ASA5510 Active/Standby Primary won't allow dns response

Sep 23rd, 2009

Our 5510 switched to the standby unit 2 weeks ago, and since then, I have not been able to get the primary back online. The configs are identical line for line; however, when the primary is put back into service, DNS requests from the internal servers are allowed out, but no responses ever come back to them. When I switch back to the failover unit everything works. I have flushed router caches, rebooted the DNS servers and all connected internal and external routers, and even tried swapping ports and cables, but no luck. Does anyone have any ideas on what I might try next?

JORGE RODRIGUEZ Wed, 09/23/2009 - 08:09

Steve, very strange issue, especially having identical ASA configurations. What I would try doing during non-production hours is to bring your primary fw unit back into active, then look at your ASDM real-time logs and see if you can spot any relevant information for DNS while trying to access the internet from a machine... something should come up in the logs.

slunney Wed, 09/23/2009 - 09:09

I have actually done that already, with a packet capture inbound and outbound. I looked at them in Wireshark, and the only difference between the working Standby traffic and the non-working Primary traffic is that the DNS queries never get a response packet on the Primary. There are no errors being reported in the log. The connection gets created and allowed and then a few minutes later gets torn down. On the Failover unit the response connection is, if not the next packet received, only a couple away in log entries. Could the base IOS have gotten corrupted somehow? This one has me stumped.



charrellc011699 Mon, 09/28/2009 - 12:46

Sounds very ARPy. You have stated that you have cleared router caches, reloaded, etc. Where are the DNS servers in relation to the ASA? I think you may have to take packet captures closer to the DNS server, rather than taking captures directly on the ASA. I suspect you will see ARP requests 1) not making it to the primary ASA, or 2) the primary ASA not responding to ARP requests (for whatever reason).
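
The check suggested in the post above, as an added example that is not part of this thread or of any Cisco tooling: a small script that walks through tcpdump-style text taken near the DNS server and pairs ARP requests with ARP replies and DNS queries (matched on client IP, source port and transaction ID) with DNS responses, so that ARP targets that never answer and DNS queries that never come back show up side by side. The capture lines are constructed for this example and the line format assumed is tcpdump's default "-n" text output; the hypothetical addresses (10.0.0.53 as the DNS server, 10.0.0.1 as the ASA inside interface, 8.8.8.8 as the upstream resolver) are assumptions, not values from the original post.

```python
import re

# Constructed sample in tcpdump "-n" text format (not a real capture). The first
# ARP request is answered and its DNS query gets a reply; the later ARP requests
# for the firewall's inside address go unanswered and so does the next DNS query,
# which is the symptom the thread describes on the primary unit.
SAMPLE_CAPTURE = """\
10:00:01.000 ARP, Request who-has 10.0.0.1 tell 10.0.0.53, length 28
10:00:01.001 ARP, Reply 10.0.0.1 is-at 00:11:22:33:44:55, length 28
10:00:01.010 IP 10.0.0.53.40000 > 8.8.8.8.53: 1234+ A? example.com. (29)
10:00:01.050 IP 8.8.8.8.53 > 10.0.0.53.40000: 1234 1/0/0 A 93.184.216.34 (45)
10:00:05.000 ARP, Request who-has 10.0.0.1 tell 10.0.0.53, length 28
10:00:06.000 ARP, Request who-has 10.0.0.1 tell 10.0.0.53, length 28
10:00:06.010 IP 10.0.0.53.40001 > 8.8.8.8.53: 1235+ A? example.org. (29)
""".splitlines()

# Line patterns (assumed tcpdump default text output; adjust if your build differs).
ARP_REQ = re.compile(r"^(\S+) ARP, Request who-has ([\d.]+) tell ([\d.]+)")
ARP_REP = re.compile(r"^(\S+) ARP, Reply ([\d.]+) is-at (\S+)")
# UDP/53 query: "<src>.<sport> > <dst>.<dport>: <id>+ ..." (the '+' marks a query)
DNS_Q = re.compile(r"^(\S+) IP (\S+)\.(\d+) > (\S+)\.(\d+): (\d+)\+ ")
# UDP/53 response: same header, transaction id not followed by '+'
DNS_R = re.compile(r"^(\S+) IP (\S+)\.(\d+) > (\S+)\.(\d+): (\d+) ")


def analyze(lines):
    """Pair ARP and DNS requests with their answers.

    Returns a dict with:
      unanswered_arp: {target_ip: number of requests never answered by a reply}
      answered_dns:   [(client_ip, client_port, txid), ...] in capture order
      unanswered_dns: [(client_ip, client_port, txid), ...] still pending at EOF
    """
    pending_arp = {}   # target ip -> count of outstanding who-has requests
    pending_dns = {}   # (client ip, client port, txid) -> query line
    answered_dns = []

    for line in lines:
        m = ARP_REQ.match(line)
        if m:
            target = m.group(2)
            pending_arp[target] = pending_arp.get(target, 0) + 1
            continue
        m = ARP_REP.match(line)
        if m:
            # A reply for the target clears all outstanding requests for it.
            pending_arp.pop(m.group(2), None)
            continue
        m = DNS_Q.match(line)
        if m:
            key = (m.group(2), m.group(3), m.group(6))   # client, sport, txid
            pending_dns[key] = line
            continue
        m = DNS_R.match(line)
        if m:
            key = (m.group(4), m.group(5), m.group(6))   # client is now the dst
            if key in pending_dns:
                pending_dns.pop(key)
                answered_dns.append(key)

    return {
        "unanswered_arp": pending_arp,
        "answered_dns": answered_dns,
        "unanswered_dns": list(pending_dns.keys()),
    }


if __name__ == "__main__":
    result = analyze(SAMPLE_CAPTURE)
    for ip, n in result["unanswered_arp"].items():
        print(f"ARP: {n} unanswered who-has for {ip}")
    for key in result["unanswered_dns"]:
        print(f"DNS: no response for client {key[0]}:{key[1]} txid {key[2]}")
    print(f"DNS: {len(result['answered_dns'])} queries answered")
```

Run it over `tcpdump -n -i <iface> arp or udp port 53` output saved from a host on the same segment as the DNS server; if the ARP side is clean but the DNS side still shows unanswered queries, the break is beyond the firewall's inside interface rather than in layer-2 reachability to it.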

slunney Tue, 09/29/2009 - 02:41

I unpatched and repatched every connection, and shut it all down again, and this time it worked when it all came back up. I would have liked to have figured out the cause in case it happens again, but it's working now, so I'm moving on.

Thanks guys.

