?
Solved

Upgraded ASAs, now internal communication is unstable/sporadic

Posted on 2016-10-24
4
Medium Priority
?
64 Views
Last Modified: 2016-10-29
We have two ASA 5520s in an active/standby pair. Hanging off of those are two core switches (WS-C3750X-48T-S), each serving two different environments, and each routing multiple vlans. Recently it came to light that we had not updated the ASAs since 8.3(2)44 so there was a huge push to get that done over the weekend. They are now on 8.4(7)31. We did an incremental upgrade:

8.3(2)44 > 8.4(1) > 8.4(5) > 8.4(6) > 8.4(7) > 8.4(7)31

using the zero downtime method.

Now, we are having problems with servers contacting each other within the same core switch, even within the same vlan. If we clear arp, that might fix it for a short time or it might not. In one environment, we had to add an ACL that said:

access-list network2_in extended permit ip object network2 object network2

that allowed servers to talk to each other within the same network. It made it better but did not fix the problem entirely. There is already an any-any on the other network, but it is having the same issues. Email is not going out, because the Exchange server cannot send mail to the smart host appliance in the same network/vlan. If we ping the appliance from the Exchange server, connection is restored temporarily.

Questions:

Why does the ASA have anything at all to do with communications within a core switch, including within a single vlan?

What the crap is going on?
EE.png
0
Comment
Question by:Yancey Landrum
  • 2
  • 2
4 Comments
 
LVL 27

Expert Comment

by:skullnobrains
ID: 41857040
If we ping the appliance from the Exchange server, connection is restored temporarily.

that is no actual solution but this suggests you are facing a problem related with a security feature in ASA. most likely the ASA sees the same IP on multiple ports and assumes some spoofing is going on and kills the mac... or some weird interaction with the core routers. i guess that same feature was not enabled by default but now is.

can you post information regarding your setup including the core routers and ASAs ?
0
 
LVL 13

Accepted Solution

by:
Yancey Landrum earned 0 total points
ID: 41857335
Sorry for the delay; we got it sorted out. It turned out to be proxy arp.

We had some NAT overlap in our config that was causing the ASA to answer ARP requests for addresses on the subnets with its own MAC address. We could have just added no-proxy-arp to the end of some representative NAT statements for each subnet, but ultimate decided to just disable it at the two interfaces since we have no one-to-one address NATs:

sysopt noproxyarp network1
sysopt noproxyarp network2

Here are some links that led us to the answer:

http://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/116154-qanda-ASA-00.html

https://supportforums.cisco.com/discussion/12938596/asa-interface-hang-fixed-clearing-arp

https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1028373

http://www.cisco.com/c/en/us/td/docs/security/asa/asa93/configuration/general/asa-general-cli/route-overview.html#66617

Thanks for your willingness to chime in.
0
 
LVL 27

Expert Comment

by:skullnobrains
ID: 41857358
interesting. thanks for sharing.
0
 
LVL 13

Author Closing Comment

by:Yancey Landrum
ID: 41865077
We solved it ourselves.
0

Featured Post

IT Degree with Certifications Included

Aspire to become a network administrator, network security analyst, or computer and information systems manager? Make the most of your experience as an IT professional by earning your B.S. in Network Operations and Security.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

There’s a movement in Information Technology (IT), and while it’s hard to define, it is gaining momentum. Some call it “stream-lined IT;” others call it “thin-model IT.”
In this article, the configuration steps in Zabbix to monitor devices via SNMP will be discussed with some real examples on Cisco Router/Switch, Catalyst Switch, NAS Synology device.
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…
When cloud platforms entered the scene, users and companies jumped on board to take advantage of the many benefits, like the ability to work and connect with company information from various locations. What many didn't foresee was the increased risk…
Suggested Courses

569 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question