Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1088
Views
8
Helpful
17
Replies

Same IP redundant server conf. (for outside ntw) in CISCO ASA 8.3

PacMac
Level 1
Level 1

‎04-09-2023 08:07 AM

System Configuration:

SR-A (master) : Server-1 (active-standby mode) | outside | 192.168.0.100 | mac id- aaaa.bbbb.cccc 

SR-B (stand-by) : Server-2 (active standby mode) | outside | 192.168.0.100 | mac id- aabb.ccbb.eeee

ASA-1 : Cisco ASA 5510 firewall | NAT configuration is done for inside-to-outside communication

PC-1 : Client PC (secured) | inside | 172.16.0. 77 | mac id- rrrr.hhhh.iiii

I have successfully created & tested object base NATing from inside to outside for tcp/icmp protocols. I am facing issues in accessing the server from inside network when the server's mode changes i.e. SR-B is master & SR-A is standby or vice-versa.  Since the outside servers are configured in active-standby mode i.e. at a time only one server is in line and another server is in silent mode on the outside network, after server change-over mode occurs the ARP table for new master server is not updated in ASA-1 causing communication loss between PC-1 to current master server.

Can someone help me to resolve this issue? 

Labels:
17 Replies 17

MHM Cisco World
VIP
VIP

‎04-09-2023 08:17 AM

do traceroute and check the last phase, I think the ARP is point to wrong MAC address. 

PacMac
Level 1
Level 1
In response to MHM Cisco World

‎04-09-2023 08:24 AM

Yes you are right! ARP is pointing to wrong mac id i.e. last active master server. After clearing the ARP table the communication is successfully established, but i don't want to manually clear ARP table all the time. Is there any method to clear the ARP table of ASA-1 automatically? 

MHM Cisco World
VIP
VIP
In response to PacMac

‎04-09-2023 08:37 AM - edited ‎04-09-2023 08:37 AM

but any HA work with active/standby must share the same subnet? are you sure the server HA is work fine ?

0 Helpful

PacMac
Level 1
Level 1

‎04-09-2023 09:03 AM

yes! SR-A/B are in same subnet 192.168.0.100/16 and both servers works on some proprietary protocol (like- Siemens Media redundancy protocol [MRP]) in which both servers are connected by a redundancy link via separate ethernet ports. In normal operation, the master server's ethernet link port is active and stand-by server's ethernet link port is blocked by the redundancy protocol. 

MHM Cisco World
VIP
VIP
In response to PacMac

‎04-09-2023 12:42 PM

HA server if I am right meaning the IP + Mac of active server will be use by standby server in case the active failed, 
so there is no change in IP or Mac. 
BUT if above is not correct then 
if the host use the IP of OLD active Server then ASA will use IP-MAC of OLD active server 
if the host use the IP of New active Server then ASA will use IP-MAC of New active server 
issue is 
host use the IP of OLD active and MAC of New active Server, 
are HA Server send G-ARP when failover happened ??

0 Helpful

PacMac
Level 1
Level 1
In response to MHM Cisco World

‎04-09-2023 01:03 PM

No! Servers don't send gratuitous ARP when any failover occurs and the new active server (after master standby changeover) uses old ip + old Mac address.

0 Helpful

MHM Cisco World
VIP
VIP
In response to PacMac

‎04-09-2023 01:08 PM

but you mention that clear ARP in ASA solve issue, so the ASA use OLD Mac and Server use new MAC am I right ?

0 Helpful

PacMac
Level 1
Level 1
In response to MHM Cisco World

‎04-09-2023 01:20 PM

Sorry...my mistake! When any failover occurs on the server side the new active server uses old ip + new Mac id but on ASA side ARP table is still stuck with the old ip+old mac id. After reloading the ASA-1, ARP table updates the ARP table with new detected mac-id and re-established the connections.

0 Helpful

MHM Cisco World
VIP
VIP
In response to PacMac

‎04-09-2023 02:31 PM

This HA issue but anyway we can use EEM 

Sla monitor to ping server from asa when failed we clear arp entry only for this specific ip address not all arp table

I will try run lab and check eem config and share it with you.

Thanks 

MHM

MHM Cisco World
VIP
VIP
In response to MHM Cisco World

‎04-09-2023 03:50 PM

Screenshot (569).png
the EEM to detect UP/Down of OLD Server 
issue I face
EEM in ASA only have even timer or syslog 
the track UP/DOWN dont show any syslog in ASA
so I use workaround 
config static route for OLD server <host> toward Server IP with track 
the ASA send syslog 622001 for add removing this static route which add remove with track status 
I use then this syslog in EEM and action clear arp OUT <specific server ip>

I try this config and it do when adding or removing the static route the ASA clear arp entry for server only. 

hope this help you in solution 
thanks 
MHM 

PacMac
Level 1
Level 1
In response to MHM Cisco World

‎04-10-2023 09:25 AM

Thank you so much @MHM Cisco World for your solution. Actually,  I can use only sla monitor feature but not EEM because my ASA version is 8.3. Can I use arp time-out 60 sec CLI command for my existing configuration? 

0 Helpful

MHM Cisco World
VIP
VIP
In response to PacMac

‎04-10-2023 09:48 AM

This my first idea mind but this will make clear arp for all connection and this will effect all traffic.

Let me check old 8.3 eem issue.

PacMac
Level 1
Level 1
In response to MHM Cisco World

‎04-10-2023 10:22 AM

Can't we use arp time out only for outside interface? Just for your info. we are using CISCO ASA 5510 with IOS image ASA v8.3. can we perform ASA upgrade from v8.3 to v9.2?

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card