05-30-2017 03:42 AM - edited 03-12-2019 02:26 AM
Good morning all,
We are seeing some funny behavior with our ASAs. It's a 5545 and we have numerous static NAT rules set up. The issue seems to be that when the ASA fails over, the internal hosts that have static NAT rules enabled for them lose connectivity. I see the traffic hit the firewall and it gets translated, but no replies come in. If I change the NAT rule to a different outside IP it then works again. On the switch which the outside interface connects to, if I get the ARP cache cleared the NAT rule works again.
Interestingly, the default dynamic NAT entry works fine; it's just affecting the static entries. Proxy ARP is enabled on all static NAT rules.
Any thoughts?
05-30-2017 04:00 PM
I think this just might be a behavior of how the ASA handles Gratuitous ARP for failover. As of today, the ASA only sends a GARP for its own IP address but not the other public IP addresses in the outside range. What happens most of the time is that the next-hop device does not know that the ASAs have switched over and keeps sending the packets to the now-standby ASA. Only when the ARP cache expires does the next-hop router/switch send a request again, which now will be responded to correctly by the active ASA.
The enhancement to fix this is still open from what it looks like:
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCsy85614
Proxy ARP won't help here as the next-hop router never sends an ARP request till the cache expires.
Hope this helps.
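The failure mode described in this answer (next-hop ARP entries for the static NAT public IPs still pointing at the unit that is no longer active) can be checked for directly after a failover. The script below is an added example, not from the thread or from Cisco: it parses a constructed IOS-style `show ip arp` capture from the next-hop router and reports which static NAT IPs are still bound to a MAC other than the active ASA's outside MAC; the IPs, MACs and table contents are all constructed sample values.

```python
import re

# Constructed sample of IOS-style "show ip arp" output, as captured on the
# next-hop router right after an ASA failover (not from the original thread).
SHOW_IP_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  203.0.113.1             0   0050.5686.aa01  ARPA   GigabitEthernet0/1
Internet  203.0.113.10            7   0050.5686.bb02  ARPA   GigabitEthernet0/1
Internet  203.0.113.11           12   0050.5686.bb02  ARPA   GigabitEthernet0/1
Internet  203.0.113.12            -   0050.5686.cc03  ARPA   GigabitEthernet0/1
"""

# Constructed values: public IPs used by the static NAT rules, and the MAC
# the now-active ASA answers from on its outside interface.
STATIC_NAT_IPS = ["203.0.113.10", "203.0.113.11", "203.0.113.20"]
ACTIVE_OUTSIDE_MAC = "0050.5686.aa01"

ARP_LINE = re.compile(
    r"^Internet\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+(?P<age>\S+)\s+"
    r"(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+ARPA",
    re.IGNORECASE,
)

def parse_arp_table(text):
    """Return {ip: mac} from IOS-style 'show ip arp' output, skipping the header."""
    table = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line.strip())
        if m:
            table[m.group("ip")] = m.group("mac").lower()
    return table

def stale_nat_entries(arp_table, nat_ips, active_mac):
    """Static NAT IPs whose next-hop ARP entry points at a MAC other than the
    active ASA's. Traffic to them keeps going to the wrong unit until the
    entry ages out or is cleared, which is the symptom described above."""
    active_mac = active_mac.lower()
    return {ip: mac for ip, mac in arp_table.items()
            if ip in nat_ips and mac != active_mac}

def missing_nat_entries(arp_table, nat_ips):
    """Static NAT IPs with no ARP entry at all; the router will ARP for these
    on demand and the active ASA will answer, so they need no action."""
    return [ip for ip in nat_ips if ip not in arp_table]

if __name__ == "__main__":
    arp = parse_arp_table(SHOW_IP_ARP)
    for ip, mac in sorted(stale_nat_entries(arp, STATIC_NAT_IPS, ACTIVE_OUTSIDE_MAC).items()):
        print(f"STALE    {ip} -> {mac} (active ASA is {ACTIVE_OUTSIDE_MAC}); clear the ARP entry on the next hop")
    for ip in missing_nat_entries(arp, STATIC_NAT_IPS):
        print(f"NO ENTRY {ip}: next hop will ARP on demand, nothing to do")
```

Run against a real capture, the STALE lines are the entries to clear on the next hop (or to watch age out) when the symptom in the original post appears after a failover.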
05-31-2017 02:03 AM
Good morning Rahul,
Thanks for that. I'll keep an eye on that enhancement, as I would have thought that feature would be implemented. Also, I thought the secondary also took on the MAC address and IP assigned to the failed-over unit, so in theory the ARP table would still look okay and just the CAM table would need updating, which the gratuitous ARP would handle.
Thanks