I have this weird issue with an ASA firewall that appears to be bridging a server's mac address into the other vlan that is enabled in the context.

the asa is 20 gig connected via port-channel to a nexus 7010. The Vcs server i have that is running through this is having its h323 outbound calls break whenever the TCP h245 media negotiation occurs. the 3-way handshake does not complete.

This appeared to break when we added another set of vlans in the context. It appears the ASA is bridging the TCP connection (and only this tcp connection) to the other vlan. Does anyone have any idea why this is the behavior?

On the nexus 7k the mac table will normally look like this:

* 422      0010.f321.8eb4    dynamic   0          F    F  Po112 (before fw)

* 522      0010.f321.8eb4    dynamic   0          F    F  Po99 (after fw)

this is nice and stable.....However when this call attempt is made this happens:

* 422 0010.f321.8eb4 dynamic 0 F F Po112
* 430 0010.f321.8eb4 dynamic 210 F F Po112
* 522 0010.f321.8eb4 dynamic 0 F F Po99

the vlan 430 entry immediately starts to age out.... until another call attempt is made.

I've looked at the ASA config(not an ASA expert), and the switch configuration and i have seen no mis-configuration that would cause something like this.

The show conn on the ASA during the call:

TCP outside430: y.y.y.y/15373(destination) (y.y.y.y/15373) inside522: x.x.x.x(source)/15031 (x.x.x.x/15031), flags saA , idle 0s, uptime 9s, timeout 30s, bytes 0 This is the broken TCP connection
TCP outside430: y.y.y.y/15373 (y.y.y.y/15373) inside522: 267.x.1.20/0 (x.x.x.x/0), flags i , idle 9s, uptime 9s, timeout -, bytes 0
TCP outside422: y.y.y.y/1720 (y.y.y.y/1720) inside522: 267.x.1.20/15030 (x.x.x.x/15030), flags UIOh , idle 0s, uptime 12s, timeout 1h0m, bytes 3095
UDP outside422: y.y.y.y/1719 (y.y.y.y/1719) inside522: x.x.x.x/1719 (x.x.x.x/1719), flags H , idle 13s, uptime 12m35s, timeout 5m0s, bytes 2740