We have two ASA 5520s in an active/standby pair. Hanging off of those are two core switches (WS-C3750X-48T-S), each serving two different environments, and each routing multiple VLANs. Recently it came to light that we had not updated the ASAs since 8.3(2)44, so there was a huge push to get that done over the weekend. They are now on 8.4(7)31. We did an incremental upgrade:
8.3(2)44 > 8.4(1) > 8.4(5) > 8.4(6) > 8.4(7) > 8.4(7)31
using the zero downtime method.
Now we are having problems with servers contacting each other within the same core switch, even within the same VLAN. If we clear ARP, that might fix it for a short time, or it might not. In one environment, we had to add an ACL that said:
access-list network2_in extended permit ip object network2 object network2
that allowed servers to talk to each other within the same network. It made it better but did not fix the problem entirely. There is already an any-any on the other network, but it is having the same issues. Email is not going out, because the Exchange server cannot send mail to the smart host appliance in the same network/VLAN. If we ping the appliance from the Exchange server, connectivity is restored temporarily.
Why does the ASA have anything at all to do with communications within a core switch, including within a single VLAN?
What the crap is going on?