Showing results for 
Search instead for 
Did you mean: 

ASA-5525x traffic behavior question

So I made an unfortunate blunder in my migration plan - letting support lapse prior to project closure. It was an important line item missed when the migration project timeline was extended. That said, I'm having a weird issue that I can't figure out. We have a HA pair of 5525s working perfectly except one small quirk - traffic to the inside interface is blocked, by rule, on the primary but the same traffic CAN hit the secondary inside interface. This traffic is generated by a Qualys scanner combing for vulnerabilities and this is the last piece of the PCI compliance (these are our firewalls for PCI segmentation at the data center level.

I could use some guidance - I know I'm missing something, probably simple, but it's got me rather puzzled at the moment.

2 Replies 2

Richard Burts
Hall of Fame
Hall of Fame

I want to be sure that I am understanding correctly what is going on. You have a pair of 5525 doing HA active/standby. When the primary is active then some traffic from Qualys scanner to the inside interface is blocked. If there is a failover event and the secondary is active then this traffic from Qualys scanner is permitted. That is certainly strange. Where is this traffic coming from? Outside interface? DMZ interface? something else? A starting point in investigating this would be to post the current running config. If there are public IP addresses I suggest that you change the leading octet(s) (10, 172.16, 192.168) depending on class A, class B, class C so that we have some sense of the network relationships.




It doesn't necessarily have to involve a failover event. Even in it's secondary/passive state the inside interface responds to the Qualys scan. Example:

Qaulys Box @ executes a scan targeting CDE segment zones @ The inside interface of the primary/active firewall would be while the standby/secondary is @ passes the scan, all scan attempts blocked. fails the scan, allowing traffic to pass.

Configuration is identical, sync'd properly via HA.

Failing over results in the same issue - still blocks traffic (secondary as active now) while (primary as passive) allows it. All other traffic follows the expected ACL path and is properly processed.

I've attached a sanitized copy of the configuration and a quick (re: ugly) map. Black lines mark the "overall" data paths. Red is blocked traffic, green is (of course) allowed

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: