Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Upgraded ASAs, now internal communication is unstable/sporadic

Posted on 2016-10-24
4
Medium Priority
?
49 Views
Last Modified: 2016-10-29
We have two ASA 5520s in an active/standby pair. Hanging off of those are two core switches (WS-C3750X-48T-S), each serving two different environments, and each routing multiple vlans. Recently it came to light that we had not updated the ASAs since 8.3(2)44 so there was a huge push to get that done over the weekend. They are now on 8.4(7)31. We did an incremental upgrade:

8.3(2)44 > 8.4(1) > 8.4(5) > 8.4(6) > 8.4(7) > 8.4(7)31

using the zero downtime method.

Now, we are having problems with servers contacting each other within the same core switch, even within the same vlan. If we clear arp, that might fix it for a short time or it might not. In one environment, we had to add an ACL that said:

access-list network2_in extended permit ip object network2 object network2

that allowed servers to talk to each other within the same network. It made it better but did not fix the problem entirely. There is already an any-any on the other network, but it is having the same issues. Email is not going out, because the Exchange server cannot send mail to the smart host appliance in the same network/vlan. If we ping the appliance from the Exchange server, connection is restored temporarily.

Questions:

Why does the ASA have anything at all to do with communications within a core switch, including within a single vlan?

What the crap is going on?
EE.png
0
Comment
Question by:ylandrum
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
4 Comments
 
LVL 27

Expert Comment

by:skullnobrains
ID: 41857040
If we ping the appliance from the Exchange server, connection is restored temporarily.

that is no actual solution but this suggests you are facing a problem related with a security feature in ASA. most likely the ASA sees the same IP on multiple ports and assumes some spoofing is going on and kills the mac... or some weird interaction with the core routers. i guess that same feature was not enabled by default but now is.

can you post information regarding your setup including the core routers and ASAs ?
0
 
LVL 13

Accepted Solution

by:
ylandrum earned 0 total points
ID: 41857335
Sorry for the delay; we got it sorted out. It turned out to be proxy arp.

We had some NAT overlap in our config that was causing the ASA to answer ARP requests for addresses on the subnets with its own MAC address. We could have just added no-proxy-arp to the end of some representative NAT statements for each subnet, but ultimate decided to just disable it at the two interfaces since we have no one-to-one address NATs:

sysopt noproxyarp network1
sysopt noproxyarp network2

Here are some links that led us to the answer:

http://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/116154-qanda-ASA-00.html

https://supportforums.cisco.com/discussion/12938596/asa-interface-hang-fixed-clearing-arp

https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1028373

http://www.cisco.com/c/en/us/td/docs/security/asa/asa93/configuration/general/asa-general-cli/route-overview.html#66617

Thanks for your willingness to chime in.
0
 
LVL 27

Expert Comment

by:skullnobrains
ID: 41857358
interesting. thanks for sharing.
0
 
LVL 13

Author Closing Comment

by:ylandrum
ID: 41865077
We solved it ourselves.
0

Featured Post

Are You Ready for GDPR?

With the GDPR deadline set for May 25, 2018, many organizations are ill-prepared due to uncertainty about the criteria for compliance. According to a recent WatchGuard survey, a staggering 37% of respondents don't even know if their organization needs to comply with GDPR. Do you?

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Use of TCL script on Cisco devices:  - create file and merge it with running configuration to apply configuration changes
This article is in regards to the Cisco QSFP-4SFP10G-CU1M cables, which are designed to uplink/downlink 40GB ports to 10GB SFP ports. I recently experienced this and found very little configuration documentation on how these are supposed to be confi…
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…
Suggested Courses

722 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question