05-16-2012 01:17 AM - edited 03-11-2019 04:07 PM
Hi
We have the following setup:
A Catalyst 6500 12.2(33)SXI6 with an FWSM 3.2(18) and an ASA 5585 8.4.3(9) connected, plus the same setup a second time, with HSRP on the Catalyst and Active/Standby on both firewalls.
The FWSM and ASA both have several contexts configured, all in transparent mode. Each context has a bridge group configured with two VLANs, called inside and outside on the firewall.
Since we have the first contexts on the new ASA, we have short outages of all network traffic a few times a day. After searching through the firewall logs, I discovered at exactly that time an event 412001 with the MAC address of the SVI of the Catalyst. This always takes 30 seconds on the ASA. First the MAC is moved from outside (where it should be) to inside, and then after 30 seconds back to outside.
After I found that, I also checked the FWSM logs and actually found this error there too. The only difference was that the FWSM takes under 1 second to move the MAC twice. Thus the users and systems don't notice this issue.
I'm open to ideas now. I've now tried setting the mac-address-table timeout to 720 minutes on the ASA, just to see if that helps.
Some other information:
- the SVI on the Cat exists only for the outside (its HSRP IP is the clients' primary gateway)
- the SVI is in this example 1140
- the outside on the ASA is bound to vlan 1140, the inside to vlan 140
- vlan 1140 is only known to the Catalyst in the rest of the network
Here is an output from the Catalyst:
6509R-1250#sh mac add | inc 0000.0c07.ac00 !!!!!!!output filtered for only vlan 140 and 1140, Po100 is the connection to ASA
140 0000.0c07.ac00 dynamic Yes 5 Po100
* 1140 0000.0c07.ac00 static No - Router
Anybody any ideas?
I hope I didn't forget anything....
Thanks,
Patrick
05-31-2012 07:17 AM
"Shameless" bump of my message.
I've checked the STP topology changes in the meantime. They are much rarer than the 412001 events.
07-24-2012 07:52 AM
Still having the issue, TAC case now open. Might be hitting http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtr38739&Submit=Search, but not sure yet. Have now received release ASA 841-52, as a downgrade (from 8.4.3 to 8.4.2) did not fix it.
Also removing HSRP did not help (we run VSS now, which again shares the same MAC address on all its SVIs).
It seems to happen more often if we have a lot of STP changes. We use PV-RSTP.
Will keep you updated.
07-24-2012 01:53 PM
Maybe take some captures on the ASA and see what packets are coming in for that MAC address on the wrong interface???
cheers.
Mohammad .
07-24-2012 11:37 PM
Is there a way to make a capture based on MAC address?
Because it happens only 0-4 times a day and there is otherwise a lot of traffic.
12-07-2015 03:36 PM
I've seen your post, which dates 4 yrs back. Have you actually solved this problem with Cisco?
Rgds
bonn
01-04-2016 01:10 AM
Hi Bonn
No, not really solved. The workaround we have implemented is to add the MAC address of the virtual interface on the Catalyst manually on the outside interface of each context on the firewall.
Patrick
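The two observations in this thread that matter for detection are the 412001 "MAC moved" syslog pairs (the original post) and the static-MAC workaround (the reply above). The following is an added example, not code from the thread or from Cisco: it parses constructed sample syslog lines in the 412001 format ("MAC <mac> moved from <if1> to <if2>"), pairs each move off the expected interface with the move back, reports how long the MAC sat on the wrong interface (30 s on the ASA versus under 1 s on the FWSM, as described), and emits the corresponding static entries. The host names, timestamps and log lines are constructed; the `mac-address-table static <interface> <mac>` syntax is assumed from the ASA transparent-mode command reference and should be verified against your release.

```python
import re
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed sample log lines (not from the thread's devices) in the
# ASA/FWSM 412001 format. One unrelated 302013 line is included to show
# that non-412001 messages are ignored.
SAMPLE_LOG = """\
May 16 2012 01:05:02 asa-ctx1 %ASA-4-412001: MAC 0000.0c07.ac00 moved from outside to inside
May 16 2012 01:05:32 asa-ctx1 %ASA-4-412001: MAC 0000.0c07.ac00 moved from inside to outside
May 16 2012 03:11:10 fwsm-ctx1 %FWSM-4-412001: MAC 0000.0c07.ac00 moved from outside to inside
May 16 2012 03:11:10 fwsm-ctx1 %FWSM-4-412001: MAC 0000.0c07.ac00 moved from inside to outside
May 16 2012 04:00:00 asa-ctx1 %ASA-6-302013: Built inbound TCP connection 12345 for outside:10.0.0.1/1234
May 16 2012 07:40:55 asa-ctx1 %ASA-4-412001: MAC 0000.0c07.ac00 moved from outside to inside
"""

MOVE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) %(?:ASA|FWSM)-\d-412001: "
    r"MAC (?P<mac>[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}) "
    r"moved from (?P<src>\S+) to (?P<dst>\S+)$"
)


def parse_mac_moves(log_text: str) -> List[Dict]:
    """Extract 412001 events as dicts, sorted by timestamp."""
    moves = []
    for line in log_text.splitlines():
        m = MOVE_RE.match(line.strip())
        if not m:
            continue  # any other syslog ID is not a MAC move
        moves.append({
            "ts": datetime.strptime(m.group("ts"), "%b %d %Y %H:%M:%S"),
            "host": m.group("host"),
            "mac": m.group("mac").lower(),
            "src": m.group("src"),
            "dst": m.group("dst"),
        })
    moves.sort(key=lambda r: r["ts"])  # stable: same-second lines keep file order
    return moves


def find_flaps(moves: List[Dict], expected_iface: str = "outside") -> List[Dict]:
    """Pair each move away from expected_iface with the move back.

    A flap whose return has not been logged yet gets returned_at/seconds = None,
    which is the state where clients are actually losing traffic."""
    open_flaps: Dict[Tuple[str, str], Tuple[datetime, str]] = {}
    flaps: List[Dict] = []
    for mv in moves:
        key = (mv["host"], mv["mac"])
        if mv["src"] == expected_iface and mv["dst"] != expected_iface:
            open_flaps[key] = (mv["ts"], mv["dst"])
        elif mv["dst"] == expected_iface and key in open_flaps:
            left_at, wrong_iface = open_flaps.pop(key)
            flaps.append({
                "host": mv["host"], "mac": mv["mac"], "wrong_iface": wrong_iface,
                "left_at": left_at, "returned_at": mv["ts"],
                "seconds": (mv["ts"] - left_at).total_seconds(),
            })
    for (host, mac), (left_at, wrong_iface) in open_flaps.items():
        flaps.append({"host": host, "mac": mac, "wrong_iface": wrong_iface,
                      "left_at": left_at, "returned_at": None, "seconds": None})
    flaps.sort(key=lambda f: f["left_at"])
    return flaps


def static_mac_workaround(flaps: List[Dict], iface: str = "outside") -> List[str]:
    """Build the pinning lines from the thread's workaround, one per flapping MAC.

    Assumed syntax: 'mac-address-table static <interface> <mac>' (ASA transparent mode)."""
    macs = sorted({f["mac"] for f in flaps})
    return [f"mac-address-table static {iface} {mac}" for mac in macs]


if __name__ == "__main__":
    found = find_flaps(parse_mac_moves(SAMPLE_LOG))
    for f in found:
        dur = "still away" if f["seconds"] is None else f"{f['seconds']:.0f}s"
        print(f"{f['host']}: {f['mac']} on {f['wrong_iface']} for {dur} from {f['left_at']}")
    print("\n".join(static_mac_workaround(found)))
```

Run it against real exported syslog and the `seconds` column separates the harmless sub-second FWSM flaps from the 30-second ASA ones; an entry with `returned_at` of `None` at the end of the file is a MAC that is currently on the wrong interface. The static entries only suppress the symptom, as the thread itself notes, so keep the detection running after applying them.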
07-28-2012 01:29 AM
Hi Bro
Yes, there is a way to capture MAC addresses in a Cisco FW.
Example
access-list TEST permit ip host 1.1.1.1 host 2.2.2.2
access-list TEST permit ip host 2.2.2.2 host 1.1.1.1
capture TEST access-list TEST in interface inside
show capture TEST detail
The keyword "detail" will display more information for each packet, like src/dst MAC address, TTL, IP ID. For more information on this, please refer to this Cisco document: https://supportforums.cisco.com/docs/DOC-17814
P/S: if you think this comment is helpful, please rate it nicely :-)
08-06-2012 05:06 AM
OK, that is what I feared. I fear it's some kind of broadcast/multicast traffic that leads to this problem. But so far no solution other than the workaround.