Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
555
Views
0
Helpful
4
Replies

ASA5510 Active/Standby Primary won't allow dns response

slunney
Level 1
Level 1

‎09-23-2009 04:32 AM - edited ‎03-11-2019 09:18 AM

Our 5510 switched to the standby unit 2 weeks ago, and since then, I have not been able to get the primary back online. The configs are identical line for line however when the primary is put back into service, dns requests from the internl servers are allowed out, but no reponses ever come back to them. When I switch back to the failover unit evreything works. I have flushed router caches, rebooted the dns servers and all connected internal and external routers, and even tried swapping ports and cables, but no luck. Does anyone have any ideas on what I might try next?

Thanks,

Steve...

Labels:
0 Helpful
4 Replies 4

JORGE RODRIGUEZ
Level 10
Level 10

‎09-23-2009 08:09 AM

Steve, very strange issue specially having identical asa configurations - what I would try doing during non-production hours is to bring back your primary fw unit back into active - look at your ASDM real time logs see if you can spot any relevant information for DNS while trying to access internet from a machine.. something should come up in the logs.

Jorge Rodriguez
0 Helpful

slunney
Level 1
Level 1
In response to JORGE RODRIGUEZ

‎09-23-2009 09:09 AM

I have actually done that already, with a packet capture inbound and outbound. I looked at them in Wireshark and the only difference between the working Standby traffic and the non-working Primary traffic is that the dns queries never get a response packet on the Primary. There are no errors being reported in the log. The connection gets created and allowed and then a few minutes later gets torn down. On the Failover unit the response connection is, if not the next packet recieved, only a couple away in log entries. Could the base IOS have gotten corupted somehow? This one has me stumped.

Thanks,

Steve...

0 Helpful

charrellc011699
Level 1
Level 1
In response to slunney

‎09-28-2009 12:46 PM

sounds very ARPy. You have stated that you have cleared router caches, reloaded, etc - where are the DNS servers in relation to the ASA? I think you may have to take packet captures closer to the DNS server, rather than taking captures directly on the ASA - I suspect you will see ARP requests 1) not making it to the primary ASA -or- 2) the primary ASA not responding to ARP requests (for whatever reason).

0 Helpful

slunney
Level 1
Level 1
In response to charrellc011699

‎09-29-2009 02:41 AM

I unpatched and repatched every connection, and shut it all down again and this time it worked when it all came back up. I would have liked to have figured out the cause in case it happens again, but it's working now, so i'm moving on.

Thanks guys.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card