02-28-2019 01:41 AM - edited 02-21-2020 08:52 AM
Following a recent power outage at a remote site we lost the ability to manage the asa pair through the mgmt vlan 100.
The setup at the site is an active/standby asa pair, connected to 2 x core switches via the mgmt vlan100.
Vlan100 terminates on the core switches with the respective SVI's, 172.16.100.252 & 172.16.100.253.
The cores are running hsrp and the vlan 100 virtual ip is 172.16.100.254.
The static route on the asa used for management was
S 172.16.2.0 255.255.255.192 [1/0] via 172.25.86.254, MANAGEMENT
Since the outage, from either asa it is possible to ping both svi's .252 & .253, but not the virtual IP 172.16.100.254
Therefore as a workaround we changed the static route to
S 172.16.2.0 255.255.255.192 [1/0] via 172.25.86.253, MANAGEMENT
and management was restored.
What I am trying to understand is why we can no longer ping the virtual hsrp ip address 172.25.86.254 directly from the asa. We have other devices on this vlan (i.e. firepower firewalls) and we can ping 172.25.86.254 from these devices, but not the asa's.
We have cleared the arp cache on the core switches and the asa's and we have since failed back the asa's but it still isn't possible to ping the hsrp ip 172.25.86.254 from the asa's.
If I run a debug ip icmp on either core switch I do not see any incoming packets when I issue the 'ping 172.16.100.254' from either asa.
Can anyone please offer any thoughts?
Thank you.
02-28-2019 02:10 AM
My thoughts are that when the power outage happened and power was restored, the ASAs came up online and changed their roles. By that I mean the ASA read its flash memory/config, and whichever was configured as primary or standby, that role was chosen for these boxes.
02-28-2019 02:51 AM
02-28-2019 05:01 AM
I'm wondering if something is going on with the sysopt noproxyarp:
It may have been in place but not saved before the outage.
I would capture the traffic from the ASA when trying the ping filtering on the HSRP virtual address.
03-01-2019 12:20 AM
Hi Marvin
I have disabled proxyarp on the mgmt interface, this has made no difference.
I ran a capture on the arp traffic on the asa, if I am interpreting the output correctly then no response is being received?
432: 07:26:39.422738 00c8.8b16.da73 ffff.ffff.ffff 0x0806 Length: 42
arp who-has 172.25.100.254 tell 172.25.100.8
433: 07:26:44.422738 00c8.8b16.da73 ffff.ffff.ffff 0x0806 Length: 42
arp who-has 172.25.100.254 tell 172.25.100.8
I have run a debug arp on the core switch but I cannot see any arp requests?
Any ideas?
Cheers
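The capture above shows ARP requests for the HSRP virtual address with no reply following them. As an added example (not code from the thread or from Cisco), here is a small Python parser for ASA `show capture` ARP output of the kind pasted above. It pairs `who-has` requests with `is-at` replies, lists the targets that were never answered, and recognises the HSRPv1 virtual MAC (0000.0c07.acXX, where XX is the group number in hex) so you can tell whether a reply for the virtual IP came from the standby group rather than a physical interface. The sample capture is constructed for this example and the `arp reply ... is-at ...` line format is assumed to follow tcpdump conventions.

```python
import re
from collections import Counter

# Constructed sample in the ASA "show capture" format quoted in the thread.
# Two requests for .254 get no reply; a request for .253 is answered.
SAMPLE_CAPTURE = """\
432: 07:26:39.422738 00c8.8b16.da73 ffff.ffff.ffff 0x0806 Length: 42
arp who-has 172.25.100.254 tell 172.25.100.8
433: 07:26:44.422738 00c8.8b16.da73 ffff.ffff.ffff 0x0806 Length: 42
arp who-has 172.25.100.254 tell 172.25.100.8
434: 07:26:49.422738 00c8.8b16.da73 ffff.ffff.ffff 0x0806 Length: 42
arp who-has 172.25.100.253 tell 172.25.100.8
435: 07:26:49.423001 0011.2233.4455 00c8.8b16.da73 0x0806 Length: 60
arp reply 172.25.100.253 is-at 00:11:22:33:44:55
"""

# Packet header line: "<seq>: <time> <src mac> <dst mac> 0x<ethertype> Length: <n>"
HEADER_RE = re.compile(
    r"^(?P<seq>\d+): (?P<ts>\S+) (?P<src_mac>[0-9a-f.]+) (?P<dst_mac>[0-9a-f.]+) "
    r"0x(?P<ethertype>[0-9a-f]+) Length: (?P<length>\d+)$"
)
WHO_HAS_RE = re.compile(r"^arp who-has (?P<target>\S+) tell (?P<sender>\S+)$")
# Reply line format assumed from tcpdump-style output.
IS_AT_RE = re.compile(r"^arp reply (?P<target>\S+) is-at (?P<mac>\S+)$")

# HSRP version 1 virtual MAC prefix; the last octet is the group number.
HSRP_V1_VMAC_PREFIX = "00000c07ac"


def parse_capture(text):
    """Turn capture text into a list of dicts, one per ARP packet."""
    records = []
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    i = 0
    while i < len(lines):
        hdr = HEADER_RE.match(lines[i])
        if not hdr or i + 1 >= len(lines):
            i += 1  # skip anything that is not a header followed by a body line
            continue
        body = lines[i + 1]
        rec = {k: hdr.group(k) for k in ("ts", "src_mac", "dst_mac")}
        rec["seq"] = int(hdr.group("seq"))
        m = WHO_HAS_RE.match(body)
        if m:
            rec.update(kind="request", target=m["target"], sender=m["sender"])
        else:
            m = IS_AT_RE.match(body)
            if m:
                rec.update(kind="reply", target=m["target"], mac=m["mac"])
            else:
                rec.update(kind="other")
        records.append(rec)
        i += 2
    return records


def unanswered_requests(records):
    """Map each target IP that was asked for but never answered to its request count."""
    asked = Counter(r["target"] for r in records if r["kind"] == "request")
    answered = {r["target"] for r in records if r["kind"] == "reply"}
    return {ip: n for ip, n in asked.items() if ip not in answered}


def hsrp_group_from_mac(mac):
    """Return the HSRPv1 group number if mac is a virtual MAC, else None.

    Accepts Cisco dotted (0000.0c07.ac64) or colon (00:00:0c:07:ac:64) notation.
    """
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12 or not digits.startswith(HSRP_V1_VMAC_PREFIX):
        return None
    return int(digits[10:12], 16)


if __name__ == "__main__":
    recs = parse_capture(SAMPLE_CAPTURE)
    for ip, n in unanswered_requests(recs).items():
        print(f"{ip}: {n} ARP request(s), no reply seen")
    for r in recs:
        if r["kind"] == "reply":
            grp = hsrp_group_from_mac(r["mac"])
            tag = f"HSRP group {grp} virtual MAC" if grp is not None else "physical MAC"
            print(f"{r['target']} is-at {r['mac']} ({tag})")
```

Run it against the real capture by replacing `SAMPLE_CAPTURE` with the pasted output; a target that appears only under `unanswered_requests` confirms the request left the ASA without a reply, which is consistent with the core's `debug arp` showing nothing and points at the path between the ASA and the active HSRP switch rather than at the ASA's own ARP table.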
03-01-2019 03:22 AM
Can you give us a more complete network picture?
You mention 172.25.100.254 is what you are trying to reach. Your ASA's source address is 172.25.100.8 per the output you shared.
However in your first post you mentioned 172.25.86.254 as a gateway in your static route. How does that relate to the 172.25.100.x subnet?