Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

Upgraded ASAs, now internal communication is unstable/sporadic

Posted on 2016-10-24
4
Medium Priority
?
57 Views
Last Modified: 2016-10-29
We have two ASA 5520s in an active/standby pair. Hanging off of those are two core switches (WS-C3750X-48T-S), each serving two different environments, and each routing multiple vlans. Recently it came to light that we had not updated the ASAs since 8.3(2)44 so there was a huge push to get that done over the weekend. They are now on 8.4(7)31. We did an incremental upgrade:

8.3(2)44 > 8.4(1) > 8.4(5) > 8.4(6) > 8.4(7) > 8.4(7)31

using the zero downtime method.

Now, we are having problems with servers contacting each other within the same core switch, even within the same vlan. If we clear arp, that might fix it for a short time or it might not. In one environment, we had to add an ACL that said:

access-list network2_in extended permit ip object network2 object network2

that allowed servers to talk to each other within the same network. It made it better but did not fix the problem entirely. There is already an any-any on the other network, but it is having the same issues. Email is not going out, because the Exchange server cannot send mail to the smart host appliance in the same network/vlan. If we ping the appliance from the Exchange server, connection is restored temporarily.

Questions:

Why does the ASA have anything at all to do with communications within a core switch, including within a single vlan?

What the crap is going on?
EE.png
0
Comment
Question by:ylandrum
  • 2
  • 2
4 Comments
 
LVL 27

Expert Comment

by:skullnobrains
ID: 41857040
If we ping the appliance from the Exchange server, connection is restored temporarily.

that is no actual solution but this suggests you are facing a problem related with a security feature in ASA. most likely the ASA sees the same IP on multiple ports and assumes some spoofing is going on and kills the mac... or some weird interaction with the core routers. i guess that same feature was not enabled by default but now is.

can you post information regarding your setup including the core routers and ASAs ?
0
 
LVL 13

Accepted Solution

by:
ylandrum earned 0 total points
ID: 41857335
Sorry for the delay; we got it sorted out. It turned out to be proxy arp.

We had some NAT overlap in our config that was causing the ASA to answer ARP requests for addresses on the subnets with its own MAC address. We could have just added no-proxy-arp to the end of some representative NAT statements for each subnet, but ultimate decided to just disable it at the two interfaces since we have no one-to-one address NATs:

sysopt noproxyarp network1
sysopt noproxyarp network2

Here are some links that led us to the answer:

http://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/116154-qanda-ASA-00.html

https://supportforums.cisco.com/discussion/12938596/asa-interface-hang-fixed-clearing-arp

https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1028373

http://www.cisco.com/c/en/us/td/docs/security/asa/asa93/configuration/general/asa-general-cli/route-overview.html#66617

Thanks for your willingness to chime in.
0
 
LVL 27

Expert Comment

by:skullnobrains
ID: 41857358
interesting. thanks for sharing.
0
 
LVL 13

Author Closing Comment

by:ylandrum
ID: 41865077
We solved it ourselves.
0

Featured Post

WatchGuard Case Study: Museum of Flight

“With limited money and limited staffing, we didn’t have a lot of choices in terms of what we could do to bring efficiency. WatchGuard played a central part in changing that.” To provide strong, secure Wi-Fi access within the museum, Hunter chose to deploy WatchGuard’s AP120 APs.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Powerful tools can do wonders, but only in the right hands.  Nowhere is this more obvious than with the cloud.
You deserve ‘straight talk’ from your cloud provider about your risk, your costs, security, uptime and the processes that are in place to protect your mission-critical applications.
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…
Suggested Courses

916 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question