cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

1037
Views
0
Helpful
2
Replies
Highlighted

Cisco ASA Failover

Good morning all,

we are seeing some funny behavior with our ASA's. Its a 5545 and we have numerous static NAT rules setup. the issue seems to be that when the ASA fails over the internal hosts that have the static NAT rules enabled for lose connectivity. I see the traffic hit the firewall and it gets translated but no replied come in. If i change the NAT rule for a different outside IP it then works again. on the switch which the outside interface connects to if i get the arp cache cleared the NAT rule works again.

interestingly, the default dynamic NAT entry works fine its just affecting the static entries.  proxy-arp is enabled on all static NAT rules

any thoughts?

1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted
VIP Advocate

I think this just might be a behavior of how the ASA handles Gratuitous ARP for Failover. As of today, the ASA only sends a GARP for its own ip address but not the other public ip address in the outside range. What happens most of the time is that the next hop device does not know that the ASA's have switched over and keeps sending the packets to the now standby ASA. Only when the arp cache expires, does the next-hop router/switch send a request again, which now will be responded correctly by the active ASA.

The enhancement to fix this is still open from what it looks like:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCsy85614

Proxy-ARP wont help here as the next-hop router never sends an ARP request till the cache expires. 

Hope this helps.

View solution in original post

2 REPLIES 2
Highlighted
VIP Advocate

I think this just might be a behavior of how the ASA handles Gratuitous ARP for Failover. As of today, the ASA only sends a GARP for its own ip address but not the other public ip address in the outside range. What happens most of the time is that the next hop device does not know that the ASA's have switched over and keeps sending the packets to the now standby ASA. Only when the arp cache expires, does the next-hop router/switch send a request again, which now will be responded correctly by the active ASA.

The enhancement to fix this is still open from what it looks like:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCsy85614

Proxy-ARP wont help here as the next-hop router never sends an ARP request till the cache expires. 

Hope this helps.

View solution in original post

Highlighted

Good morning Rahul,

Thanks for that. ill keep an eye on that enhancement as I would thought that feature would be implemented. also, it thought the secondary also took on the MAC address and IP assigned to the failed over unit so in theory the ARP-Table would still look okay and just the CAM table would need updating which the gratuitous ARP would handle

Thanks

Content for Community-Ad