Solved: Re: ASA HA Secondary not participating in ARP

Chad Parish · ‎05-25-2018

When I ping my HA secondary ASA from my core, which is our gateway, I get ping rsponces not from that ASA but from our other core switch.

(NOTE, both cores use HSRP with a standby IP 10.7.150.1)

CORE02# ping 10.7.150.7

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.7.150.7, timeout is 2 seconds:

Reply to request 0 from core03.magnetar.com (10.7.150.3), 1 ms

Reply to request 1 from core03.magnetar.com (10.7.150.3), 1 ms

Reply to request 2 from core03.magnetar.com (10.7.150.3), 1 ms

Reply to request 3 from core03.magnetar.com (10.7.150.3), 1 ms

Reply to request 4 from core03.magnetar.com (10.7.150.3), 12 ms

10.7.150.3 being CORE03

When I do the same ping from CORE03, I get a reply from CORE02

CORE03#ping 10.7.150.7

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.7.150.7, timeout is 2 seconds:

Reply to request 0 from core02.magnetar.com (10.7.150.2), 4 ms

Reply to request 1 from core02.magnetar.com (10.7.150.2), 4 ms

Reply to request 2 from core02.magnetar.com (10.7.150.2), 1 ms

Reply to request 3 from core02.magnetar.com (10.7.150.2), 1 ms

Reply to request 4 from core02.magnetar.com (10.7.150.2), 1 ms

When I go into the cores, I see an arp entry for my Active ASA but not my secondary.

Can anyone explain this, as at my other sites, I can see arp entries at the core switches for both active and secondary ASA's and pings to the secondary ASA are not replied to by the other core switch.

Philip D'Ath · ‎05-25-2018

Are you by chance using a /29 (255.255.255.248) subnet mask? If so, 10.7.150.7 would be the subnet broadcast address causing all devices to respond. The core switches are probably just faster at responding if this is the case.

View solution in original post

Philip D'Ath · ‎05-25-2018

Are you by chance using a /29 (255.255.255.248) subnet mask? If so, 10.7.150.7 would be the subnet broadcast address causing all devices to respond. The core switches are probably just faster at responding if this is the case.

Chad Parish · ‎05-25-2018

Nope, it's a /24 subnet.

Chad Parish · ‎05-29-2018

I think I found the issue, and you were on the right track. The ASA interfaces are in a /24 subnet but the core SVI interfaces are on a /29 and thus see the Secondary IP as a broadcast IP. I just need to change the SVI subnets on the cores to be a /24.

GRANT3779 · ‎05-25-2018

Can you ping secondary asa addresses from the primary asa?

Is this an active / standby setup?

Chad Parish · ‎05-29-2018

Yes, the ASA's are able to correctly ping one another. I am thinking the issue is not on the ASA's but may have something to do with the HSRP configuration on the cores. We have the cores configured for CORE02 to be the primary for even vlans and CORE03 is active for odd vlans.

paul driver · ‎05-26-2018

Hello

when you ping from the cores what is the default source interface its using?

Do the FWs know how to or are they allowed reply to it

res

Paul

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Chad Parish · ‎05-29-2018

The cores ping from their management SVI interface. Both firewalls show a route to that SVI as a directly connected route (each core goes to one of the ASA's but the SVI is on both cores so both ASA's see it directly connected. We are not filtering traffic to and from the inside interfaces of the ASA's.