ASA5585-X enabling mac-address auto no traffic passing through

runeradil
Level 1

Hello

I have an ASA5585 with multiple contexts. Everything is working fine, but since I am about to gather all the outside interfaces of the different interfaces into one port-channel with subinterfaces, I would like to enable mac-address auto (as it is also recommended by Cisco after 8.6 and a default setting).

But when I do enable mac-address auto, no traffic is passing through my firewall. 

I can do a packet tracer within the ASDM with success (ICMP and HTTP) from the inside to the outside interface in one of the contexts.

I can ping from the CLI to 8.8.8.8.

I can ping from inside to the ASA, and reach it with SSH and ASDM.

I can see a lot of NAT translations.

I cannot reach anything on the outside from inside.

All the security contexts get MAC addresses after enabling mac-address auto (this is intentional).

Does anybody have any clue or something I could look for? Somehow there doesn't seem to be any logging option for the system content on the ASA (is this right?).

Best regards

Rune

2 Replies

Hello Rune,

I hope you are fine. When you enable the mac-address auto command, have you checked the CAM table of the adjacent switches to verify they have the MAC that is generated? Also, have you placed captures on the inside and outside interfaces to verify if the traffic is reaching the firewall?

Best regards,

Kornelia Gutierrez

Hey Kornelia

Thank you for your answer.

I did not try to check the CAM table of the adjacent switch. I will do that next time I have an opportunity to test the setup.

I will also do a Wireshark capture next time for extended information about the traffic.

I just find it strange that it is not working when I have symptoms as described.

Regards

Rune 
