07-05-2016 11:00 AM - edited 03-12-2019 12:59 AM
Hello
I have an ASA5585 with multiple contexts. Everything is working fine, but since I am about to gather all the outside interfaces of the different interfaces into one port-channel with subinterfaces, I would like to enable mac-address auto (as it is also recommended by Cisco after 8.6 and a default setting).
But when I do enable mac-address auto, no traffic is passing through my firewall.
I can do a packet tracer within the ASDM with success (ICMP and HTTP) from the inside to the outside interface in one of the contexts.
I can ping from the CLI to 8.8.8.8.
I can ping from inside to the ASA, and reach it with SSH and ASDM.
I can see a lot of NAT translations.
I cannot reach anything on the outside from inside.
All the security contexts get MAC addresses after enabling mac-address auto (this is intentional).
Anybody have any clue or something I could look for? Somehow there doesn't seem to be any logging option for the system content on the ASA (is this right?).
Best regards
Rune
07-19-2016 08:49 AM
Hello Rune,
I hope you are fine. When you enable the mac-address auto command, have you checked the CAM table of the adjacent switches to verify they have the MAC that is generated? Also, have you placed captures on the inside and outside interfaces to verify whether the traffic is reaching the firewall?
Best regards,
Kornelia Gutierrez
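An added example, not part of the original posts: a Python sketch of the CAM-table check suggested above, comparing the MAC addresses an ASA context reports in `show interface` with what the adjacent switch lists in `show mac address-table`. The sample outputs, interface names, VLANs and MAC values are constructed for illustration.

```python
import re

# Constructed sample: "show interface" excerpt from one ASA security context
ASA_SHOW_INTERFACE = """\
Interface Port-channel1.100 "outside", is up, line protocol is up
        MAC address a2d2.0400.0007, MTU 1500
Interface Port-channel1.200 "dmz", is up, line protocol is up
        MAC address a2d2.0400.0009, MTU 1500
"""

# Constructed sample: "show mac address-table" excerpt from the adjacent switch
SWITCH_MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 100    a2d2.0400.0007    DYNAMIC     Po10
 200    0050.56a1.0001    DYNAMIC     Gi1/0/5
"""

MAC = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"

def asa_macs(text):
    """Map nameif -> MAC from ASA 'show interface' output."""
    macs, name = {}, None
    for line in text.splitlines():
        m = re.search(r'^Interface \S+ "([^"]+)"', line)
        if m:
            name = m.group(1)
        m = re.search(r"MAC address (" + MAC + ")", line, re.I)
        if m and name:
            macs[name] = m.group(1).lower()
    return macs

def cam_entries(text):
    """Map MAC -> (vlan, port) from switch 'show mac address-table' output."""
    rows = re.findall(r"^\s*(\d+)\s+(" + MAC + r")\s+\S+\s+(\S+)", text, re.M | re.I)
    return {mac.lower(): (int(vlan), port) for vlan, mac, port in rows}

def check(asa_text, switch_text):
    """Return nameif -> (vlan, port) where the switch learned the MAC, else None."""
    cam = cam_entries(switch_text)
    return {name: cam.get(mac) for name, mac in asa_macs(asa_text).items()}

if __name__ == "__main__":
    for name, seen in check(ASA_SHOW_INTERFACE, SWITCH_MAC_TABLE).items():
        print(f"{name}: {'learned on ' + str(seen) if seen else 'NOT in CAM table'}")
```

An interface reported as missing from the CAM table is where a capture on that interface would be the next step.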
08-22-2016 01:04 AM
Hey Kornelia
Thank you for your answer.
I did not try to check the CAM table of the adjacent switch. I will do that next time I have an opportunity to test the setup.
I will also do a Wireshark capture next time for extended information about the traffic.
I just find it strange that it is not working when I have symptoms as described.
Regards
Rune