Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
693
Views
0
Helpful
3
Replies

Strange problem with Catalyst 4506 and ASA 5545-X

Emrecan Ural
Level 1
Level 1

‎02-03-2013 12:17 PM - edited ‎03-04-2019 06:55 PM

Hi,

We have a Catalyst 4506 backbone switch with multiple VLANs configured on it. The switch is the default gateway on the network and it does the routing. Default gateway of the backbone switch is a PIX 515E firewall which is connected directly to it. The switch port connected to the PIX firewall is in access mode and it's a member of a VLAN (This VLAN is used for servers in our network).

When we change PIX with ASA 5545-X firewall, all the nodes in the server VLAN stops communicating with each other. When we try to ping a server from another server, first ICMP packet times out but the rest of them travels fine. This behavior can also be observed on the switch such as when we try to ping a server from the switch, the first ICMP packet times out. If we start another ping sequence right after this, every ICMP packet travels fine. But if we wait for approx. 1 minute, the same problem happens again.

We also observe the traffic between the servers, on the ASA monitor, which basically shouldn't be there. For example packets going from server A to server B can be seen on the ASA monitor, but their gateway is the backbone switch.

Any help will be greatly appreciated. You can find the configuration details below. Thanks.

Cisco WS-C4506

!

interface GigabitEthernet3/16

description Firewall

switchport access vlan 63

switchport mode access

!

interface Vlan63

ip address X.X.X.X 255.255.255.0

!

ip route 0.0.0.0 0.0.0.0 X.X.X.Y

!

Cisco PIX 515E

!

interface Ethernet1

nameif inside

security-level 100

ip address X.X.X.Y 255.255.255.0

ospf cost 10

!

Cisco ASA 5545-X

!

interface GigabitEthernet0/1

nameif inside

security-level 100

ip address X.X.X.Y 255.255.255.0

!

Labels:
0 Helpful
3 Replies 3

tobyarnett
Level 1
Level 1

‎02-03-2013 03:09 PM

Obvious questions first you didn't lose any routes when you migrated to your asa? All your static statements are in place? Your servers default gateway is the switch not your asa?

Toby

Sent from Cisco Technical Support Android App

-Toby


Please don't forget to rate any helpful post.

_____________________________________
There are no great limits to growth because there are no limits of human intelligence, imagination, and wonder.
- Ronald Reagan
0 Helpful

Emrecan Ural
Level 1
Level 1
In response to tobyarnett

‎02-03-2013 11:17 PM

Oh yes, I defined every route that was in PIX to ASA. And the static routes on the backbone switch stayed the same. All of the servers' default gateway is our backbone switch.

The strange thing is that I don't see the traffic between the servers on the PIX monitor. But when I connect ASA, traffic between the servers is visible.

Any suggestions?

0 Helpful

jj27
Spotlight
Spotlight

‎02-04-2013 01:56 PM

Try this command: sysopt noproxyarp inside

The ASA may be handling ARP requests for all traffic on the servers.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card