08-16-2013 07:04 AM - edited 03-11-2019 07:26 PM
I have the above setup. ASA is is Active/Standby mode. From the NMS box i am able to ping the managment interface of the primary ASA 10.52.190.1 but from the NMS i am not able to ping the standby ASA's IP 10.52.190.2. From the primary i can ping the standby and from NMS i can also ping the switch (.3).
I added a route on the ASA :-
route management 172.18.9.6 255.255.255.255 10.52.190.1
With that i could ping from NMS box to the standby ASA (.2) (and the switch) but could not ping the primary ASA (.1)
Is there a way i can get (ping) the standby without causing netowork issues?
Solved! Go to Solution.
09-19-2013 01:02 PM
Hello,
Sorry for the late respond, is the issue still happening? If so, please collect the captures but this time with the detail option at the end so we can see the MAC addresses, example:
show cap test detail
Regards,
Juan Lombana
08-16-2013 09:09 AM
Do you have an inside L3 switch or router that also connects the management network? If you do, the easiest way is to put a /32 route on the FW inside interface to go via that device. I believe otherwise the failover cluster gets confused about how to symmetrically route the traffic to/from the VPN to the standby management address as the inbound traffic wants to use the connected management subnet directly.
08-19-2013 01:42 AM
Hi, Thanks for the response. I did try your suggestion but its the same outcome as mentioned in my issue.
08-16-2013 09:13 AM
The same way you can get/ping the primary unit should be the same way to get to the secondary box. Get a capture on teh standby unit in order to verify if the ASa itself receives the packets from the NMS device, capture below:
capture test interface management match icmp host 172.18.9.6 host 10.52.190.2
Once you have the above capture you can try a ping from NMS server and issue the "show cap test" command, you can share the results wiht us.
08-19-2013 01:51 AM
Here you go:
cc-nd4-asa5550# sh capture test
12 packets captured
1: 09:45:48.520786 172.18.25.65 > 10.52.190.2: icmp: echo request
2: 09:45:49.520770 172.18.25.65 > 10.52.190.2: icmp: echo request
3: 09:45:50.520877 172.18.25.65 > 10.52.190.2: icmp: echo request
4: 09:47:42.283096 172.18.25.65 > 10.52.190.2: icmp: echo request
5: 09:47:43.283432 172.18.25.65 > 10.52.190.2: icmp: echo request
6: 09:47:44.283508 172.18.25.65 > 10.52.190.2: icmp: echo request
7: 09:48:19.309035 172.18.25.65 > 10.52.190.2: icmp: echo request
8: 09:48:20.308562 172.18.25.65 > 10.52.190.2: icmp: echo request
9: 09:48:23.725884 172.18.25.65 > 10.52.190.4: icmp: echo request
10: 09:48:23.726387 10.52.190.4 > 172.18.25.65: icmp: echo reply
11: 09:48:24.726952 172.18.25.65 > 10.52.190.4: icmp: echo request
12: 09:48:24.727455 10.52.190.4 > 172.18.25.65: icmp: echo reply
12 packets shown
Note: 172.18.25.65 is the IP of the NMS server and .4 is the switch (not as labeled in the diagram)
08-29-2013 05:41 AM
Hi julomban , can you think of anything that might help me?
09-19-2013 01:02 PM
Hello,
Sorry for the late respond, is the issue still happening? If so, please collect the captures but this time with the detail option at the end so we can see the MAC addresses, example:
show cap test detail
Regards,
Juan Lombana
09-20-2013 03:41 AM
Hi,
Thanks for replying. I clicked on Correct answer by mistake.
See below:
cc-nd4-asa5550# sh cap test detail
7 packets captured
1: 11:40:19.700021 001d.a2af.381f 001d.a2af.380b 0x0800 98: 172.18.25.65 > 10.52.190.2: icmp: echo request (DF) (ttl 62, id 0)
2: 11:40:20.699823 001d.a2af.381f 001d.a2af.380b 0x0800 98: 172.18.25.65 > 10.52.190.2: icmp: echo request (DF) (ttl 62, id 0)
3: 11:40:21.699670 001d.a2af.381f 001d.a2af.380b 0x0800 98: 172.18.25.65 > 10.52.190.2: icmp: echo request (DF) (ttl 62, id 0)
4: 11:40:37.494435 001d.a2af.381f 30f7.0dd2.3b42 0x0800 98: 172.18.25.65 > 10.52.190.4: icmp: echo request (DF) (ttl 62, id 0)
5: 11:40:37.495000 30f7.0dd2.3b42 001d.a2af.381f 0x0800 98: 10.52.190.4 > 172.18.25.65: icmp: echo reply (DF) (ttl 255, id 0)
6: 11:40:38.494633 001d.a2af.381f 30f7.0dd2.3b42 0x0800 98: 172.18.25.65 > 10.52.190.4: icmp: echo request (DF) (ttl 62, id 0)
7: 11:40:38.495442 30f7.0dd2.3b42 001d.a2af.381f 0x0800 98: 10.52.190.4 > 172.18.25.65: icmp: echo reply (DF) (ttl 255, id 0)
7 packets shown
cc-nd4-asa5550#
09-20-2013 04:57 AM
Can you confirm the following MAC address:
001d.a2af.380b
It must be from the standby ASA, I see the echo request from your server and the last packet is a echo reply, it seems like the ASA is responding your request.
Regards,
Juan Lombana
09-23-2013 11:36 AM
Thanks for the respnse.
Yes the MAC is 001d.a2af.380b.
The last response you are refering to is the response from the switch 10.52.190.4 and not the ASA which is .2.
The first 3 are the echo requests destined for the ASA.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide