Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
932
Views
0
Helpful
4
Replies

Cisco ASA NAT to Exchange 2010 cluster

davidmalan
Level 1
Level 1

‎02-27-2013 06:26 AM - edited ‎03-11-2019 06:06 PM

We have the following setup on our Cisco ASA version 8.6.1

 

One to one NAT rule from outside to our Exchange 2010 cluster IP address (DAG group). This is working fine for clients

on the internet accessing their emails via Exchange using their phones. The ASA has the MAC address of the active node

from the cluster but when the cluster failover it cache the IP address and are not updating the new MAC when the cluster failover.

 

So users from the outside are unable to connect to the new node from outside the ASA as the MAC address from the passive node

is in the MAC table. The MAC address on all the switches update within 2 seconds on the internal network and users don't notice any outage.

My question is there any setting apart from dropping the cache timeout from the default 4 hours to fix this issue?

Labels:
0 Helpful
4 Replies 4

Jouni Forss
VIP Alumni
VIP Alumni

‎02-27-2013 06:30 AM

Hi,

Ive only had this problem (or rahter a customer) where this seemed to be a constant problem.

I configured the firewall arp timeout to the minimum of 60 seconds and that was the end of it.

"arp timeout 60"

Not sure if its the best way but did fix that particular issue.

- Jouni

0 Helpful

davidmalan
Level 1
Level 1

‎02-28-2013 01:14 PM

Thanks for the info but is there any other settings on the ASA that could resolve this as the network

team is concern about impact on the resources of the ASA to clear the mac table every 60 seconds?

0 Helpful

Jouni Forss
VIP Alumni
VIP Alumni
In response to davidmalan

‎02-28-2013 01:20 PM

Hi,

I cant give you a definitive answer ofcourse but I highly doubt this can cause problems. I would imagine it might become an issue if Cisco had permitted even lower timer value for the ARP timeout.

What model ASA are we talking about? Is it the L3 gateway for every host on the network (with multiple Vlans perhaps)?

Since it has link networks to some core router it naturally doesnt see anything else with ARP other than the next hop per interface.

Even our device doesnt probably give a good comparison as we were using a FWSM Security Context. But again I highly doubt this settings effect on performance unless there is a huge amount of hosts visible to the ASA directly.

- Jouni

0 Helpful

davidmalan
Level 1
Level 1
In response to Jouni Forss

‎02-28-2013 02:29 PM

Hi

It 's the Cisco 5515 model in HA -Active -Standby. Only have 2 vlans and all the hosts have the VRRP address as the gateway set and a default route to the firewall from the Juniper switches.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card