09-22-2010 05:52 AM - edited 03-06-2019 01:07 PM
ASA5510 with IPS module and 3750G stacked switches. Everything is working normally... so we introduced two new Barracuda devices inline (Web Filter and IM Filter) on the same subnet at the 3750 Core switch and the ASA Inside interface. Here's where it gets fun. Switch can ping the ASA, and pass traffic to the Internet just fine, through the two Barracuda devices. The two Barracuda devices can ping each other, but cannot ping the ASA or the switch. Neither the switch nor the ASA can ping either Barracuda device.
Switch - 10.1.200.1/28
ASA inside - 10.1.200.2/28
CudaA - 10.1.200.10/28
CudaB - 10.1.200.11/28
Have tried defaulting the gateway for the Cudas to either switch or ASA without success. Both Cudas work on two separate networks in this same design and inline placement (one behind a PIX and before a switch and the other behind an ASA5505 and before a switch). Have tried intra-interface traffic allowing and not, and have talked to both the LAN switching team and ASA team at TAC... neither of which seems to find anything.
Suggestions?
09-22-2010 06:05 AM
Hello,
Can you configure capture on the ASA's inside interface and post the output here?
access-list capture permit ip any host 10.1.200.10
access-list capture permit ip any host 10.1.200.11
access-list capture permit ip host 10.1.200.10 any
access-list capture permit ip host 10.1.200.11 any
capture capin access-list capture interface inside
Once you configure the above, try to ping the Barracuda from the firewall. Once it fails, please collect the following outputs:
show capture capin
show arp | i inside
Please post those outputs here.
Regards,
NT
09-22-2010 06:39 AM
We've been reviewing these with Cisco. There are no packets captured when we ping the Barracuda device(s).
We get packets when pinging the switch on this same ACL. The show arp just shows the switch info (ip/mac).
1: 09:38:21.463660 802.1Q vlan#200 P0 192.168.1.15 > 192.168.2.44: icmp: echo request
2: 09:38:21.463934 802.1Q vlan#200 P0 192.168.2.44 > 192.168.1.15: icmp: echo reply
3: 09:38:23.713631 802.1Q vlan#200 P0 192.168.1.15 > 192.168.2.44: icmp: echo request
4: 09:38:23.713921 802.1Q vlan#200 P0 192.168.2.44 > 192.168.1.15: icmp: echo reply
and
inside 10.1.200.1 0022.bed0.8849 30
09-22-2010 06:55 AM
Hello,
OK, I guess the problem could be that the Barracuda does not respond to ARP requests (or the response is not in standard format). Let us try the following:
If you know the MAC address of the Barracuda device, add a static entry on the ASA for the Barracuda:
arp inside <barracuda-ip> <barracuda-mac>
Now, try to ping again and see if the capture sees any traffic towards Barracuda. If possible, you can configure a static entry on the Barracuda for the ASA IP/MAC and see if the packet returns as well.
Regards,
NT
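As an added example (not part of the thread), the following Python script parses the `show capture capin` and `show arp` output formats posted above and, for each host pinged from the ASA, tells you whether the capture shows the request leaving, whether a reply came back, and whether the ASA ever resolved the host's MAC. The sample output is constructed to mirror the thread (switch 10.1.200.1 answers, CudaA 10.1.200.10 produces no frames at all, CudaB 10.1.200.11 with a constructed MAC gets a request but no reply); the ASA inside address 10.1.200.2 is taken from the original post.

```python
import re

# Constructed sample of "show capture capin" output, in the format shown in the thread.
CAPTURE = """\
1: 09:38:21.463660 802.1Q vlan#200 P0 10.1.200.2 > 10.1.200.1: icmp: echo request
2: 09:38:21.463934 802.1Q vlan#200 P0 10.1.200.1 > 10.1.200.2: icmp: echo reply
3: 09:38:25.101200 802.1Q vlan#200 P0 10.1.200.2 > 10.1.200.11: icmp: echo request
"""

# Constructed sample of "show arp | i inside" output; the second MAC is made up.
ARP = """\
inside 10.1.200.1 0022.bed0.8849 30
inside 10.1.200.11 0000.5e00.5301 12
"""

CAP_RE = re.compile(
    r"^\s*\d+:\s+\S+\s+(?:802\.1Q vlan#\d+ P\d+\s+)?"
    r"(?P<src>\d+\.\d+\.\d+\.\d+) > (?P<dst>\d+\.\d+\.\d+\.\d+): icmp: echo (?P<kind>request|reply)"
)
ARP_RE = re.compile(
    r"^\s*(?P<iface>\S+)\s+(?P<ip>\d+\.\d+\.\d+\.\d+)\s+(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})"
)


def parse_arp(text, iface="inside"):
    """Return {ip: mac} for ARP entries learned on the given ASA interface."""
    return {m["ip"]: m["mac"] for m in map(ARP_RE.match, text.splitlines()) if m and m["iface"] == iface}


def parse_icmp(text):
    """Return a list of (src, dst, kind) for every ICMP echo line in the capture."""
    return [(m["src"], m["dst"], m["kind"]) for m in map(CAP_RE.match, text.splitlines()) if m]


def triage(capture_text, arp_text, asa_ip, targets):
    """Classify each pinged target by what the ASA's ARP table and capture show."""
    arp, pkts, verdicts = parse_arp(arp_text), parse_icmp(capture_text), {}
    for t in targets:
        sent = any(s == asa_ip and d == t and k == "request" for s, d, k in pkts)
        got = any(s == t and d == asa_ip and k == "reply" for s, d, k in pkts)
        if t not in arp and not sent:
            # ASA drops the echo before it hits the wire when it cannot resolve the next-hop MAC.
            verdicts[t] = "no ARP entry, no frames: ASA never resolved the MAC (ARP/L2 problem)"
        elif sent and got:
            verdicts[t] = "request and reply seen: reachable from the ASA"
        elif sent:
            verdicts[t] = "request left the ASA, no reply: host or L2 path between ASA and host"
        else:
            verdicts[t] = "ARP entry present but no request captured: check capture ACL/interface"
    return verdicts
```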
09-22-2010 07:29 AM
Not sure I can get the Barracuda MAC from the console - I will have to check. I am not onsite anymore - but will be on Monday again. This has been quite frustrating. I am going to try and arrange for the switch team and ASA team to talk to me at the same time to discern, so we aren't pointing fingers at each other for the issue.
09-22-2010 06:09 AM
Bwalters613 wrote:
ASA5510 with IPS module and 3750G stacked switches. Everything is working normally... so we introduced two new Barracuda devices inline (Web Filter and IM Filter) on the same subnet at the 3750 Core switch and the ASA Inside interface. Here's where it gets fun. Switch can ping the ASA, and pass traffic to the Internet just fine, through the two Barracuda devices. The two Barracuda devices can ping each other, but cannot ping the ASA or the switch. Neither the switch nor the ASA can ping either Barracuda device.
Switch - 10.1.200.1/28
ASA inside - 10.1.200.2/28
CudaA - 10.1.200.10/28
CudaB - 10.1.200.11/28
Have tried defaulting the gateway for the Cudas to either switch or ASA without success. Both Cudas work on two separate networks in this same design and inline placement (one behind a PIX and before a switch and the other behind an ASA5505 and before a switch). Have tried intra-interface traffic allowing and not, and have talked to both the LAN switching team and ASA team at TAC... neither of which seems to find anything.
Suggestions?
You've probably been asked this sort of question already but -
1) when you try to ping the barracuda devices from the switch or the ASA what do the arp tables show on the switch/ASA
2) when you try to ping the switch or ASA from the barracuda what do the arp tables show on the barracudas
3) have you tried packet capture on the ASA to see if when you ping from the barracudas the ICMP request actually gets to the ASA
By the sounds of it the barracudas are running in transparent mode, i.e. L2 between the switch and ASA, so the default-gateway should make no difference.
Jon
09-22-2010 06:40 AM
See previous, but I agree. The Barracudas are out of the box, IP configured only, so they are in Audit mode. I can take them out of line, connect them to the switch and give them a server-based IP and get to them just fine. Just not the switch/ASA network.