ASA5510 stopped passing traffic

Unanswered Question
Sep 4th, 2008

Hi.I just had a rather strange problem with an ASA5510.One moment it was working fine and the next moment it stopped passing traffic from the inside interface to any other interface.The funny thing is I could connect to the ASA over VPN but access to anything behind the inside interface was a no go.Also after connecting to the equpment on the inside network via alternate means everything was also fine.The strangest thing is that interfaces on the ASA and on the equipment connected to it were all up,routing was up but traffic to the inside network was not going to happen.We finally reloaded the primary ASA to see if the failover ASA would take over and everything went back to normal.The logs show nothing and according to them everything was OK.

Did anyone else have this very strange problem?

ASA image file version is 7.0(6)

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 1 (1 ratings)
Loading.
sadbulali Wed, 09/10/2008 - 13:28

The failover configuration requires two identical security appliances connected to each other through a dedicated failover link and, optionally, a Stateful Failover link. The health of the active interfaces and units is monitored to determine if specific failover conditions are met. If those conditions are met, failover occurs.The security appliance supports two failover configurations, Active/Active failover and Active/Standby failover. Each failover configuration has its own method for determining and performing failover. With Active/Active failover, both units can pass network traffic. This also lets you configure traffic sharing on your network.

robertson.michael Thu, 09/11/2008 - 13:06

Hi Igor,

One possibility is that an incorrect translation was built and got stuck in the xlate table. I have seen this cause traffic outages many times. You can use the output of 'show xlate debug' to confirm this, but only if the problem is actively happening.

ARP issues are another possibility, but again there is no way to confirm this after the ASA has been reloaded.

-Mike

Actions

This Discussion