/docs/DOC-17814
P/S: if you think this comment is helpful, please do rate them nicely :-)
Ok, that is what I feared. I fear it's some kind of broadcast/multicast traffic that leads to this problem. But so far no solution other than the workaround.