Solved

ping asa dmz or outside interface

Posted on 2014-12-03
4
556 Views
Last Modified: 2014-12-05
Hi

Im just wondering why i cant ping the dmz asa interface from a host on the "inside" LAN - my PC

The asa is in a 2 x failover. I can ping the failover dmz and outside interface IP's of the current "secondary" ASA  from my PC - only not the primary dmz + outside interfaces on the primary asa?

at the moment I have allow all access list outbound - so its not ACL. I am pinging from a higher security interface "inside" to a lower security DMZ interface. - I tried a packet trace from asdm - and it failed on route. dont quite get this as the DMz interface is direct attached interface + subnet. I suspect im just misunderstanding something basic about asa - Id like to know what please anyone ?  :)
0
Comment
Question by:philb19
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
4 Comments
 
LVL 12

Expert Comment

by:Fidelius
ID: 40480552
As you have failover configuration, both ASA's should have identical configuration. If you can ping secondary addresses and not primary, I would suspect something is wrong with primary ASA.
Did you try to reboot primary ASA?
If you make force switchover to secondary ASA, can you ping DMZ and outside interfaces?

Regards!
0
 

Author Comment

by:philb19
ID: 40480571
thanks for posting - nothing appears to be wrong as such with traffic flow. What did change is I moved the dmz interfaces "of both" ASA's to new cisco switch. This does not explain why i cant ping the primary outside interface. but can to the outside on the 2ndary. To be honest I cant recall if I could ping the primary interfaces before the change - I was thinking he change would possibly be arp related

i didnt reboot the primary no. When I swapped the primary dmz interface - the asa did a failover. Then  To failback i simply did the same thing on the "new" primary - that is remove and insert back in the DMZ int.
it failed back then to the original primary. - all @ work is ok - Im just trying to get an understanding - thanks
0
 
LVL 12

Accepted Solution

by:
Fidelius earned 500 total points
ID: 40480707
To trigger failover you can use following commands:
On standby unit:
hostname# failover active
Forces a failover when entered on the standby unit in a failover pair. The standby unit becomes the active unit.
OR
On active unit:
hostname# no failover active
Forces a failover when entered on the active unit in a failover pair. The active unit becomes the standby unit.

No need to unplug cables.
Try to do failover and then ping to see how it behaves. On failover, secondary unit will takeover primary MAC and IP address. It should work in any case.

Sometimes, something can stuck in memory or on some of internal processes, so reboot is usually good to resolve such transient issues.
0
 

Author Closing Comment

by:philb19
ID: 40484183
awesome thanks
0

Featured Post

PeopleSoft Has Never Been Easier

PeopleSoft Adoption Made Smooth & Simple!

On-The-Job Training Is made Intuitive & Easy With WalkMe's On-Screen Guidance Tool.  Claim Your Free WalkMe Account Now

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

For months I had no idea how to 'discover' the IP address of the other end of a link (without asking someone who knows), and it drove me batty. Think about it. You can't use Cisco Discovery Protocol (CDP) because it's not implemented on the ASAs.…
WARNING:   If you follow the instructions here, you will wipe out your VTP and VLAN configurations.  Make sure you have backed up your switch!!! I recently had some issues with a few low-end Cisco routers (RV325) and I opened a case with Cisco TA…
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…
Monitoring a network: why having a policy is the best policy? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the enormous benefits of having a policy-based approach when monitoring medium and large networks. Software utilized in this v…
Suggested Courses

615 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question