HSRP and Cisco ASA

jickly · ‎09-04-2018

Hello at all,

I have two switches Cisco C3560 (Model: WS-C3560-8PC, Software version: 12.2(35)SE5, Software Image: C3560-IPBASE-M) and one Cisco ASA 5505.

All three devices are in vlan 1 with these ip configuration:

Cisco ASA: 192.168.254.254/24

SW1: 192.168.254.211/24

SW2: 192.168.254.212/24

HSRP IP: 192.168.254.1/24 (Gateway of network with default route to Cisco ASA 192.168.254.254)

On SW01 and SW02 I have a MST instance with all VLAN 1-4094.

The connections between the devices are as follows:

If I reload SW01 spanning tree and HSRP work correctly and all work, but when SW01 comes back I can't go to the internet. SW01 has a higher priority in the HSRP and returns to Active on HSRP correctly, the spanning tree correctly blocks the Eth1 port on SW02 because SW01 is root for MST instance.
In this situation I can ping all devices because I'm in same network, in Eth1 on SW01 I can see mac address of Cisco ASA and I can ping Cisco ASA from any devices but on SW01 does not appear ARP for Cisco ASA. All ping requests to 8.8.8.8 sent to the default gateway (192.168.254.1) do not reach the Cisco ASA.

It seems that HSRP does not route packets, but if I try to ping Cisco ASA (192.168.254.254) from SW01 the first ping is not successful but then it populates the ARP on SW01 and everything returns to work perfectly.

On Cisco ASA I have disable proxy ARP on inside interface and in this situation I can see ARP entry for HSRP 192.168.254.1 and mac address of HSRP IP is present on Eth1 of Cisco ASA and it's correct.

On SW02 I can see mac address of Cisco ASA and mac address of HSRP IP on Eth10 but I can't see ARP for HSRP IP 192.168.254.1

In all my test I was plugged on SW02 on a port on VLAN 1.

Can you help me to understand what's wrong please?

pieterh · ‎09-06-2018

did you configure the switch with hsrp on the ports eth1 ? or on a vlan?

if on eth1, then hsrp does not work!!!!!

both interfaces eth1 must be connected somehow and see each other to exchange hsrp information

jickly · ‎09-06-2018

HSRP is configured on vlan 1 interface on each SW.

With "show standby" command I can see that SW01 is Active and SW02 is standby, and if I show logging I can't see error for HSRP.

I can write more if necessary, show commands or running config...

pieterh · ‎09-06-2018

look at this post

In router mode BPDU's will not pass anyway as it's Layer 3, in transparent mode BPDU's will pass.

jickly · ‎09-06-2018

but are you referring to the configuration of the ASA firewall or to the configuration of the switch?

pieterh · ‎09-06-2018

yes I was referring to the ASA's configuration.

but I looked again at your question, and think what you try to achieve is not supported.

you can connect the asa with an etherchannel to two physical switches ONLY if those switches form a virtual switch, like a VSS or a switch-stack.

in both these options HSRP is not necessary as the virtual switch already has a single IP.

jickly · ‎09-06-2018

The old ASA 5505 firewall model uses switch ports and vlan interfaces, and the Eth1 and Eth2 ports on the firewall are switch ports on the same VLAN.
If I disable the Eth10 ports on the two switches they are seen and speak correctly through the Eth1 and Eth2 switch ports of the ASA firewall.
With the new ASA firewalls you can not actually do this configuration, with the old model I think is possible.

pieterh · ‎09-06-2018

does this information help?

interface Eth1

switchport backup interface Eth2

switchport backup interface Eth2 preemption mode forced