06-14-2013 10:48 AM - edited 03-11-2019 06:58 PM
I have configured a lot of ASAs and now met a problem I can not even understand.
topology:
inside_device-1 ----- --------outside_router-1
|____________ transparent_ASA_pair_________|
| |
inside_device-2 ----- --------outside_router-2
- inside and outside are different vlans
- both vlans same IP subnet
- transparent ASA has BVI ip address from the same ip subnet
Outside direction works from both ASA,
- ping works back and forth (from ASA BVI to outside router physical and HSRP IPs
- physical and HSRP MACs are in the arp cache of ASA
Inside direction does not work
- no arp reply to ASA from inside direction
debug output (addresses replaced)
asa-2/internet# debug arp
debug arp enabled at level 1
asa-2/internet# ping 10.1.1.25
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.1.1.25, timeout is 2 seconds:
arp-req: generating request for 10.1.1.25 at interface outside
arp-send: arp request built from 10.1.1.24 10f3.11ad.b5a6 for 10.1.1.25 at 105087300
arp-req: generating request for 10.1.1.25 at interface inside
arp-send: arp request built from 10.1.1.24 10f3.11ad.b5a6 for 10.1.1.25 at 105087300
arp-req: generating request for 10.1.1.25 at interface outside
arp-req: request for 10.1.1.25 still pending
arp-req: generating request for 10.1.1.25 at interface inside
arp-req: request for 10.1.1.25 still pending
arp-send: arp request built from 10.1.1.24 10f3.11ad.b5a6 for 10.1.1.25 at 105089030
arp-send: arp request built from 10.1.1.24 10f3.11ad.b5a6 for 10.1.1.25 at 105089030
arp-req: generating request for 10.1.1.25 at interface outside
arp-req: request for 10.1.1.25 still pending
arp-req: generating request for 10.1.1.25 at interface inside
arp-req: request for 10.1.1.25 still pending
arp-send: arp request built from 10.1.1.24 10f3.11ad.b5a6 for 10.1.1.25 at 105090030
arp-send: arp request built from 10.1.1.24 10f3.11ad.b5a6 for 10.1.1.25 at 105090030
No route to host 10.1.1.25
Success rate is 0 percent (0/1)
- no aro reply from ASA to inside direction
Has anyone ever met this problem?
Thanks for any help.
06-14-2013 12:59 PM
Hello Sr,
So no ARP for the inside hosts but for the outside interface we do see the ARP mapping,
Does this happen with all of the inside hosts?
What are the devices u have on the inside (Router, L3 switches running HSRP, PCs, or what)?
If u set a SPAN session on the switch between the devices do you see the Inside devices replying with an ARP reply?
Regards
Remember to rate all of the helpful posts.
For this community that's as important as a thanks.
06-14-2013 02:20 PM
Hello,
There are two ACE loadbalancers inside with hsrp - nothing else.
If the outside HSRP router peer and the ACE HSRP peer configured to the same vlan on the switch there is no problem - so the transpőarent ASA peer must be the cause.
A have configured this scenario several times with older ASA OS versions, but never experienced this problem
I will try SPAN on monday. Thanks.
The configs are double-triple checked but here they are for one ASA:
system ctx:
: Saved
:
ASA Version 9.1(2)
!
hostname xxxxxxx
domain-name xxx.xxxx
enable password xxxxxxxxxx encrypted
no mac-address auto
!
interface GigabitEthernet0/0
channel-group 1 mode active
!
interface GigabitEthernet0/1
channel-group 1 mode active
!
interface GigabitEthernet0/2
shutdown
!
interface GigabitEthernet0/3
shutdown
!
interface GigabitEthernet0/4
shutdown
!
interface GigabitEthernet0/5
shutdown
!
interface GigabitEthernet0/6
shutdown
!
interface GigabitEthernet0/7
shutdown
!
interface Management0/0
!
interface Management0/0.1
no vlan
!
interface Management0/1
shutdown
!
interface TenGigabitEthernet0/8
shutdown
!
interface TenGigabitEthernet0/9
shutdown
!
interface Port-channel1
!
interface Port-channel1.100
vlan 100
!
interface Port-channel1.101
vlan 101
!
class default
limit-resource All 0
limit-resource ASDM 5
limit-resource SSH 5
limit-resource Telnet 5
!
boot system disk0:/asa912-smp-k8.bin
ftp mode passive
pager lines 24
no failover
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
console timeout 0
!
tls-proxy maximum-session 1000
!
admin-context admin
context admin
allocate-interface Management0/0
config-url disk0:/admin.cfg
!
context internet
allocate-interface Port-channel1.100-Port-channel1.101
config-url disk0:/internet.cfg
!
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:cb9df5e65ffdf8797bbebc91533c728f
: end
_______________________________________________________________________________
admin ctx:
: Saved
:
ASA Version 9.1(2)
!
firewall transparent
hostname xxxxxxxxx
domain-name xxxxx.xxx
enable password xxxxxxxxxx encrypted
names
!
interface Management0/0
management-only
nameif management
security-level 0
ip address 10.2.66.24 255.255.255.0
!
dns server-group DefaultDNS
domain-name xxxx.xxx
pager lines 24
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authorization exec LOCAL
http server enable
http 10.2.66.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
telnet 10.2.66.0 255.255.255.0 management
telnet timeout 5
ssh 10.2.66.0 255.255.255.0 management
ssh timeout 5
ssh key-exchange group dh-group1-sha1
no threat-detection statistics tcp-intercept
username admin password cEphDisSbQ5q1TCp encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
Cryptochecksum:49898dfe99c79482a544026173b7caa0
: end
_______________________________________________________________________________
internet ctx:
: Saved
:
ASA Version 9.1(2)
!
firewall transparent
hostname internet
domain-name xxxxxxx.xxx
enable password xxxxxxxx encrypted
names
!
interface BVI1
ip address 10.1.1.24 255.255.255.0
!
interface Port-channel1.100
nameif outside
bridge-group 1
security-level 0
!
interface Port-channel1.101
nameif inside
bridge-group 1
security-level 100
!
dns server-group DefaultDNS
domain-name xxxxx.xxxxx
access-list outside_access_in extended permit ip any any
pager lines 24
mtu outside 1500
mtu inside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
access-group outside_access_in in interface outside
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
telnet timeout 5
ssh timeout 5
ssh key-exchange group dh-group1-sha1
no threat-detection statistics tcp-intercept
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
!
service-policy global_policy global
Cryptochecksum:ae5fbce2502a327be74ca477c5c141fe
: end
06-14-2013 04:30 PM
Hello,
Great, keep me posted
Remember to rate all of the helpful posts.
For this community that's as important as a thanks.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide