01-14-2016 02:10 PM - edited 03-12-2019 12:08 AM
We have an ASA that's on our network edge connecting clients to our network. We have an L2 switch on the outside interface and an L3 switch on the inside which acts as the next hop for our clients. So it's kind of like this:
vpn device (177.5) ------| |------ client ASA (247.20) --- L2 switch ---- ASA trans mode ---- L3 switch (192.168.247.1) ---------------| |------------ my vpn device (229.2)
This works fine as long as traffic is going inside-out. Now we are trying to set up a VPN tunnel passing through the firewall. The tunnel comes up, but after 4 hours the connection drops. We are seeing the client's ISAKMP/ICMP messages on both the inside and outside interface of the firewall, but the L3 switch seems to not be forwarding anything; after 2-3 minutes it comes back. We suspect it's an ARP issue, so we have tried putting a static entry in the L3 switch, but that didn't work. We tried adding proxy ARP in the ASA for the client's (192.168.247.20) IP address; that didn't work either.
L3switch#show ip arp
Internet 192.168.247.20 47 80e0.1d4a.2c13 ARPA Vlan150
These are captures at the interface of the L3 switch facing the inside of the firewall (229.2 is my VPN device, 177.5 is on the client's end):
192.168.177.5 192.168.229.2 ICMP 65 Echo (ping) request id=0x04d7, seq=52197/58827, ttl=117 (no response found!)
A ping to my L3 switch SVI (next hop) from the client:
192.168.177.5 192.168.247.1 ICMP 65 Echo (ping) request id=0x04d7, seq=52198/59083, ttl=117 (no response found!)
This is ISAKMP traffic initiated by me; the client responds, but I don't get that reply:
192.168.229.2 192.168.177.5 ISAKMP 250 Identity Protection (Main Mode)
192.168.177.5 192.168.229.2 ISAKMP 170 Identity Protection (Main Mode)
This happens while other traffic flows go by unaffected.
01-14-2016 03:51 PM
OK, this is what I found.
I tried to ping the L3 switch SVI from the L2 switch; I couldn't, so
I did a show ip arp:
Protocol Address Age (min) Hardware Addr Type Interface
Internet 192.168.247.1 170 6c41.6a1f.3106 ARPA Vlan150 (wrong)
The correct ARP should be:
inside 192.168.247.1 2401.c724.4e40 485
So the capture I did before showed that even though packets were supposed to arrive at IP 192.168.247.1, the MAC was not the SVI's but the firewall's MAC, and that's why the L3 switch rejects the frames.
I did a static ARP entry in the L2 switch and got the ping to work. So the firewall is messing up. How can I fix this, or do I need to instruct the client to add a static ARP entry as well?
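The finding above (the L2 switch's ARP entry for the SVI 192.168.247.1 carrying the firewall's MAC instead of the SVI's) is the kind of thing a small script can catch before a tunnel drops. The following is an added example written for this thread, not code from the original poster or from Cisco: it parses IOS "show ip arp" rows and ASA "show arp" rows in the formats pasted in the posts (those formats are an assumption taken from the pasted lines), treats the ASA's view as the reference MAC for each IP, and flags entries whose MAC disagrees. It also flags entries older than a chosen age, because the "drops after 4 hours" symptom in the first post matches the IOS default ARP cache timeout of 4 hours (14400 seconds). The sample tables are constructed from the rows in the posts plus one healthy row.

```python
"""Compare an IOS 'show ip arp' table against a reference ARP view and flag
entries whose MAC disagrees or that have aged past a threshold.

Added example for this thread, not the poster's code. Row formats are
assumed from the lines pasted in the posts:
  IOS 'show ip arp':  Internet <ip> <age-min> <mac> ARPA <interface>
  ASA 'show arp':     <interface> <ip> <mac> <age-sec>
"""
import re

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
CISCO_MAC = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"

# IOS row, e.g. "Internet 192.168.247.1 170 6c41.6a1f.3106 ARPA Vlan150"
IOS_ARP_RE = re.compile(
    rf"^Internet\s+(?P<ip>{IPV4})\s+(?P<age>\d+|-)\s+(?P<mac>{CISCO_MAC})\s+ARPA\s+(?P<intf>\S+)",
    re.IGNORECASE,
)
# ASA row, e.g. "inside 192.168.247.1 2401.c724.4e40 485"
ASA_ARP_RE = re.compile(
    rf"^(?P<intf>\S+)\s+(?P<ip>{IPV4})\s+(?P<mac>{CISCO_MAC})\s+(?P<age>\d+|-)",
    re.IGNORECASE,
)


def parse_ios_arp(text):
    """Return one dict {ip, mac, age_min, intf} per IOS ARP row; headers are skipped."""
    entries = []
    for line in text.splitlines():
        m = IOS_ARP_RE.match(line.strip())
        if m:
            age = None if m["age"] == "-" else int(m["age"])
            entries.append({"ip": m["ip"], "mac": m["mac"].lower(),
                            "age_min": age, "intf": m["intf"]})
    return entries


def parse_asa_arp(text):
    """Return {ip: mac} from ASA 'show arp' rows; used as the reference view."""
    reference = {}
    for line in text.splitlines():
        m = ASA_ARP_RE.match(line.strip())
        if m:
            reference[m["ip"]] = m["mac"].lower()
    return reference


def find_mismatches(ios_entries, reference, max_age_min=None):
    """Flag IOS entries whose MAC differs from the reference for the same IP
    ('mac-mismatch') and, if max_age_min is given, entries older than that
    many minutes ('stale'). Returns a list of the flagged entries."""
    findings = []
    for e in ios_entries:
        expected = reference.get(e["ip"])
        if expected is not None and expected != e["mac"]:
            findings.append({**e, "expected_mac": expected, "reason": "mac-mismatch"})
        elif max_age_min is not None and e["age_min"] is not None and e["age_min"] > max_age_min:
            findings.append({**e, "expected_mac": expected, "reason": "stale"})
    return findings


# Constructed sample input: the rows pasted in the posts plus one healthy row.
L2SWITCH_SHOW_IP_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.168.247.1          170   6c41.6a1f.3106  ARPA   Vlan150
Internet  192.168.247.20          47   80e0.1d4a.2c13  ARPA   Vlan150
"""
ASA_SHOW_ARP = """\
        inside 192.168.247.1 2401.c724.4e40 485
        inside 192.168.247.20 80e0.1d4a.2c13 47
"""


def run_check():
    """Run the comparison on the constructed sample and return the findings."""
    return find_mismatches(parse_ios_arp(L2SWITCH_SHOW_IP_ARP), parse_asa_arp(ASA_SHOW_ARP))


if __name__ == "__main__":
    for f in run_check():
        print(f"{f['ip']} on {f['intf']}: table has {f['mac']}, reference says "
              f"{f['expected_mac']} ({f['reason']}, age {f['age_min']} min)")
```

On the sample above the only finding is 192.168.247.1: the L2 switch holds 6c41.6a1f.3106 while the reference reports 2401.c724.4e40. Feeding it live output from both devices on a schedule gives an early warning of the mismatch rather than waiting for the tunnel to fail.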
02-25-2016 09:08 AM
OK, so the problem was fixed by telling the client to put a static ARP entry on his firewall. And I won't be using transparent firewalls going forward, since I could not find the cause of this.