01-07-2010 02:42 PM - edited 03-11-2019 09:54 AM
I have two ASA 5510s in a failover configuration. The external interfaces are both plugged into an HP Procurve. The failover unit's interface shows up, no errors. On the switch, no errors, but all received packets are dropped. The only traffic at this time from that interface is keepalives with the primary unit.
I have no idea why the switch is dropping the packets. I have swapped cables, and switched ports on the Procurve. Again, no CRC errors, no framing errors, no runts, etc... just RX Drops.
Spanning tree is disabled, port security is not on...
Any ideas?
~rick
01-07-2010 04:48 PM
Could you pls. provide the following?
Pls. clear interface, then collect the following after a few seconds.
sh int (from both the ASA and the switch side)
sh run int (from both the ASA and the switch) I don't know the equivalent of these commands for HP Procurve.
-KS
01-08-2010 05:10 AM
Hi,
1. Is it A/A or A/S ?
2. What about the cable , is it straight or cross?
3. Which interfaces are terminated on HP switch, can you please post the topology ?
4. What about speed and duplex setting?
01-08-2010 09:43 AM
Hi Dileep,
Hi,
1. Is it A/A or A/S ?
Sorry, not sure what you mean?
2. What about the cable , is it straight or cross?
Straight through cable
3. Which interfaces are terminated on HP switch, can you please post the topology ?
There are four interfaces ETH0/0, ETH0/1, ETH0/2, and MGMT, all plugged into an HP Procurve. Eth0/0, ETH0/2, and MGMT are all monitored for failover. Eth0/1 is the LAN failover interface. ETH0/0 shows status of failed. The other two monitored interfaces show normal.
4. What about speed and duplex setting?
They are all set to auto. I have tried forcing the settings. Setting both the switch and the ASA to 100full, 1000full, and 10full. Same results.
~rick
01-08-2010 09:34 AM
SHOW INT ASA -
FIREWALL-A# sh int eth0/0
Interface Ethernet0/0 "external", is up, line protocol is up
Hardware is i82546GB rev03, BW 1000 Mbps, DLY 10 usec
Full-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
Description: External - Internet facing
MAC address 001d.45d9.a6e6, MTU 1500
IP address X.X.X.185, subnet mask 255.255.255.192
0 packets input, 0 bytes, 0 no buffer
Received 0 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 L2 decode drops
3 packets output, 378 bytes, 0 underruns
0 output errors, 0 collisions, 0 interface resets
0 babbles, 0 late collisions, 0 deferred
0 lost carrier, 0 no carrier
input queue (curr/max packets): hardware (0/0) software (0/0)
output queue (curr/max packets): hardware (0/1) software (0/0)
Traffic Statistics for "external":
0 packets input, 0 bytes
3 packets output, 324 bytes
0 packets dropped
1 minute input rate 0 pkts/sec, 0 bytes/sec
1 minute output rate 0 pkts/sec, 0 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 0 pkts/sec, 0 bytes/sec
5 minute output rate 0 pkts/sec, 0 bytes/sec
5 minute drop rate, 0 pkts/sec
SHOW RUN INT ASA -
FIREWALL-A# sh run int eth0/0
!
interface Ethernet0/0
description External - Internet facing
duplex full
nameif external
security-level 0
ip address X.X.X.184 255.255.255.192 standby X.X.X.185
SHOW INT HP -
SWITCH-B# sh int 7
Status and Counters - Port Counters for port 7
Name : Internet B
Link Status : Up
Bytes Rx : 1386 Bytes Tx : 161
Unicast Rx : 11 Unicast Tx : 0
Bcast/Mcast Rx : 0 Bcast/Mcast Tx : 1
FCS Rx : 0 Drops Rx : 11
Alignment Rx : 0 Collisions Tx : 0
Runts Rx : 0 Late Colln Tx : 0
Giants Rx : 0 Excessive Colln : 0
Total Rx Errors : 0 Deferred Tx : 0
SHOW INT BRIEF HP -
SWITCH-B# show int brief 7
Status and Counters - Port Status
| Intrusion MDI Flow Bcast
Port Type | Alert Enabled Status Mode Mode Ctrl Limit
------- --------- + --------- ------- ------ ---------- ----- ----- ------
7 100/1000T | No Yes Up 1000FDx MDI off 0
SHOW INT CONFIG -
Port Settings
Port Type | Enabled Mode Flow Ctrl MDI
------- --------- + ------- ------------ --------- ----
1 100/1000T | No Auto Disable Auto
2 100/1000T | Yes Auto Disable Auto
3 100/1000T | Yes Auto Disable Auto
4 100/1000T | Yes Auto Disable Auto
5 100/1000T | No Auto Disable Auto
6 100/1000T | No Auto Disable Auto
01-08-2010 08:59 PM
Hi Rick,
I mean,are you using
A/A - Active /Active failover
A/S - Active / Standby failover
As I understand, the eth0 interfaces (of both ASAs) are connected to the external router through the HP switch. And the sh run int eth0 interface output shows that you hard-coded the duplex setting on the ASA side; this will cause the auto-negotiation process to fail.
You can either set Auto on both sides or hard-code the setting on both sides. And what about the cable that is going to the external router from your HP switch, is it cross or straight? If it is straight, can you change it to cross and check it out.
Also post show failover command output.
Dileep
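The speed/duplex point made above is easy to get wrong on one side only, so here is an added example (not from the thread or from Cisco/HP) that lints the two configs against each other: it parses ASA "show run interface" blocks and an HP Procurve "Port Settings" table, classifies each ASA interface as auto, fully forced, or partially forced (one of speed/duplex set, the other left at the default), and reports a mismatch against the switch port it is cabled to. The sample input is constructed from the outputs posted in the thread; Ethernet0/2's settings and the switch rows for ports 7 and 8 are hypothetical, added for contrast, and the assumption that an absent speed/duplex line means auto is the ASA default.

```python
import re

# Constructed sample: Ethernet0/0 as posted in the thread (duplex forced, speed
# left at the default). Ethernet0/2 is a hypothetical fully-forced interface.
ASA_SHOW_RUN_INT = """\
!
interface Ethernet0/0
 description External - Internet facing
 duplex full
 nameif external
 security-level 0
 ip address X.X.X.184 255.255.255.192 standby X.X.X.185
!
interface Ethernet0/2
 speed 1000
 duplex full
 nameif DMZ
 security-level 50
 ip address 172.17.184.1 255.255.255.0 standby 172.17.184.3
"""

# Constructed sample in the Procurve "Port Settings" layout. Port 1 is as posted;
# ports 7 and 8 are hypothetical rows (the thread does not show port 7's settings).
HP_PORT_SETTINGS = """\
  Port Type      | Enabled Mode         Flow Ctrl MDI
  ------- --------- + ------- ------------ --------- ----
  1       100/1000T | No      Auto         Disable   Auto
  7       100/1000T | Yes     Auto         Disable   Auto
  8       100/1000T | Yes     1000FDx      Disable   Auto
"""

ASA_IFACE_RE = re.compile(r"^\s*interface (\S+)")
HP_ROW_RE = re.compile(r"^\s*(\d+)\s+\S+\s+\|\s+(Yes|No)\s+(\S+)")


def parse_asa_interfaces(text):
    """Map interface name -> {speed, duplex, nameif}. Missing speed/duplex
    lines are recorded as 'auto', which is the ASA default (assumption)."""
    ifaces, cur = {}, None
    for line in text.splitlines():
        m = ASA_IFACE_RE.match(line)
        if m:
            cur = m.group(1)
            ifaces[cur] = {"speed": "auto", "duplex": "auto", "nameif": None}
            continue
        if cur is None:
            continue
        s = line.strip()
        for key in ("speed", "duplex", "nameif"):
            if s.startswith(key + " "):
                ifaces[cur][key] = s.split(None, 1)[1]
    return ifaces


def parse_hp_port_settings(text):
    """Map port number -> {enabled, mode} from the Procurve table."""
    ports = {}
    for line in text.splitlines():
        m = HP_ROW_RE.match(line)
        if m:
            port, enabled, mode = m.groups()
            ports[int(port)] = {"enabled": enabled == "Yes", "mode": mode}
    return ports


def asa_negotiation(iface):
    """'auto', 'forced' (both set) or 'partial' (only one of speed/duplex set)."""
    forced = [k for k in ("speed", "duplex") if iface[k] != "auto"]
    return {0: "auto", 2: "forced"}.get(len(forced), "partial")


def check_link(asa_iface, hp_port):
    """Return a list of problems for one ASA interface / switch port pair."""
    problems = []
    mode = asa_negotiation(asa_iface)
    hp_auto = hp_port["mode"].lower() == "auto"
    if not hp_port["enabled"]:
        problems.append("switch port is administratively disabled")
    if mode == "partial":
        problems.append("ASA speed=%s duplex=%s: force both or leave both auto"
                        % (asa_iface["speed"], asa_iface["duplex"]))
    if hp_auto and mode != "auto":
        problems.append("switch autonegotiates but ASA forces speed/duplex")
    elif not hp_auto and mode == "auto":
        problems.append("switch forces %s but ASA autonegotiates" % hp_port["mode"])
    elif not hp_auto and mode == "forced":
        expected = asa_iface["speed"] + ("FDx" if asa_iface["duplex"] == "full" else "HDx")
        if hp_port["mode"] != expected:
            problems.append("switch %s != ASA %s" % (hp_port["mode"], expected))
    return problems


if __name__ == "__main__":
    asa = parse_asa_interfaces(ASA_SHOW_RUN_INT)
    hp = parse_hp_port_settings(HP_PORT_SETTINGS)
    for name, port in (("Ethernet0/0", 7), ("Ethernet0/2", 8)):
        print(name, "<-> port", port, check_link(asa[name], hp[port]) or "ok")
```

Run it against the two samples and Ethernet0/0 against port 7 comes back with two findings (partial forcing on the ASA, and auto on the switch facing a non-auto peer), while the hypothetical fully forced pair comes back clean. The check is deliberately symmetric: it does not say which side is right, only that the two sides disagree.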
01-14-2010 10:47 AM
The firewalls are in A/A.
PRDDMZFW-A# show failover
Failover On
Failover unit Secondary
Failover LAN Interface: heartbeat Ethernet0/1 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 250 maximum
Version: Ours 8.0(4), Mate 8.0(4)
Last Failover at: 02:19:51 PST Jan 6 2010
This host: Secondary - Failed
Active time: 0 (sec)
slot 0: ASA5510 hw/sw rev (2.0/8.0(4)) status (Up Sys)
Interface external (69.90.97.185): Failed (Waiting)
Interface DMZ (172.17.184.3): Normal
Interface management (172.17.190.21): Normal
slot 1: empty
Other host: Primary - Active
Active time: 718573 (sec)
slot 0: ASA5510 hw/sw rev (2.0/8.0(4)) status (Up Sys)
Interface external (69.90.97.184): Normal (Waiting)
Interface DMZ (172.17.184.1): Normal
Interface management (172.17.190.20): Normal
slot 1: empty
Stateful Failover Logical Update Statistics
Link : heartbeat Ethernet0/1 (up)
Stateful Obj xmit xerr rcv rerr
General 95652 0 32393180 17
sys cmd 95652 0 95652 0
up time 0 0 0 0
RPC services 0 0 0 0
TCP conn 0 0 31023337 0
UDP conn 0 0 506848 0
ARP tbl 0 0 767343 17
Xlate_Timeout 0 0 0 0
VPN IKE upd 0 0 0 0
VPN IPSEC upd 0 0 0 0
VPN CTCP upd 0 0 0 0
VPN SDI upd 0 0 0 0
VPN DHCP upd 0 0 0 0
SIP Session 0 0 0 0
Logical Update Queue Information
Cur Max Total
Recv Q: 0 7 33110626
Xmit Q: 0 1 95652
PRDDMZFW-A# exit
01-14-2010 11:05 AM
Active/Standby configuration:
I see that the secondary unit is reporting that the external interface failed.
Interface external (69.90.97.185): Failed (Waiting)
Is this interface showing up on the firewall?
sh int external?
What does the HP switch end show? It shows up as well?
On the ASA, if you do "cap capexternal interface external" and then issue "ping 69.90.97.184" and then issue a "sh cap capexternal", do you show any packets leaving the interface or coming back?
Try moving this interface to another port on the switch.
-KS
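To make the "show failover" output above easier to read at a glance (and to watch it from a script rather than by eye), here is an added example, not from the thread or from Cisco: a parser for the unit, monitored-interface and stateful-update sections of that command, plus two checks a NOC would want, any monitored interface that is not Normal or carries stateful receive errors, and any interface that is in the Waiting state on both units (Waiting means the interface is up but has not yet received a hello from the peer's matching interface, so both sides Waiting means the hellos are not crossing the link between them). The sample text is constructed from the output posted above, trimmed to those sections, with the indentation the ASA normally prints restored.

```python
import re

# Constructed sample: the thread's "show failover" output, trimmed to the
# sections this parser reads. Real output is indented; the regexes accept both.
SAMPLE_SHOW_FAILOVER = """\
Failover On
Failover unit Secondary
Failover LAN Interface: heartbeat Ethernet0/1 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 250 maximum
Version: Ours 8.0(4), Mate 8.0(4)
This host: Secondary - Failed
        Active time: 0 (sec)
        slot 0: ASA5510 hw/sw rev (2.0/8.0(4)) status (Up Sys)
          Interface external (69.90.97.185): Failed (Waiting)
          Interface DMZ (172.17.184.3): Normal
          Interface management (172.17.190.21): Normal
        slot 1: empty
Other host: Primary - Active
        Active time: 718573 (sec)
        slot 0: ASA5510 hw/sw rev (2.0/8.0(4)) status (Up Sys)
          Interface external (69.90.97.184): Normal (Waiting)
          Interface DMZ (172.17.184.1): Normal
          Interface management (172.17.190.20): Normal
        slot 1: empty

Stateful Failover Logical Update Statistics
        Link : heartbeat Ethernet0/1 (up)
        Stateful Obj    xmit       xerr       rcv        rerr
        General         95652      0          32393180   17
        sys cmd         95652      0          95652      0
        TCP conn        0          0          31023337   0
        ARP tbl         0          0          767343     17
"""

HOST_RE = re.compile(r"^\s*(This|Other) host:\s*(Primary|Secondary)\s*-\s*(.+?)\s*$")
IFACE_RE = re.compile(r"^\s*Interface (\S+) \(([\d.]+)\):\s*([\w-]+)(?:\s*\(([\w-]+)\))?")
STAT_RE = re.compile(r"^\s*(.+?)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$")


def parse_show_failover(text):
    """Return {'units': {role: {...}}, 'stats': {object: {...}}}."""
    units, stats, current, in_stats = {}, {}, None, False
    for line in text.splitlines():
        if line.strip().startswith("Stateful Failover"):
            in_stats = True
            continue
        m = HOST_RE.match(line)
        if m:
            which, role, state = m.groups()
            current = role
            units[role] = {"which": which, "state": state, "interfaces": {}}
            continue
        m = IFACE_RE.match(line)
        if m and current:
            name, ip, state, qualifier = m.groups()
            units[current]["interfaces"][name] = {"ip": ip, "state": state,
                                                  "qualifier": qualifier}
            continue
        if in_stats:
            m = STAT_RE.match(line)  # only rows with four numeric columns
            if m:
                name, xmit, xerr, rcv, rerr = m.groups()
                stats[name.strip()] = {"xmit": int(xmit), "xerr": int(xerr),
                                       "rcv": int(rcv), "rerr": int(rerr)}
    return {"units": units, "stats": stats}


def waiting_on_both_units(parsed):
    """Interfaces still Waiting for a peer hello on both units: the hellos are
    not getting across the segment between the two units' interfaces."""
    units = list(parsed["units"].values())
    if len(units) < 2:
        return []
    common = set(units[0]["interfaces"]) & set(units[1]["interfaces"])
    return sorted(n for n in common
                  if all(u["interfaces"][n]["qualifier"] == "Waiting" for u in units))


def failover_findings(parsed):
    """List of (severity, message) worth a ticket."""
    findings = []
    for role, unit in parsed["units"].items():
        for name, itf in unit["interfaces"].items():
            if itf["state"] != "Normal":
                findings.append(("high", "%s: interface %s (%s) is %s"
                                 % (role, name, itf["ip"], itf["state"])))
            if itf["qualifier"] == "Waiting":
                findings.append(("medium", "%s: interface %s has no hello from the peer yet"
                                 % (role, name)))
    for obj, s in parsed["stats"].items():
        if s["xerr"] or s["rerr"]:
            findings.append(("low", "stateful update errors for %s: xerr=%d rerr=%d"
                             % (obj, s["xerr"], s["rerr"])))
    return findings


if __name__ == "__main__":
    parsed = parse_show_failover(SAMPLE_SHOW_FAILOVER)
    print("waiting on both units:", waiting_on_both_units(parsed))
    for sev, msg in failover_findings(parsed):
        print(sev, msg)
```

On the sample, the "both units Waiting" check returns only the external interface, which is the same conclusion the capture test suggested above would confirm: the standby's hellos are leaving the ASA (3 packets output on its interface counters) and arriving at the switch port (11 unicast Rx, 11 drops), but nothing comes back. Feed the script real output with "show failover" run on either unit; the parser does not care which unit is "This host".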