Solved

Upgraded ASAs, now internal communication is unstable/sporadic

Posted on 2016-10-24
4
24 Views
Last Modified: 2016-10-29
We have two ASA 5520s in an active/standby pair. Hanging off of those are two core switches (WS-C3750X-48T-S), each serving two different environments, and each routing multiple vlans. Recently it came to light that we had not updated the ASAs since 8.3(2)44 so there was a huge push to get that done over the weekend. They are now on 8.4(7)31. We did an incremental upgrade:

8.3(2)44 > 8.4(1) > 8.4(5) > 8.4(6) > 8.4(7) > 8.4(7)31

using the zero downtime method.

Now, we are having problems with servers contacting each other within the same core switch, even within the same vlan. If we clear arp, that might fix it for a short time or it might not. In one environment, we had to add an ACL that said:

access-list network2_in extended permit ip object network2 object network2

that allowed servers to talk to each other within the same network. It made it better but did not fix the problem entirely. There is already an any-any on the other network, but it is having the same issues. Email is not going out, because the Exchange server cannot send mail to the smart host appliance in the same network/vlan. If we ping the appliance from the Exchange server, connection is restored temporarily.

Questions:

Why does the ASA have anything at all to do with communications within a core switch, including within a single vlan?

What the crap is going on?
EE.png
0
Comment
Question by:ylandrum
  • 2
  • 2
4 Comments
 
LVL 27

Expert Comment

by:skullnobrains
ID: 41857040
If we ping the appliance from the Exchange server, connection is restored temporarily.

that is no actual solution but this suggests you are facing a problem related with a security feature in ASA. most likely the ASA sees the same IP on multiple ports and assumes some spoofing is going on and kills the mac... or some weird interaction with the core routers. i guess that same feature was not enabled by default but now is.

can you post information regarding your setup including the core routers and ASAs ?
0
 
LVL 13

Accepted Solution

by:
ylandrum earned 0 total points
ID: 41857335
Sorry for the delay; we got it sorted out. It turned out to be proxy arp.

We had some NAT overlap in our config that was causing the ASA to answer ARP requests for addresses on the subnets with its own MAC address. We could have just added no-proxy-arp to the end of some representative NAT statements for each subnet, but ultimate decided to just disable it at the two interfaces since we have no one-to-one address NATs:

sysopt noproxyarp network1
sysopt noproxyarp network2

Here are some links that led us to the answer:

http://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/116154-qanda-ASA-00.html

https://supportforums.cisco.com/discussion/12938596/asa-interface-hang-fixed-clearing-arp

https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1028373

http://www.cisco.com/c/en/us/td/docs/security/asa/asa93/configuration/general/asa-general-cli/route-overview.html#66617

Thanks for your willingness to chime in.
0
 
LVL 27

Expert Comment

by:skullnobrains
ID: 41857358
interesting. thanks for sharing.
0
 
LVL 13

Author Closing Comment

by:ylandrum
ID: 41865077
We solved it ourselves.
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Overview The Cisco PIX 501, PIX 506e, ASA 5505 and ASA 5510 (most if not all of this information will be relevant to the PIX 515e but I do not have a working configuration handy to verify the validity) are primarily used within small to medium busi…
Use of TCL script on Cisco devices:  - create file and merge it with running configuration to apply configuration changes
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
Both in life and business – not all partnerships are created equal. Spend 30 short minutes with us to learn:   • Key questions to ask when considering a partnership to accelerate your business into the cloud • Pitfalls and mistakes other partners…

830 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question