1097 Views | 0 Helpful | 1 Replies

In ASA Active and Standby Firewall - Showing Packet drop in Active FW and Packet allowed in Standby FW

shahulreg
Level 1

Hi,

I am facing an issue where we have an Active/Standby Failover setup (ASA 5555), as follows:

1. Active Firewall IP: 10.x.x.254
2. Standby Firewall IP: 10.x.x.253
For this, the common IP for managing the FW is: 10.x.x.1

Rule:
A user informed us that he is not able to access the site (http://nfc-tools.org).

For that, the rule allowed in the ASA is as below:
access-list inside_access_in line 30 extended permit object-group TCPUDP any host 37.44.12.83 eq www

whereas the inside_access_in group contains the IPs of all 10.x.x.x, where I have permitted both TCP & UDP in the object-group TCPUDP to access the host nfc-tools.org (i.e. 37.44.12.83) eq www.

When I click Packet Capture, I am able to see the packet is ALLOWED if I log in via the ASA with IP 10.x.x.254:

          Source: 10.x.x.254    Destination: 37.44.12.83 with Port 80

Able to see that the rules were allowed.

The same rules are copied to the other firewall also.

But when we see the Packet Capture for this:

          Source: 10.x.x.253    Destination: 37.44.12.83 with Port 80

Able to see the packet is dropped.

In ASDM it is asking for:

Input Interface?

Output interface: Outside is OK.

Once it is in Failover, there is no need to configure it again in another switch, so why are we using this Failover?

Can anyone comment on why this behavior is like this & what to do to see both packets allowed in the Standby as well as the Primary FW?

Thanks.

1 Reply

Hi Shahulreg,

1) Can you please check the status of failover between the firewalls? Please post the output of the following commands:
show failover
show failover history

2) What is the IP address of the user who is trying to access http://nfc-tools.org link?

3) Is only a single user facing this issue, or are all the users within the LAN facing this issue?

4) If the firewalls are in an Active/Standby setup then there is no need to do configuration on the standby firewall; the configuration will automatically sync from Active to Standby.

Spooster IT Services Team
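Added example (not code from the thread or from Cisco): a small Python check that parses the kind of `show failover` output the reply asks for in step 1 and reports why a pair is not a healthy Active / Standby Ready pair. The sample output, its addresses and version strings are constructed, and the field layout is an assumption based on typical ASA output, so adjust the regular expressions if your unit prints differently.

```python
import re
# Constructed sample of `show failover` output; the layout is assumed from typical ASA output
SAMPLE_SHOW_FAILOVER = """\
Failover On
Version: Ours 9.1(2), Mate 9.1(2)
        This host: Primary - Active
                  Interface inside (10.0.0.1): Normal (Monitored)
                  Interface outside (203.0.113.1): Normal (Monitored)
        Other host: Secondary - Standby Ready
                  Interface inside (10.0.0.2): Normal (Monitored)
                  Interface outside (203.0.113.2): Failed (Monitored)
"""
HOST_RE = re.compile(r"^\s*(This|Other) host:\s+(\w+) - (.+?)\s*$")
IFACE_RE = re.compile(r"^\s*Interface (\S+) \([^)]*\): (.+?)(?: \(\w+\))?\s*$")
VERSION_RE = re.compile(r"^Version: Ours (\S+), Mate (\S+)")

def parse_show_failover(text):
    """Return failover flag, version match and per-host role, state and interface states."""
    result = {"failover_on": False, "version_match": None, "hosts": {}}
    current = None
    for line in text.splitlines():
        if line.startswith("Failover On"):
            result["failover_on"] = True
        elif VERSION_RE.match(line):
            ours, mate = VERSION_RE.match(line).groups()
            result["version_match"] = ours == mate
        elif HOST_RE.match(line):
            current, role, state = HOST_RE.match(line).groups()
            result["hosts"][current] = {"role": role, "state": state, "interfaces": {}}
        elif current and IFACE_RE.match(line):
            name, state = IFACE_RE.match(line).groups()
            result["hosts"][current]["interfaces"][name] = state
    return result

def failover_problems(parsed):
    """Reasons the pair is not a healthy Active / Standby Ready pair (empty list = healthy)."""
    problems = []
    if not parsed["failover_on"]:
        problems.append("failover is off")
    if parsed["version_match"] is False:
        problems.append("software version mismatch between units")
    states = sorted(h["state"] for h in parsed["hosts"].values())
    if states != ["Active", "Standby Ready"]:
        problems.append("unit states %s, expected Active and Standby Ready" % (states,))
    for host, h in parsed["hosts"].items():
        for name, state in h["interfaces"].items():
            if state != "Normal":
                problems.append("%s host: interface %s is %s" % (host, name, state))
    return problems
```

Run `failover_problems(parse_show_failover(text))` on the pasted output; an empty list means both units report the expected states and all monitored interfaces are Normal, so a drop seen only on one unit is more likely a policy or test-setup difference than a failover fault.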