ASA 8.6 TRANSPARENT MODE RESETTING CONNECTION EVERY 4 HOURS

JRDIAZ758
Level 1

We have an ASA that's on our network edge connecting clients to our network. We have an L2 switch on the outside interface and an L3 on the inside which acts as a next hop for our clients. So it's kind of like this:

vpn device------|  |------client ASA ---L2 switch---- ASA trans mode---- L3switch---------------| |------------my vpn device

177.5                             247.20                                                           192.168.247.1                                 229.2

This works fine as long as traffic is going inside-out. Now we are trying to set up a VPN tunnel passing through the firewall. The tunnel comes up, but after 4 hours the connection drops. We are seeing the client's ISAKMP/ICMP messages on both the inside and outside interface of the firewall, but the L3 switch seems to not be forwarding anything; after 2-3 minutes it comes back. We suspect it's an ARP issue, so we have tried putting a static entry in the L3 switch, but that didn't work. We tried adding proxy ARP in the ASA for the client's (192.168.247.20) IP address; that didn't work.

L3switch#show ip arp 
Internet 192.168.247.20 47 80e0.1d4a.2c13 ARPA Vlan150

These are captures at the interface of the L3 switch facing the inside of the firewall. (229.2 is my VPN device, 177.5 is on the client's end.)

192.168.177.5 192.168.229.2   ICMP  65  Echo (ping) request  id=0x04d7, seq=52197/58827, ttl=117 (no response found!)

A ping to my L3 switch SVI (next hop) from the client:

192.168.177.5 192.168.247.1 ICMP 65 Echo (ping) request id=0x04d7, seq=52198/59083, ttl=117 (no response found!)

This is ISAKMP traffic initiated by me; the client responds, but I don't get that reply:

192.168.229.2    192.168.177.5 ISAKMP 250 Identity Protection (Main Mode)
192.168.177.5      192.168.229.2 ISAKMP 170 Identity Protection (Main Mode)

This happens while other traffic flows go by unaffected.

2 Replies

JRDIAZ758
Level 1

OK, this is what I found.

I tried to ping the L3 switch SVI from the L2 switch; I couldn't, so

I did a show ip arp:

Protocol Address Age (min) Hardware Addr Type Interface
Internet 192.168.247.1   170    6c41.6a1f.3106   ARPA Vlan150  (wrong)


The correct ARP should be:

   inside 192.168.247.1 2401.c724.4e40 485

So now the capture I did before showed that even though packets were supposed to arrive at IP 192.168.247.1, the MAC was not the SVI's but the firewall's MAC, and that's why the L3 switch rejects the frames.

I did a static ARP entry in the L2 switch and got the ping to work. So the firewall is messing up. How can I fix this, or do I need to instruct the client to add a static ARP entry as well?

OK, so the problem was fixed by telling the client to put a static ARP entry on his firewall. And I won't be using transparent firewalls going forward, since I could not find the cause of this.
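The diagnosis above came from comparing two ARP tables by eye: the L2 switch had learned the firewall's MAC for the gateway IP, while the ASA's own table held the SVI's real MAC. As an added example that is not part of this thread and not a Cisco tool, the Python below parses IOS "show ip arp" and ASA "show arp" output in the line formats shown in the thread, normalizes the MAC addresses, and flags a gateway entry whose MAC differs from a trusted reference, plus any MAC that several IPs resolve to, which is what a misbehaving bridge (or an ARP spoofer) produces. The sample tables reuse the thread's own entries plus one constructed line; the expected-MAC map and the function names are assumptions for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Cisco IOS "show ip arp" line, e.g.:
#   Internet 192.168.247.1   170    6c41.6a1f.3106   ARPA Vlan150
IOS_ARP_RE = re.compile(
    r"^Internet\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+(?P<age>\d+|-)\s+"
    r"(?P<mac>[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})\s+ARPA\s+(?P<iface>\S+)"
)

# Cisco ASA "show arp" line, e.g.:
#   inside 192.168.247.1 2401.c724.4e40 485
ASA_ARP_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<mac>[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})\s+(?P<age>\d+|-)"
)


@dataclass(frozen=True)
class ArpEntry:
    ip: str
    mac: str            # normalized to lowercase aa:bb:cc:dd:ee:ff
    iface: str
    age: Optional[int]  # None for a static entry (shown as "-")


def normalize_mac(mac: str) -> str:
    """Accept Cisco dotted (aabb.ccdd.eeff), colon or dash forms; return aa:bb:cc:dd:ee:ff."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def parse_arp(text: str, line_re: "re.Pattern[str]") -> Dict[str, ArpEntry]:
    """Parse one device's ARP output into {ip: ArpEntry}; header and unmatched lines are skipped."""
    entries: Dict[str, ArpEntry] = {}
    for line in text.splitlines():
        m = line_re.match(line.strip())
        if not m:
            continue
        age = None if m["age"] == "-" else int(m["age"])
        entries[m["ip"]] = ArpEntry(m["ip"], normalize_mac(m["mac"]), m["iface"], age)
    return entries


def check_expected_macs(entries: Dict[str, ArpEntry],
                        expected: Dict[str, str]) -> List[Tuple[str, Optional[str], str]]:
    """Return (ip, seen_mac_or_None, expected_mac) for every reference IP that is missing or wrong."""
    findings = []
    for ip, want in expected.items():
        want_n = normalize_mac(want)
        entry = entries.get(ip)
        if entry is None:
            findings.append((ip, None, want_n))
        elif entry.mac != want_n:
            findings.append((ip, entry.mac, want_n))
    return findings


def find_shared_macs(entries: Dict[str, ArpEntry]) -> Dict[str, List[str]]:
    """Return {mac: [ips]} for MACs that answer for more than one IP (bridge/proxy-ARP/spoof indicator)."""
    by_mac: Dict[str, List[str]] = {}
    for entry in entries.values():
        by_mac.setdefault(entry.mac, []).append(entry.ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


# Sample input: the thread's L2-switch entries plus one constructed line (192.168.247.30).
L2_SWITCH_ARP = """Protocol Address Age (min) Hardware Addr Type Interface
Internet 192.168.247.1   170    6c41.6a1f.3106   ARPA Vlan150
Internet 192.168.247.20  47     80e0.1d4a.2c13   ARPA Vlan150
Internet 192.168.247.30  12     6c41.6a1f.3106   ARPA Vlan150
"""

# Sample input: the ASA inside-interface entry from the thread.
ASA_ARP = """inside 192.168.247.1 2401.c724.4e40 485
"""

# Assumed trusted reference: the SVI's real MAC as the ASA sees it on its inside interface.
EXPECTED_GATEWAY = {"192.168.247.1": "2401.c724.4e40"}


def audit(arp_text: str, line_re: "re.Pattern[str]"):
    """Run both checks over one device's output; returns (mismatches, shared_macs)."""
    entries = parse_arp(arp_text, line_re)
    return check_expected_macs(entries, EXPECTED_GATEWAY), find_shared_macs(entries)


if __name__ == "__main__":
    for name, text, line_re in (("L2 switch", L2_SWITCH_ARP, IOS_ARP_RE), ("ASA", ASA_ARP, ASA_ARP_RE)):
        mismatches, shared = audit(text, line_re)
        print(f"{name}: gateway mismatches={mismatches} shared_macs={shared}")
```

Run against the thread's tables, the L2 switch is reported with the gateway resolving to the firewall's MAC and that MAC shared by two IPs, while the ASA's own view is clean. Feeding it periodic "show ip arp" output from the next-hop switch would have caught the bad entry at the moment it appeared rather than four hours later when the tunnel dropped.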
