Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
330
Views
0
Helpful
2
Replies

Some packets going to standby asa

choudhury.amd1
Level 1
Level 1

‎01-26-2018 02:55 AM - edited ‎03-08-2019 01:34 PM

Hello,

 

We have a unusual problem with our LAN, we have 2 x ASA (active/standby) and 2 pairs of stacked switches for distribution and then access stacks connected to them.  For a particular vlan we are seeing certain destination hosts are unreachable.  We have done packet capture and it turns out that the packets for the destination hosts that we cannot reach is sent to the standby firewall.  When we shutdown our inside interface of the standby firewall (connected to our distribution stack) everything starts working again.  Any help would be appreciated. 

 

Fied

Labels:
0 Helpful
2 Replies 2

Julio E. Moisa
VIP
VIP

‎01-26-2018 04:00 AM

Hi

A cluster of ASA active/standby works as a mirror, so the configuration from the primary firewall is copied to the standby and they will have the same IP addressing, are you using HSRP on the switches facing the firewalls and static route pointing to the same IP address as next hop (firewall IP)?

 

:-)




>> Marcar como útil o contestado, si la respuesta resolvió la duda, esto ayuda a futuras consultas de otros miembros de la comunidad. <<
0 Helpful

choudhury.amd1
Level 1
Level 1
In response to Julio E. Moisa

‎01-26-2018 04:17 AM

Hello,

The switches facing the firewall are layer 2 only, so the link between the firewall and switch stack is a trunk.  All the inside interfaces are sub-interfaces on a redundant port.  We have some vlans in the LAN to split different users and the gateways for these vlans sit on the ASA (sub-interfaces).

 

The users are getting IP addresses from a DHCP server which sits on the outside interface of the firewall, hence we have used the commands:

 

dhcprelay server 192.168.10.22 VLAN10-OUTSIDE

dhcprelay enable VLAN20-INSIDE

 

Many thanks.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card