
Packet treatment by asa

olympicair (Level 1)

Hi

I have the following question.

I have a 5525-X and, in one DMZ, a couple of ISA servers with load balancing in unicast mode (which means that both ISA servers have the same MAC).

When another machine (in the same DMZ) tries to send a packet destined to an ISA server, the packet is flooded on the local switch.

The ASA receives the packet and sends a RST back.

Is this the normal behavior? How does the ASA handle packets that

How does the ASA treat packets that arrive on its interface when the packet is not destined for, and does not need to go through, the ASA?

Thanks

Apostolos

9 Replies

Julio Carvajal (VIP Alumni)

Hello Apostolos,

By default the ASA will deny traffic that comes in on interface "X" and needs to go back out that same interface "X", a sort of split-horizon rule that you can override using the same-security-traffic permit intra-interface command.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Julio, I don't think the ASA sends a RST if same-security-traffic is not enabled; I think it just silently drops the packet.

Since both the machine and the ISA server are on the same subnet, the ASA should not interfere with the traffic (assuming the ASA is in routed mode, not transparent)...

Are you matching an ASA inspection policy that has reset as its action?

Are you running IPS in promiscuous mode and using TCP resets? You might be matching one of the IPS signatures...

Patrick

Hello Patrick,

I agree with you; traffic on the same LAN should never reach the default gateway, as this is LAN-only traffic...

And I also agree that not having the same-security-traffic command will not generate a reset... In fact, in the ASP captures on the ASA we would see an ACL drop for that.

The client or server machines will never know about that....

Now, what confuses me is the following statement:

"the packet is flooded on the local switch. The ASA receives the packet and sends a RST back."

What do you mean, Apostolos, by "the packet is flooded on the local switch"?

The only way that this could happen would be if the packet is a broadcast/multicast (without CGMP/IGMP snooping) or an unknown unicast packet, so I would ask for more information on this.

Regards

Julio Carvajal

Hello jcarvaja and Patrick,

Thanks for your answers.

The ISA servers are using the same MAC address.

From the ASA:

    ciscoasa/act# sh arp | i airisa
            PARTNERS airisa1 02bf.0a3c.046e 67
            PARTNERS airisa2 02bf.0a3c.046e 515

From the 6509:

    Koropi_6509#sh mac address-table dynamic address 02bf.0a3c.046e
    Legend: * - primary entry
            age - seconds since last seen
            n/a - not available
      vlan   mac address     type    learn     age              ports
    ------+----------------+--------+-----+----------+--------------------------
    No entries present.

Since there is no entry for this MAC, I suppose the switch "floods" the packet, and then the ASA receives the packets and sends back a RST to the originating server.

As you already mentioned the same-security-traffic command is not configured on ASA.

Regarding the inspection policy that Patrick mentioned: there is an inspection policy (IPS in promiscuous mode), but it is not applied to this interface.

What I don't understand is why the ASA is replying to a packet that is not destined for the ASA (different destination MAC/IP).

Is this normal??

Regards

Apostolos
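As an added example (not part of the thread and not from any of the posters), the script below parses the two outputs Apostolos pasted, the ASA's "show arp" and the switch's "show mac address-table", and flags the two symptoms discussed in this thread: several hosts resolving to one MAC, and a MAC the switch has never learned, so that unicast frames to it are flooded on the VLAN. The sample outputs embedded in it are constructed on the pattern of the ones posted (the two extra hosts, their IPs and the VLAN numbers are invented). The prefix decode assumes the Microsoft NLB unicast-mode MAC convention, 02-BF followed by the four octets of the cluster IP, which is exactly the shape of the 02bf.0a3c.046e address in the thread.

```python
import re
from collections import defaultdict

# Constructed sample output modelled on the thread: two ISA hosts share one
# MAC in the ASA ARP table, and the switch has no CAM entry for that MAC.
# The extra hosts, IPs and VLANs below are invented for illustration.
ASA_SHOW_ARP = """\
        PARTNERS airisa1 02bf.0a3c.046e 67
        PARTNERS airisa2 02bf.0a3c.046e 515
        PARTNERS 10.60.4.50 0050.56aa.0001 12
        inside 10.0.0.5 0050.56aa.0002 3
"""

SWITCH_MAC_TABLE = """\
Legend: * - primary entry
        age - seconds since last seen
        n/a - not available
  vlan   mac address     type    learn     age              ports
------+----------------+--------+-----+----------+--------------------------
*   10  0050.56aa.0001   dynamic  Yes        5   Gi1/1
*   20  0050.56aa.0002   dynamic  Yes        8   Gi1/2
"""

MAC = r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}"
# ASA 'show arp' line: <interface> <host-or-ip> <mac> <age>
ARP_LINE = re.compile(rf"^\s*(\S+)\s+(\S+)\s+({MAC})\s+(\d+)\s*$", re.I)
MAC_IN_LINE = re.compile(MAC, re.I)


def parse_asa_arp(text):
    """Map each MAC in ASA 'show arp' output to the (interface, host) pairs that use it."""
    by_mac = defaultdict(list)
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if m:
            iface, host, mac, _age = m.groups()
            by_mac[mac.lower()].append((iface, host))
    return dict(by_mac)


def parse_switch_cam(text):
    """Return the set of MACs present in 'show mac address-table' output.

    Header lines contain no dotted MAC, so they are skipped naturally; a query
    that prints 'No entries present.' yields an empty set.
    """
    learned = set()
    for line in text.splitlines():
        m = MAC_IN_LINE.search(line)
        if m:
            learned.add(m.group(0).lower())
    return learned


def nlb_cluster_ip(mac):
    """Decode the cluster IP from a unicast-mode NLB MAC (02-bf-w-x-y-z).

    Assumes the Microsoft NLB unicast convention; returns None for any other MAC.
    """
    digits = mac.replace(".", "").replace(":", "").replace("-", "").lower()
    if len(digits) != 12 or not digits.startswith("02bf"):
        return None
    return ".".join(str(int(digits[i:i + 2], 16)) for i in range(4, 12, 2))


def analyse(arp_text, cam_text):
    """Flag MACs shared by several hosts and MACs the switch cannot forward without flooding."""
    arp = parse_asa_arp(arp_text)
    cam = parse_switch_cam(cam_text)
    shared = {mac: hosts for mac, hosts in arp.items() if len(hosts) > 1}
    flooded = sorted(mac for mac in arp if mac not in cam)
    return {"shared": shared, "flooded": flooded}


if __name__ == "__main__":
    report = analyse(ASA_SHOW_ARP, SWITCH_MAC_TABLE)
    for mac, hosts in report["shared"].items():
        names = [host for _iface, host in hosts]
        print(f"{mac} shared by {names}; NLB unicast cluster IP: {nlb_cluster_ip(mac)}")
    for mac in report["flooded"]:
        print(f"{mac} has no CAM entry: unicast to it is flooded on the VLAN")
```

On the thread's data this reports that airisa1 and airisa2 share 02bf.0a3c.046e, that the MAC decodes to a cluster IP under the NLB unicast convention, and that the switch has no entry for it, which is the unknown-unicast flooding Apostolos and Julio describe. Feed it the real outputs of both commands rather than the constructed samples to run the same check on your own DMZ.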

"Since there is no entry for this MAC, I suppose the switch "floods" the packet, and then the ASA receives the packets and sends back a RST to the originating server."

I agree with you: this will be an unknown unicast packet, so it will be flooded across the switch ports on the same VLAN.

"What I don't understand is why the ASA is replying to a packet that is not destined for the ASA (different destination MAC/IP). Is this normal??"

We will need to check the NAT statements you have there, because I am almost sure there must be a NAT statement that creates a proxy-ARP rule for this traffic; for me that would be the only explanation (at least with the information provided so far).

My real question would be, why is the switch not learning the MAC address of those ISA servers?

Regards,

Julio


malshbou (Level 1)

I believe that the packet for which the ASA sent the RST has a destination MAC of the ASA; otherwise it would get dropped at layer 2.

Would you please post the ASA config and get captures that show the flooded packet and the RST packets at the ASA?

   capture cap interface

   show capture cap detail

I guess the switch behaviour of not learning the MAC is normal, as it cannot learn the same MAC on two ports; probably the MAC entry keeps flapping, hence it does not appear in the CAM table.

------------------
Mashal Alshboul


Hello Mashal,

"I guess the switch behaviour of not learning the MAC is normal, as it cannot learn the same MAC on two ports; probably the MAC entry keeps flapping, hence it does not appear in the CAM table."

In these particular scenarios we rely on Network Load Balancing... This allows the ISA servers to masquerade the cluster MAC address in such a way that each member of the ISA cluster will have a dedicated MAC address.

For further information, check:

http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_example09186a0080a07203.shtml

Regards

Julio


Hi Julio,

Will this LB setup normally lead to two MAC addresses being forwarded from different switch ports?

The ASA seems to be seeing the same MAC address via the switch:

    ciscoasa/act# sh arp | i airisa
            PARTNERS airisa1 02bf.0a3c.046e 67
            PARTNERS airisa2 02bf.0a3c.046e 515

------------------
Mashal Alshboul


Hello Mashal,

Exactly, pointing to an issue in the deployment.

Julio Carvajal