Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1799
Views
0
Helpful
2
Replies

ASA Cluster Transparent Mode Dst MAC L2 Lookup Failed

Eugen Bitca
Level 1
Level 1

‎10-27-2018 10:25 AM - edited ‎02-21-2020 08:24 AM

Hello,

 

Cluster Transparent Mode (2 units), only 1-2 flows to the same destination host are successful, all others fail.

If I remove a unit from cluster (anyone), everything is OK.

When I add a unit to the cluster, cluster is OK and healthy, but only 1-2 connections are OK.


Logs on firewall show a lot of connection with unknown destination:

Oct 27 2018 19:45:03 DRC-FW3 : %ASA-6-302023: Teardown stub TCP connection for inside324:10.44.32.201/80 to unknown:172.22.4.230/50814 duration 0:00:00 forwarded bytes 0 Forwarding or redirect flow removed to create director or backup flow

 

Also from asp show command I have a lot of: "Destination MAC L2 Lookup Failed"

What might be the problem with the cluster?

 

Thank you

Labels:
0 Helpful
2 Replies 2

balaji.bandi
Hall of Fame
Hall of Fame

‎10-27-2018 02:43 PM

if possible post both the ASA configuration and also output of below commands :

 

what is the the models of both the units.

show version
show arp-inspection
show mac-address-table

 

do you have any network topology ?

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

Eugen Bitca
Level 1
Level 1
In response to balaji.bandi

‎10-27-2018 10:06 PM

Hello,

 

DRC-FW3/DRCFW-3(config)# cluster exec show version | i Version
DRCFW-3(LOCAL):*******************************************************
Cisco Adaptive Security Appliance Software Version 9.8(3)14
Firepower Extensible Operating System Version 2.2(2.107)
Device Manager Version 7.7(1)151
Baseboard Management Controller (revision 0x1) Firmware Version: 2.4

DRCFW-4:**************************************************************
Cisco Adaptive Security Appliance Software Version 9.8(3)14
Firepower Extensible Operating System Version 2.2(2.107)
Device Manager Version 7.7(1)151
Baseboard Management Controller (revision 0x1) Firmware Version: 2.4
DRC-FW3/DRCFW-3(config)#

DRC-FW3/DRCFW-3(config)# sh arp-inspection
interface                arp-inspection         miss
----------------------------------------------------
mgmt                     disabled                -
outside124            disabled                -
inside324              disabled                -

DRC-FW3/DRCFW-3(config)#  sh arp
        outside124 10.44.32.2 188b.9da8.407f     207        //SVI on Core-S3
        outside124 10.44.32.3 188b.9da8.3f7f     6080        //SVI on COre-S4
        inside324 10.44.32.201 00c0.b7ff.0899     515        //Testing Host
        cluster 10.150.255.18 188b.9d1a.f650     10838

DRC-FW3/DRCFW-3(config)# show mac-address-table
interface                  mac  address          type       Age(min)    bridge-group
----------------------------------------------------------------------------------------------------
outside124                 188b.9da8.3f7f        dynamic      4           1
outside124                 188b.9da8.407f        dynamic      5           1
inside324                  00c0.b7ff.0899        dynamic      3           1
DRC-FW3/DRCFW-3(config)#  

Thank you

Preview file
4 KB
Preview file
87 KB
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card