Solved

ping asa dmz or outside interface

Posted on 2014-12-03
Last Modified: 2014-12-05
Hi

I'm just wondering why I can't ping the DMZ ASA interface from a host on the "inside" LAN (my PC).

The ASA is in a 2 x failover pair. I can ping the failover DMZ and outside interface IPs of the current "secondary" ASA from my PC, only not the DMZ and outside interfaces on the primary ASA?

At the moment I have an allow-all access list outbound, so it's not the ACL. I am pinging from a higher security interface ("inside") to a lower security DMZ interface. I tried a packet trace from ASDM and it failed on route. I don't quite get this, as the DMZ interface is a directly attached interface + subnet. I suspect I'm just misunderstanding something basic about the ASA. I'd like to know what, please, anyone? :)
Question by:philb19
4 Comments
 

Expert Comment

by:Fidelius
ID: 40480552
As you have a failover configuration, both ASAs should have identical configurations. If you can ping the secondary addresses and not the primary, I would suspect something is wrong with the primary ASA.
Did you try to reboot the primary ASA?
If you force a switchover to the secondary ASA, can you ping the DMZ and outside interfaces?

Regards!
 

Author Comment

by:philb19
ID: 40480571
Thanks for posting. Nothing appears to be wrong as such with traffic flow. What did change is that I moved the DMZ interfaces of both ASAs to a new Cisco switch. This does not explain why I can't ping the primary outside interface but can ping the outside on the secondary. To be honest, I can't recall if I could ping the primary interfaces before the change. I was thinking the change would possibly be ARP related.

I didn't reboot the primary, no. When I swapped the primary DMZ interface, the ASA did a failover. Then, to fail back, I simply did the same thing on the "new" primary, that is, removed and re-inserted the DMZ interface.
It failed back then to the original primary. All at work is OK; I'm just trying to get an understanding. Thanks.
 

Accepted Solution

by:Fidelius (earned 500 total points)
ID: 40480707
To trigger a failover you can use the following commands:
On standby unit:
hostname# failover active
Forces a failover when entered on the standby unit in a failover pair. The standby unit becomes the active unit.
OR
On active unit:
hostname# no failover active
Forces a failover when entered on the active unit in a failover pair. The active unit becomes the standby unit.

No need to unplug cables.
Try to do a failover and then ping to see how it behaves. On failover, the secondary unit will take over the primary MAC and IP addresses. It should work in any case.

Sometimes something can get stuck in memory or in one of the internal processes, so a reboot is usually good for resolving such transient issues.
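The pattern in this thread (the standby unit's DMZ and outside addresses answer from an inside host, the active unit's do not) matches a documented ASA behaviour: the ASA replies to an ICMP echo request addressed to one of its own interfaces only when the request arrives on that interface. An inside host can therefore ping the active unit's inside address but not its DMZ or outside addresses, while the standby unit's DMZ and outside addresses are routed to through the active unit like any other host on those segments and do answer. The Python below is an added example, not code from the original thread or from Cisco: it parses a constructed `show failover` sample (in the ASA's print format, with documentation-range addresses rather than the poster's) and lists which addresses an inside host should and should not expect replies from, both as-is and after the `failover active` switchover suggested in the accepted answer, so the ping test can be compared against an expected result.

```python
"""Expected ping results against a Cisco ASA failover pair.

Added example (not from the original thread or from Cisco). The ASA replies
to an ICMP echo request addressed to one of its own interfaces only when the
request arrives on that interface. From a host behind "inside", therefore:
  - the active unit's inside address answers,
  - the active unit's dmz/outside addresses do not (far-side interfaces),
  - the standby unit's dmz/outside addresses answer, because the active unit
    routes to them as ordinary hosts on those segments.
"""
import copy
import re

# Constructed `show failover` output in the ASA's print format. Addresses
# are RFC 1918 / RFC 5737 documentation ranges, not the poster's.
SHOW_FAILOVER = """\
Failover On
Failover unit Primary
Failover LAN Interface: folink GigabitEthernet0/3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 60 maximum
Last Failover at: 10:02:12 UTC Dec 3 2014
        This host: Primary - Active
                Active time: 3600 (sec)
                  Interface inside (10.1.1.1): Normal (Monitored)
                  Interface dmz (10.10.10.1): Normal (Monitored)
                  Interface outside (203.0.113.2): Normal (Monitored)
        Other host: Secondary - Standby Ready
                Active time: 0 (sec)
                  Interface inside (10.1.1.2): Normal (Monitored)
                  Interface dmz (10.10.10.2): Normal (Monitored)
                  Interface outside (203.0.113.3): Normal (Monitored)
"""

HOST_RE = re.compile(r"^\s*(This|Other) host:\s+(Primary|Secondary)\s+-\s+(.+?)\s*$")
IFACE_RE = re.compile(r"^\s*Interface (\S+) \(([\d.]+)\):\s+(\S+)")


def parse_show_failover(text):
    """Return {'Primary'|'Secondary': {'state': str,
    'interfaces': {name: (ip, status)}}} from `show failover` text."""
    units = {}
    current = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = m.group(2)
            units[current] = {"state": m.group(3), "interfaces": {}}
            continue
        m = IFACE_RE.match(line)
        if m and current is not None:
            name, ip, status = m.groups()
            units[current]["interfaces"][name] = (ip, status)
    return units


def active_unit(units):
    """Name of the unit currently in the Active state."""
    for name, info in units.items():
        if info["state"].startswith("Active"):
            return name
    raise ValueError("no active unit in show failover output")


def classify_ping_targets(units, source_iface):
    """Split all interface addresses of the pair into those a host behind
    `source_iface` should get echo replies from and those it should not."""
    active = active_unit(units)
    reachable, unanswered = {}, {}
    for unit, info in units.items():
        for iface, (ip, _status) in info["interfaces"].items():
            if unit == active and iface != source_iface:
                # The echo arrives on source_iface, so the active unit does
                # not answer for this far-side interface address.
                unanswered[ip] = f"{unit} {iface} (active unit, far side)"
            else:
                reachable[ip] = f"{unit} {iface}"
    return reachable, unanswered


def after_switchover(units):
    """Pair state after `failover active` on the standby unit (or
    `no failover active` on the active unit): roles swap, addresses stay."""
    swapped = copy.deepcopy(units)
    active = active_unit(units)
    for unit in swapped:
        swapped[unit]["state"] = "Standby Ready" if unit == active else "Active"
    return swapped


def report(units, source_iface="inside"):
    reachable, unanswered = classify_ping_targets(units, source_iface)
    print(f"Active unit: {active_unit(units)}")
    for ip, where in sorted(reachable.items()):
        print(f"  expect reply     {ip:16} {where}")
    for ip, where in sorted(unanswered.items()):
        print(f"  expect no reply  {ip:16} {where}")


if __name__ == "__main__":
    units = parse_show_failover(SHOW_FAILOVER)
    report(units)
    print("After forced switchover:")
    report(after_switchover(units))
```

Run it against the real `show failover` output of the pair by replacing the constructed sample; if an address listed under "expect reply" does not answer, the problem is the unit or segment (ARP, switch port), whereas a silent "expect no reply" address is normal ASA behaviour, not a fault.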
 

Author Closing Comment

by:philb19
ID: 40484183
Awesome, thanks!
