02-27-2013 06:26 AM - edited 03-11-2019 06:06 PM
We have the following setup on our Cisco ASA version 8.6.1.
One-to-one NAT rule from outside to our Exchange 2010 cluster IP address (DAG group). This is working fine for clients
on the internet accessing their emails via Exchange using their phones. The ASA has the MAC address of the active node
from the cluster, but when the cluster fails over it caches the IP address and does not update to the new MAC when the cluster fails over.
So users from the outside are unable to connect to the new node from outside the ASA, as the MAC address of the passive node
is in the MAC table. The MAC address on all the switches updates within 2 seconds on the internal network and users don't notice any outage.
My question is: is there any setting, apart from dropping the cache timeout from the default 4 hours, to fix this issue?
02-27-2013 06:30 AM
Hi,
I've only had this problem (or rather a customer has) where this seemed to be a constant problem.
I configured the firewall ARP timeout to the minimum of 60 seconds and that was the end of it.
"arp timeout 60"
Not sure if it's the best way, but it did fix that particular issue.
- Jouni
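The thread turns on the ASA keeping a stale ARP entry for the DAG IP after a failover until the configured timeout expires. As an added example (not code from either poster or from Cisco), here is a small Python script that parses `show arp` output, compares the cached MAC for the DAG IP against the MAC the internal switches currently report, and shows how long a stale entry would linger under the default 14400-second timeout versus `arp timeout 60`. The `show arp` sample, the IP and MAC values, and the assumption that the last column is the entry age in seconds are all constructed for this example.

```python
import re

# Constructed sample of ASA "show arp" output: interface, IP, MAC, age.
# The layout (one entry per line, age in seconds) is an assumption, not
# output captured from the poster's device.
SAMPLE_SHOW_ARP = """\
inside 10.10.1.50 0050.56aa.0001 7201
inside 10.10.1.51 0050.56aa.0002 13
outside 203.0.113.1 0000.0c9f.f001 4210
"""

# Constructed: MAC the internal switches currently hold for the DAG IP,
# i.e. the node that became active after the failover.
EXPECTED_MACS = {"10.10.1.50": "0050.56aa.0003"}

DEFAULT_ARP_TIMEOUT = 14400  # ASA default of 4 hours, in seconds
MIN_ARP_TIMEOUT = 60         # lowest value the "arp timeout" command accepts

ARP_LINE = re.compile(
    r"^\s*(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+"
    r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\d+)\s*$",
    re.IGNORECASE,
)


def parse_show_arp(text):
    """Parse "show arp" lines into {ip: {interface, mac, age}}; unknown lines are skipped."""
    entries = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if not m:
            continue
        iface, ip, mac, age = m.groups()
        entries[ip] = {"interface": iface, "mac": mac.lower(), "age": int(age)}
    return entries


def stale_entries(entries, expected, arp_timeout=DEFAULT_ARP_TIMEOUT):
    """Return ARP entries whose cached MAC differs from the expected MAC.

    expires_in is the time (seconds) until the entry reaches arp_timeout,
    assuming the age column counts from when the entry was learned; 0 means
    the firewall is already due to re-resolve it.
    """
    stale = []
    for ip, want in expected.items():
        entry = entries.get(ip)
        if entry is None or entry["mac"] == want.lower():
            continue
        stale.append({
            "ip": ip,
            "interface": entry["interface"],
            "cached": entry["mac"],
            "expected": want.lower(),
            "expires_in": max(arp_timeout - entry["age"], 0),
        })
    return stale


def report(show_arp_text, expected):
    """Print stale entries once per timeout value so the two can be compared."""
    entries = parse_show_arp(show_arp_text)
    for timeout in (DEFAULT_ARP_TIMEOUT, MIN_ARP_TIMEOUT):
        for s in stale_entries(entries, expected, timeout):
            print(f"arp timeout {timeout}: {s['interface']} {s['ip']} cached "
                  f"{s['cached']} but switches report {s['expected']}; "
                  f"stale for up to {s['expires_in']}s more")


if __name__ == "__main__":
    report(SAMPLE_SHOW_ARP, EXPECTED_MACS)
```

Run against real output by piping `show arp` from the ASA into `parse_show_arp` and filling `EXPECTED_MACS` from the switches' MAC tables; a non-empty result for the DAG IP is the condition the thread describes, and the `expires_in` column makes the difference between the 4-hour default and `arp timeout 60` concrete.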
02-28-2013 01:14 PM
Thanks for the info, but are there any other settings on the ASA that could resolve this, as the network
team is concerned about the impact on the resources of the ASA of clearing the MAC table every 60 seconds?
02-28-2013 01:20 PM
Hi,
I can't give you a definitive answer of course, but I highly doubt this can cause problems. I would imagine it might become an issue if Cisco had permitted an even lower timer value for the ARP timeout.
What model ASA are we talking about? Is it the L3 gateway for every host on the network (with multiple VLANs perhaps)?
Since it has link networks to some core router, it naturally doesn't see anything else with ARP other than the next hop per interface.
Even our device doesn't probably give a good comparison, as we were using a FWSM Security Context. But again, I highly doubt this setting's effect on performance unless there is a huge amount of hosts visible to the ASA directly.
- Jouni
02-28-2013 02:29 PM
Hi
It's the Cisco 5515 model in HA Active/Standby. We only have 2 VLANs, and all the hosts have the VRRP address set as the gateway and a default route to the firewall from the Juniper switches.