HSRP through a transparent firewall (ASA 5500)

Answered Question
May 3rd, 2010

Hi

I have a problem where I have put an ASA5500 into transparent mode and only have one access rule, permit ip any any.

On either side of this firewall I have 2 L3 switches that use HSRP.

So basically the setup is like this:

L3dev1 - ASA - switch - L3dev2


L3dev1 and 2 are both running HSRP, and when connected only through a switch it works just fine.

But when I add the ASA in the middle they lose sight of each other and start to do coups.

There is no problem with "normal" traffic and they can ping and telnet each other, but HSRP just goes bad.


Is this an ARP problem?

Any ideas, anyone?


Regards


Hobbe

Correct Answer by mlund about 6 years 11 months ago

Hi


It is probably the firewall that does not forward the HSRP packets. HSRP uses 224.0.0.2 as the destination address. Most firewalls don't forward multicast traffic. Try to "ping 224.0.0.2" and see if you get any response. Also check the firewall logs.


/Mikael


Ganesh Hariharan Tue, 05/04/2010 - 01:04

Hi Hobbe,


As you have permitted ip any any on the interfaces, because it is multicast, the other router should see it. The problem could be an issue with an ARP mismatch, where one device has a different ARP table timer and doesn't respond. Finally, if possible, try configuring a specific rule for destination IP multicast address 224.0.0.2 on (UDP) port 1985.


Hope this helps!!


Ganesh.H

hobbe Tue, 05/04/2010 - 02:14

OK all, here is the deal and the solution to the problem.


The outside interface was set to permit ip any any,

and the inside interface was set to the standard "permit ip any any less secure network" implicit rule.

When I set up logging I could see that the firewall dropped the inside 224.0.0.2 packets, but it let through the 224.0.0.2 packets from the outside.

So I changed the inside to a permit ip any any and the firewall started to let the 224.0.0.2 packets through instead of blocking them.


Lesson learned: never use the standard access-list! Even though it looks like it should work.


I will set the answer to mlund since he was closest.


Thank you both for your help.
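The two useful steps in this thread are mlund's "check the firewall logs" and hobbe's finding that only the inside-sourced 224.0.0.2 packets were being denied. The script below is an added example (not code from the thread or from Cisco) that automates that check: it parses ASA %ASA-4-106023 "Deny ... by access-group" syslog lines, counts the HSRP hellos (UDP/1985 to the HSRP group address) dropped per ingress interface and access-group, and prints the explicit extended ACL entry that would permit them. The log lines, addresses and access-group names are constructed for illustration; the 224.0.0.102 group address for HSRP version 2 is added beyond what the thread mentions.

```python
"""Spot HSRP hellos dropped by an ASA access-group and suggest an explicit permit.

Added example, not code from the thread. Assumes logs are in the standard
%ASA-4-106023 "Deny ... by access-group" format; the sample lines, addresses
and access-group names below are constructed for illustration.
"""
import re
from collections import Counter

# HSRP hellos are UDP/1985. Version 1 uses 224.0.0.2 (the address named in the
# thread); version 2 uses 224.0.0.102 (added here for completeness).
HSRP_PORT = 1985
HSRP_GROUPS = {"224.0.0.2", "224.0.0.102"}

# Fields of a 106023 deny message that we need: protocol, ingress interface,
# source and destination address/port, and the access-group that matched.
DENY_RE = re.compile(
    r"%ASA-4-106023: Deny (?P<proto>\w+) "
    r"src (?P<src_if>[\w-]+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+) "
    r"dst (?P<dst_if>[\w-]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) "
    r'by access-group "(?P<acl>[^"]+)"'
)

# Constructed sample syslog lines resembling the poster's situation: hellos
# entering on inside are denied by the inside access-group, while hellos from
# outside are permitted and therefore log no deny message at all.
SAMPLE_LOGS = [
    '%ASA-4-106023: Deny udp src inside:10.1.1.2/1985 dst outside:224.0.0.2/1985 by access-group "inside_access_in" [0x0, 0x0]',
    '%ASA-4-106023: Deny udp src inside:10.1.1.2/1985 dst outside:224.0.0.2/1985 by access-group "inside_access_in" [0x0, 0x0]',
    '%ASA-4-106023: Deny tcp src inside:10.1.1.50/51234 dst outside:10.1.2.9/23 by access-group "inside_access_in" [0x0, 0x0]',
    '%ASA-6-302013: Built outbound TCP connection 1 for outside:10.1.2.9/23 (10.1.2.9/23) to inside:10.1.1.50/51235 (10.1.1.50/51235)',
]


def parse_deny(line):
    """Return the fields of a 106023 deny line as a dict, or None for other messages."""
    m = DENY_RE.search(line)
    return m.groupdict() if m else None


def is_hsrp_drop(fields):
    """True when a parsed deny record is an HSRP hello (UDP/1985 to an HSRP group)."""
    return (fields["proto"].lower() == "udp"
            and int(fields["dst_port"]) == HSRP_PORT
            and fields["dst_ip"] in HSRP_GROUPS)


def find_hsrp_drops(lines):
    """Count HSRP drops per (ingress interface, access-group).

    Grouping by ingress interface makes the blocking direction obvious, which
    is exactly what the poster's logging revealed (inside denied, outside not).
    """
    counts = Counter()
    for line in lines:
        fields = parse_deny(line)
        if fields and is_hsrp_drop(fields):
            counts[(fields["src_if"], fields["acl"])] += 1
    return counts


def suggested_acl(acl_name, group="224.0.0.2"):
    """Explicit ASA extended ACL entry permitting HSRP hellos toward one group.

    The access-list name is assumed to already be applied to the interface
    with access-group; only the entry itself is generated here.
    """
    return f"access-list {acl_name} extended permit udp any host {group} eq {HSRP_PORT}"


if __name__ == "__main__":
    for (iface, acl), n in find_hsrp_drops(SAMPLE_LOGS).items():
        print(f"{n} HSRP hello(s) entering on {iface} dropped by access-group {acl}")
        print("  candidate fix:", suggested_acl(acl))
```

Run against a real syslog export, the per-interface counter tells you immediately whether both directions are being filtered or, as in this thread, only the side still relying on the implicit rule. Note that a 302013 "Built connection" line for permitted traffic is ignored by design, so the absence of a deny entry for one interface is the signal that its ACL already allows the hellos.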
