cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
906
Views
0
Helpful
4
Replies

ASA behavior when plugging it under load

oncpicsu2010
Level 1
Level 1

Hello,

maybe the title is not very clear, but I'll try to describe my problem here.

Currently we have a PIX 515e as our entry point. Our ISP give us an ethernet link that we plug in the Ethernet 0 port. In the Ethernet 1 port we plug a cable to our switch. We have a bunch of public IPs which are NATed by the PIX, for example, the IP 194.76.163.58 is our public IP, which is NATed to the inside server 192.168.192.58.

Recently we bought an ASA 5510. I exported the config of the PIX, and run the commands in the ASA. The ASA is still using version 7.0 so the commands are compatible (except for some but those are not a problem).

I tested the ASA using a laptop plugged in the outside interface, and a desktop plugged in the inside interface, there the NAT is working.

As we cannot take down the production PIX, not even the night, what we are trying to do is pre configure the ASA, take the ISP ethernet cable, plug it in the outside interface from the ASA, and take the cable from the switch then plug it in the inside interface.

The thing is when I do this, there is no traffic passing through, and the real-time log viewer in the ASDM isn't helping me, it only shows a lot of "Deny TCP (no connection) from *** to ***/80 flags FIN ACK on interface outside", but if I'm not mistaken these are normal since the ASA has no idea of the connections managed by the PIX.

Maybe there is nothing I'm missing in the configuration of the ASA, but I'm wondering, isn't it possible that the ASA take some time to handle all the connections ? We have approximatively 4000 HTTP connections passing through every 10 seconds.

Thanks in advance.

4 Replies 4

Jennifer Halim
Cisco Employee
Cisco Employee

There will definitely be no hot swapable from your PIX firewall to ASA firewall. Existing connection from the PIX firewall will definitely be broken after moving it to the ASA firewall. First of all, MAC address of all the neighbouring devices needs to be cleard because if you are configuring exactly the same ip addresses, then it needs to refresh the ARP entries before it can pass traffic again. All the existing connections from the PIX firewall will break as there is no stateful failover from your PIX firewall to the ASA firewall. All traffic needs to be reinitiated once it has been migrated to the ASA firewall, plus "clear arp" needs to be issued on all devices which are connected to the ASA interfaces, so they get the new ARP entry with the correct MAC address of the ASA.

In summary, you would need to organise for a down time.

Thanks for the answer, I didn't thought of the ARP entries problem. The broken connections are not a problem.

Well I think I'm going to try and change the arp cache timeout on the servers, to something like 5s.

If I understand your post correctly after all arp caches are cleared, it should work ?

Not just on the servers.  "clear arp" needs to be issued on all adjacent layer 3 devices around the firewall.  Either that or when you are ready turn the PIX off and turn the ASA back on. When the ASA comes up it will send grat arp and all the layer 3 devices will update their arp table.

Read my blog here on proxy arp vs grat arp here : https://supportforums.cisco.com/community/netpro/security/firewall/blog/2010/10/27/asapix-proxy-arp-vs-gratuitous-arp

-KS

Thanks, but that's not my problem after all. I clear all arp caches, it didn't work.

My problem now is something else, I got a lot of frame drops because of "No route to host", which is really strange.

But that's another topic.

Review Cisco Networking for a $25 gift card