Hi Jon,

There are a total of 4 switches between this interface port pair.  According to the switch team all switches are correctly communicating the FW interfaces at layer 2.  Note, none of the other HA interface pairs have any problems communicating with one another.  They are all Normal status.  I believe the switch team checked the trunk and did not find any errors.

Thanks,

P

pbrjones1 wrote:
Hi Jon,
There are a total of 4 switches between this interface port pair.  According to the switch team all switches are correctly communicating the FW interfaces at layer 2.  Note, none of the other HA interface pairs have any problems communicating with one another.  They are all Normal status.  I believe the switch team checked the trunk and did not find any errors.
Thanks,
P

Sorry to be asking basic questions - are the subnet masks set the same for the 2 interfaces ?

Jon

Jon,

No problem at all.

The subnets are the same for the pair of interfaces:  /23.

P

Okay, can the standby firewall ping a local device on that vlan that is connected to the switch that the active firewall is on ?

Jon

Hi

Both Primary and Secondary can ping a variety of ip addresses on the same subnet the problem interface belongs too.  If a ping is not allowed the device at least appears in the arp table after the ping attempt.

P

pbrjones1 wrote:
Hi
Both Primary and Secondary can ping a variety of ip addresses on the same subnet the problem interface belongs too.  If a ping is not allowed the device at least appears in the arp table after the ping attempt.
P

I understand that but if the secondary can ping an IP on the switch attached to the active then we know for a fact there is a working L2 path for that vlan across all the switches.

Apologies if you have already confirmed this.

Jon

Reaching out to the applicable teams to test this.

Thanks.

P

Is this in routed or transparent mode? I have not tested it in routed mode.

http://tools.cisco.com/Support/BugToolKit/

you can go to the above link login with your CCO ID and then key in this defect ID

CSCte79575 ASA: TFW sh fail output shows Normal(waiting) when Sec unit is act

-KS

Jon

The secondary was able to ping addresses of devices connected to the switch that is also connected to the
primary firewall.

Kusankar,

There is a SSM-4GE card in play.  The firmware of the FW 8.0(4)32 and I see that the bug references 8.2(2). I see the Normal (Waiting) occuring for just one of the interfaces, and this is occuring only on the Secondary node which is currently in standby mode. I do not know if this status remains when the Secondary node is in active mode.

P

Kusankar,

As an add-on to my prior post.  The one node interface pair involved with this Normal (Waiting) status (showing only the secondary node), cannot ping each other.

I have done captures of the ping tests and can see the pings leaving the applicable interface but the pings never reach the other nodes interface. I have tested this from Secondary to Primary and vice versa.

Thanks,

P

I recreated a scenario with the SSM-4GE card and filed that defect. I tested it with 7.2.4 8.0.4 as well and saw the same issue.

I am sure you are running into the same defect. I have modified the release note to indicate the codes that showed the behavior.

I guess routed mode shows the same issue as well.

I am still waiting on the defect to be resolved. In the meanwhile you can try the work around that I listed in that bug release notes.

-KS

might be a new bug.

also ASA links they need to be part of same broadcast domain, you need to make sure the vlan is trunked between switches and make sure spanning-tree portfast is enable on the ports. Make sure is there no stp loop happening!

Requesting a new switchport be configured for this problem interface.  Will update the results.

Thanks,

P