Changes Caused Necessity to Restart Firewall

cnetwiz
cnetwiz used Ask the Experts™
on
Hello Experts,
Have a WHY question...  ASA Firewall with IDS.   Connections to External Internet, Internal DMZ Zone, Internal Router.  
The DMZ Zone has 3 servers.  2 dns and 1 web.   Over the weekend, Virtualized these 3 servers to one new server and disabled the switch ports of the 3 servers.  
Accessing a Test computer in the DMZ Zone,  tested accessibility to the new VS, DNS VS and Web VS  Everything worked Perfectly.   Access all websites from DMZ Web Server, and Outside Internet sites.
HOWEVER,  No Accessibility to Webserver from Outside World.  DNS Traffic Gets Thru.  Can Remote Desktop to all DMZ Servers from Management Network.    Everything execpt http traffic is not working.    "Server Not Available" is the Internet Explorer Error.  
After Hours of Troubleshooting finally shook my head and restarted ASA.   Now Everything works Perfectly and Everythign is Accessible.    MY Question .   What would cause the ASA to deny http traffic when I switch the 3 Servers to VS and upon restart allow traffic  ????
Hope I explained my case well.   Any Thoughts would be appreciated.
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
my first thought would be an arp issue. and that could be that reason it got cleared on a reboot.

Author

Commented:
That is interesting that you thought of ARP.
Thinking the process thru, there could really be no reason why packets would be denied unless the ASA is receiving an ARP packet and the MAC address is different than the ARP Cache entry.

The packet is legitimate, however, the Firewall could interpret it as an ARP attack.

Thank you for allowing me to bounce the idea off you guys.   It makes sense..

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial