Solved

Upgraded ASAs, now internal communication is unstable/sporadic

Posted on 2016-10-24
4
18 Views
Last Modified: 2016-10-29
We have two ASA 5520s in an active/standby pair. Hanging off of those are two core switches (WS-C3750X-48T-S), each serving two different environments, and each routing multiple vlans. Recently it came to light that we had not updated the ASAs since 8.3(2)44 so there was a huge push to get that done over the weekend. They are now on 8.4(7)31. We did an incremental upgrade:

8.3(2)44 > 8.4(1) > 8.4(5) > 8.4(6) > 8.4(7) > 8.4(7)31

using the zero downtime method.

Now, we are having problems with servers contacting each other within the same core switch, even within the same vlan. If we clear arp, that might fix it for a short time or it might not. In one environment, we had to add an ACL that said:

access-list network2_in extended permit ip object network2 object network2

that allowed servers to talk to each other within the same network. It made it better but did not fix the problem entirely. There is already an any-any on the other network, but it is having the same issues. Email is not going out, because the Exchange server cannot send mail to the smart host appliance in the same network/vlan. If we ping the appliance from the Exchange server, connection is restored temporarily.

Questions:

Why does the ASA have anything at all to do with communications within a core switch, including within a single vlan?

What the crap is going on?
EE.png
0
Comment
Question by:ylandrum
  • 2
  • 2
4 Comments
 
LVL 26

Expert Comment

by:skullnobrains
ID: 41857040
If we ping the appliance from the Exchange server, connection is restored temporarily.

that is no actual solution but this suggests you are facing a problem related with a security feature in ASA. most likely the ASA sees the same IP on multiple ports and assumes some spoofing is going on and kills the mac... or some weird interaction with the core routers. i guess that same feature was not enabled by default but now is.

can you post information regarding your setup including the core routers and ASAs ?
0
 
LVL 13

Accepted Solution

by:
ylandrum earned 0 total points
ID: 41857335
Sorry for the delay; we got it sorted out. It turned out to be proxy arp.

We had some NAT overlap in our config that was causing the ASA to answer ARP requests for addresses on the subnets with its own MAC address. We could have just added no-proxy-arp to the end of some representative NAT statements for each subnet, but ultimate decided to just disable it at the two interfaces since we have no one-to-one address NATs:

sysopt noproxyarp network1
sysopt noproxyarp network2

Here are some links that led us to the answer:

http://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/116154-qanda-ASA-00.html

https://supportforums.cisco.com/discussion/12938596/asa-interface-hang-fixed-clearing-arp

https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1028373

http://www.cisco.com/c/en/us/td/docs/security/asa/asa93/configuration/general/asa-general-cli/route-overview.html#66617

Thanks for your willingness to chime in.
0
 
LVL 26

Expert Comment

by:skullnobrains
ID: 41857358
interesting. thanks for sharing.
0
 
LVL 13

Author Closing Comment

by:ylandrum
ID: 41865077
We solved it ourselves.
0

Featured Post

Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
CISCO ATA 190 using PRI DID number 6 45
Using VMWare Snapshot as Cisco UCM backup method 3 45
Punctured RAID5 Array on Cisco UCS server. 6 58
Cisco WLAN 5520 licensing 10 37
When I upgraded my ASA 8.2 to 8.3, I realized that my nonat statement was failing!   The log showed the following error:     %ASA-5-305013: Asymmetric NAT rules matched for forward and reverse flows It was caused by the config upgrade, because t…
Quality of Service (QoS) options are nearly endless when it comes to networks today. This article is merely one example of how it can be handled in a hub-n-spoke design using a 3-tier configuration.
Both in life and business – not all partnerships are created equal. As the demand for cloud services increases, so do the number of self-proclaimed cloud partners. Asking the right questions up front in the partnership, will enable both parties …
As a trusted technology advisor to your customers you are likely getting the daily question of, ‘should I put this in the cloud?’ As customer demands for cloud services increases, companies will see a shift from traditional buying patterns to new…

809 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question