04-09-2023 08:07 AM
System Configuration:
SR-A (master) : Server-1 (active-standby mode) | outside | 192.168.0.100 | MAC ID: aaaa.bbbb.cccc
SR-B (standby) : Server-2 (active-standby mode) | outside | 192.168.0.100 | MAC ID: aabb.ccbb.eeee
ASA-1 : Cisco ASA 5510 firewall | NAT configuration is done for inside-to-outside communication
PC-1 : Client PC (secured) | inside | 172.16.0.77 | MAC ID: rrrr.hhhh.iiii
I have successfully created and tested object-based NATing from inside to outside for the TCP/ICMP protocols. I am facing issues in accessing the server from the inside network when the servers' mode changes, i.e. SR-B is master and SR-A is standby or vice versa. Since the outside servers are configured in active-standby mode, i.e. at any time only one server is in line and the other server is in silent mode on the outside network, after a server change-over occurs the ARP table entry for the new master server is not updated in ASA-1, causing communication loss between PC-1 and the current master server.
Can someone help me to resolve this issue?
04-09-2023 08:17 AM
Do a traceroute and check the last hop; I think the ARP entry is pointing to the wrong MAC address.
04-09-2023 08:24 AM
Yes, you are right! ARP is pointing to the wrong MAC ID, i.e. the last active master server. After clearing the ARP table the communication is successfully established, but I don't want to manually clear the ARP table all the time. Is there any method to clear the ARP table of ASA-1 automatically?
04-09-2023 08:37 AM - edited 04-09-2023 08:37 AM
But any HA working in active/standby must share the same subnet. Are you sure the server HA is working fine?
04-09-2023 09:03 AM
Yes! SR-A/B are in the same subnet 192.168.0.100/16 and both servers work on some proprietary protocol (like the Siemens Media Redundancy Protocol [MRP]) in which both servers are connected by a redundancy link via separate Ethernet ports. In normal operation, the master server's Ethernet link port is active and the standby server's Ethernet link port is blocked by the redundancy protocol.
04-09-2023 12:42 PM
HA server, if I am right, means the IP + MAC of the active server will be used by the standby server in case the active fails,
so there is no change in IP or MAC.
BUT if the above is not correct then:
if the host uses the IP of the OLD active server then the ASA will use the IP-MAC of the OLD active server
if the host uses the IP of the New active server then the ASA will use the IP-MAC of the New active server
The issue is
the host uses the IP of the OLD active and the MAC of the New active server.
Does the HA server send a G-ARP when failover happens??
04-09-2023 01:03 PM
No! The servers don't send a gratuitous ARP when any failover occurs, and the new active server (after the master/standby changeover) uses the old IP + old MAC address.
04-09-2023 01:08 PM
But you mentioned that clearing ARP in the ASA solves the issue, so the ASA uses the OLD MAC and the server uses a new MAC, am I right?
04-09-2023 01:20 PM
Sorry... my mistake! When any failover occurs on the server side the new active server uses the old IP + new MAC ID, but on the ASA side the ARP table is still stuck with the old IP + old MAC ID. After reloading ASA-1, the ARP table is updated with the newly detected MAC ID and the connections are re-established.
04-09-2023 02:31 PM
This is an HA issue, but anyway we can use EEM:
an SLA monitor to ping the server from the ASA; when it fails we clear the ARP entry only for this specific IP address, not the whole ARP table.
I will try to run a lab, check the EEM config and share it with you.
Thanks
MHM
04-09-2023 03:50 PM
The EEM detects UP/DOWN of the OLD server.
The issue I faced:
EEM in the ASA only has event timer or event syslog,
and the track UP/DOWN doesn't generate any syslog in the ASA,
so I used a workaround:
configure a static route for the OLD server <host> toward the server IP with a track.
The ASA sends syslog 622001 for adding/removing this static route, which is added/removed with the track status.
I then use this syslog in EEM and the action clears arp OUT <specific server ip>.
I tried this config and it does work: when adding or removing the static route the ASA clears the ARP entry for the server only.
Hope this helps you in the solution.
Thanks
MHM
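The procedure MHM describes above, written out as a complete ASA configuration. This is an added example, not MHM's lab config or the original poster's running config. It assumes the outside interface is named "outside", uses the server address 192.168.0.100 from the thread, and picks arbitrary identifiers (SLA operation 10, track 1, applet name CLEAR-SERVER-ARP) and a 5-second probe interval. Syslog 622001 ("Adding/Removing tracked route") is the real message ID for a tracked static route changing state. The per-host form of clear arp is taken from MHM's report; if a given release rejects the host argument, clear arp outside (interface-wide, dynamic entries only) is the documented fallback. Note that event manager applets exist only from ASA 9.2(1) onward, so this cannot be applied to the 8.3 image in the thread, and the ASA 5510 hardware itself tops out at the 9.1 train; the root cause the applet works around is that the default arp timeout is 14400 seconds, so a stale entry survives for up to four hours unless something refreshes it.

```cisco
! Added example (not MHM's or the OP's config). Assumptions: interface "outside",
! server IP 192.168.0.100 (from the thread), SLA id 10, track id 1,
! applet name CLEAR-SERVER-ARP. Requires ASA 9.2(1) or later for event manager.

! 1. ICMP probe of the server from the outside interface, every 5 seconds.
!    After a failover the probe is still sent to the stale (old master) MAC,
!    whose link is now blocked, so it goes unanswered and the track drops.
sla monitor 10
 type echo protocol ipIcmpEcho 192.168.0.100 interface outside
 num-packets 3
 frequency 5
sla monitor schedule 10 life forever start-time now

! 2. Track object that follows the probe's reachability (up/down).
track 1 rtr 10 reachability

! 3. Dummy /32 route to the server, bound to the track. Its only purpose is
!    to make the ASA log 622001 on every track transition, because a track
!    state change by itself produces no syslog for EEM to match.
route outside 192.168.0.100 255.255.255.255 192.168.0.100 1 track 1

! 4. Syslogs are generated only while logging is enabled.
logging enable

! 5. On 622001, flush only the server's ARP entry. The next packet toward
!    192.168.0.100 re-ARPs and learns whichever server now has its link active.
event manager applet CLEAR-SERVER-ARP
 description Re-ARP the HA server after a tracked-route transition
 event syslog id 622001
 action 1 cli command "clear arp outside 192.168.0.100"
 output none
```

Sequence on a changeover: the probe fails against the stale MAC, track 1 goes down, the dummy route is withdrawn and 622001 is logged, the applet clears the one ARP entry, the ASA re-ARPs and the new master answers, the probe succeeds again, track 1 comes back up, the route is re-added, 622001 fires once more and the (now correct) entry is cleared and relearned. That second clear is harmless. Detection time is governed by frequency and num-packets, so tune them against how long the server pair takes to switch roles; PC-1's existing connections still see a gap of roughly one probe interval.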
04-10-2023 09:25 AM
Thank you so much @MHM Cisco World for your solution. Actually, I can use only the SLA monitor feature but not EEM, because my ASA version is 8.3. Can I use the arp timeout 60 sec CLI command with my existing configuration?
04-10-2023 09:48 AM
This was my first idea, but this will clear ARP for all connections and this will affect all traffic.
Let me check the old 8.3 EEM issue.
04-10-2023 10:22 AM
Can't we use arp timeout only for the outside interface? Just for your info, we are using a Cisco ASA 5510 with an IOS image, ASA v8.3. Can we perform an ASA upgrade from v8.3 to v9.2?
04-12-2023 07:35 AM
This is the upgrade guide you need if you want to upgrade from 8.3 to 9.x.
Also this can help you:
Cisco Secure Firewall ASA Compatibility - Cisco