Feb 7th, 2010


I have an ASA5510 connected to an external vendor on the outside interface, and to my MPLS network on the inside interface.  It's running in L2 mode, and not blocking anything yet.  My routers, switch, ASA, and vendor switch are all in the same subnet.

For some reason ping tests through the ASA take 15 sec to get a response, and will run fine for around 45 sec or so, then hang for 20 sec and then resume.  This cycle repeats.  Taking the ASA out of the path removes this issue, so I'm certain it's the ASA.

I spoke with a TAC engineer and he said that the ASA inside and outside interfaces had to be in different VLANs.  I don't know why that would matter, as the inside and outside interfaces are on different switches.  If they were on the same switch I could understand this being true.

I do remember reading that the ASA doesn't pass BPDUs, and the 20 sec drop would seem right for a spanning tree block, but I don't see anything getting dropped when I run debug icmp on the ASA.  I'm baffled at this point.

Any suggestions?

Farrukh Haroon Mon, 02/08/2010 - 01:48

I would first try using two different VLANs. Maybe this is required for the internal ASA classifier but that is highly unlikely because access ports don't see the VLAN tags anyway.

Maybe you have L1/L2 issues on the ports connecting the ASA? Did you check for speed/duplex mismatch etc. on the interfaces connecting the ASA (show interface x/y on the switches)?
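The speed/duplex check suggested in this reply is usually done by eyeballing "show interface" on each switch port facing the ASA. The following is an added example, not code from the thread or from Cisco: a small parser that reads IOS-style "show interface" text and flags the counters that point at an L1/L2 problem (half-duplex, late collisions, CRC errors, link or line protocol down). The sample output, port names, descriptions and counter values are all constructed for the example; the line layout follows the usual IOS format but your switch may print additional lines.

```python
import re
from typing import Dict, List

# Constructed sample of IOS "show interface" output for two switch ports
# facing an ASA. Gi0/1 is clean; Gi0/2 shows the classic mismatch signature.
SAMPLE_SHOW_INTERFACE = """\
GigabitEthernet0/1 is up, line protocol is up (connected)
  Hardware is Gigabit Ethernet, address is 0000.0c12.3456 (bia 0000.0c12.3456)
  Description: to ASA inside
  Full-duplex, 1000Mb/s, media type is 10/100/1000BaseTX
  5 minute input rate 12000 bits/sec, 10 packets/sec
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 output errors, 0 collisions, 1 interface resets
     0 late collision, 0 deferred
GigabitEthernet0/2 is up, line protocol is up (connected)
  Hardware is Gigabit Ethernet, address is 0000.0c12.3457 (bia 0000.0c12.3457)
  Description: to ASA outside
  Half-duplex, 100Mb/s, media type is 10/100/1000BaseTX
  5 minute input rate 9000 bits/sec, 8 packets/sec
     318 input errors, 310 CRC, 8 frame, 0 overrun, 0 ignored
     42 output errors, 1293 collisions, 3 interface resets
     57 late collision, 0 deferred
"""

# First line of every interface block: "<name> is <state>, line protocol is <state>"
INTERFACE_HEADER = re.compile(
    r"^(\S+) is (up|down|administratively down), line protocol is (\S+)", re.M
)


def parse_show_interface(text: str) -> List[Dict]:
    """Split 'show interface' text into one record per interface."""
    headers = list(INTERFACE_HEADER.finditer(text))
    records = []
    for i, m in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(text)
        block = text[m.start():end]
        rec = {
            "name": m.group(1),
            "link": m.group(2),
            "protocol": m.group(3),
            "duplex": None,          # "Full", "Half" or "Auto" if the line is present
            "speed_mbps": None,
            "input_errors": 0,
            "crc": 0,
            "output_errors": 0,
            "collisions": 0,
            "late_collisions": 0,
        }
        dm = re.search(r"(Full|Half|Auto)-duplex, (\d+)Mb/s", block)
        if dm:
            rec["duplex"], rec["speed_mbps"] = dm.group(1), int(dm.group(2))
        im = re.search(r"(\d+) input errors, (\d+) CRC", block)
        if im:
            rec["input_errors"], rec["crc"] = int(im.group(1)), int(im.group(2))
        om = re.search(r"(\d+) output errors, (\d+) collisions", block)
        if om:
            rec["output_errors"], rec["collisions"] = int(om.group(1)), int(om.group(2))
        lm = re.search(r"(\d+) late collision", block)
        if lm:
            rec["late_collisions"] = int(lm.group(1))
        records.append(rec)
    return records


def flag_link_issues(rec: Dict) -> List[str]:
    """Return findings that point at L1/L2 trouble on a single port."""
    name = rec["name"]
    findings = []
    if rec["link"] != "up" or rec["protocol"] != "up":
        findings.append(f"{name}: link {rec['link']}, line protocol {rec['protocol']}")
    if rec["duplex"] == "Half":
        findings.append(f"{name}: running half-duplex; compare with the ASA side for a duplex mismatch")
    if rec["late_collisions"] > 0:
        # Late collisions on one side of a link are the usual duplex-mismatch signature.
        findings.append(f"{name}: {rec['late_collisions']} late collisions (duplex mismatch signature)")
    if rec["crc"] > 0:
        findings.append(f"{name}: {rec['crc']} CRC errors; suspect cabling or a speed/duplex mismatch")
    return findings


def report(text: str) -> List[str]:
    """Parse the whole output and collect findings across all interfaces."""
    return [f for rec in parse_show_interface(text) for f in flag_link_issues(rec)]


if __name__ == "__main__":
    for line in report(SAMPLE_SHOW_INTERFACE):
        print(line)
```

Run it against the captured output of "show interface" from each switch facing the ASA; a clean port yields no findings, while the mismatched port in the sample produces one line each for half-duplex, late collisions and CRC errors. Late collisions and CRCs that keep incrementing between two captures are a stronger signal than any absolute count.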
