05-03-2010 03:35 AM - edited 03-06-2019 10:54 AM
Hi
I have a problem where I have put an ASA5500 into transparent mode and only have one access rule, permit ip any any.
On either side of this firewall I have 2 L3 switches that use HSRP.
So basically the setup is like this:
L3dev1 - ASA - switch - L3dev2
L3dev1 and 2 are both running HSRP, and when connected only through a switch it works just fine.
But when I add the ASA in the middle they lose sight of each other and start to do coups.
There is no problem with "normal" traffic and they can ping and telnet each other, but HSRP just goes bad.
Is this an ARP problem?
Any ideas, anyone?
Regards
Hobbe
05-04-2010 12:37 AM
Hi
It is probably the firewall that does not forward the HSRP packets. HSRP uses 224.0.0.2 as the destination address. Most firewalls don't forward multicast traffic. Try to "ping 224.0.0.2" and see if you get any response. Also check the firewall logs.
/Mikael
05-04-2010 01:04 AM
Hi Hobbe,
As you have permitted ip any any on the interfaces, and because it is multicast, the other router should see it. The problem could be an issue with an ARP mismatch, where one device has a different ARP table timer and doesn't respond. Finally, if possible, try configuring a specific rule for the destination multicast IP address 224.0.0.2 on UDP port 1985.
Hope this helps!
Ganesh.H
05-04-2010 02:14 AM
OK all, here is the deal and the solution to the problem.
The outside interface was set to permit ip any any,
and the inside interface was set to the standard "permit ip any any to less secure network" implicit rule.
When I set up logging I could see that the firewall dropped the inside 224.0.0.2 packets, but it let through the 224.0.0.2 packets from the outside.
So I changed the inside to a permit ip any any and the firewall started to let the 224.0.0.2 packets through instead of blocking them.
Lesson learned: never use the standard access list! Even though it looks like it should work.
I will mark mlind's answer as the solution since he was closest.
Thank you both for your help.
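The check that settled this thread was reading the ASA's own deny logs for drops of traffic to 224.0.0.2 and noting which interface they came in on. The script below is an added example, not code from the thread or from Cisco: it runs the same check over a few constructed %ASA-4-106023 deny lines (the message the ASA emits when an access-group denies a packet; interface names, addresses and ACL names in the sample are made up), counts HSRP hello drops per ingress interface, and prints the narrow ACL Ganesh suggested for that interface rather than a blanket permit ip any any. It goes slightly beyond the thread by also recognising the HSRPv2 group 224.0.0.102.

```python
import re
from collections import Counter

# HSRP hellos are UDP/1985 to a well-known multicast group.
HSRP_GROUPS = {
    "224.0.0.2": "HSRPv1",    # the group discussed in the thread
    "224.0.0.102": "HSRPv2",  # added here for completeness
}
HSRP_PORT = 1985

# %ASA-4-106023 is the ASA "Deny ... by access-group" syslog message.
DENY_RE = re.compile(
    r"%ASA-\d-106023: Deny (?P<proto>\w+) "
    r"src (?P<src_if>[\w-]+):(?P<src_ip>[\d.]+)(?:/(?P<src_port>\d+))? "
    r"dst (?P<dst_if>[\w-]+):(?P<dst_ip>[\d.]+)(?:/(?P<dst_port>\d+))? "
    r'by access-group "(?P<acl>[^"]+)"'
)

# Constructed sample log: two HSRP hellos dropped inbound on "inside", one
# unrelated connection build, one unrelated TCP deny on "outside".
SAMPLE_LOG = """\
%ASA-4-106023: Deny udp src inside:192.0.2.2/1985 dst outside:224.0.0.2/1985 by access-group "inside_access_in" [0x0, 0x0]
%ASA-4-106023: Deny udp src inside:192.0.2.2/1985 dst outside:224.0.0.2/1985 by access-group "inside_access_in" [0x0, 0x0]
%ASA-6-302015: Built outbound UDP connection 12 for outside:198.51.100.5/53 (198.51.100.5/53) to inside:192.0.2.10/40000 (192.0.2.10/40000)
%ASA-4-106023: Deny tcp src outside:198.51.100.7/4444 dst inside:192.0.2.10/23 by access-group "outside_access_in" [0x0, 0x0]
"""


def parse_denies(log_text):
    """Yield one dict per 106023 deny line; every other message is ignored."""
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if m:
            yield m.groupdict()


def hsrp_denies(log_text):
    """Count dropped HSRP hellos keyed by (ingress interface, ACL name)."""
    counts = Counter()
    for d in parse_denies(log_text):
        if (d["proto"] == "udp"
                and d["dst_ip"] in HSRP_GROUPS
                and d["dst_port"] == str(HSRP_PORT)):
            counts[(d["src_if"], d["acl"])] += 1
    return counts


def suggest_acl(interface, acl_name):
    """ASA lines that admit only HSRP hellos inbound on `interface`.

    The ACL name is whatever the log reported; the lines use standard ASA
    extended-ACL syntax and permit just UDP/1985 to the HSRP groups instead
    of a blanket permit ip any any.
    """
    lines = [
        f"access-list {acl_name} extended permit udp any host {group} eq {HSRP_PORT}"
        for group in sorted(HSRP_GROUPS)
    ]
    lines.append(f"access-group {acl_name} in interface {interface}")
    return lines


if __name__ == "__main__":
    for (iface, acl), n in hsrp_denies(SAMPLE_LOG).items():
        print(f"{n} HSRP hello(s) dropped inbound on '{iface}' by ACL '{acl}'")
        for line in suggest_acl(iface, acl):
            print("   ", line)
```

Feed it real ASA syslog (for example `show logging` output or a syslog collector export) in place of SAMPLE_LOG; if HSRP drops show up on only one interface, as in the thread, that is the interface whose implicit rule is blocking the hellos.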