HSRP through a transparent firewall (ASA 5500)

hobbe
Level 7

Hi

I have a problem where I have put an ASA5500 into transparent mode and only have one access rule, permit ip any any.

On either side of this firewall I have 2 L3 switches that use HSRP.

So basically the setup is like this:

L3dev1 - ASA - switch - L3dev2

L3dev1 and L3dev2 are both running HSRP, and when connected only through a switch it works just fine.

But when I add the ASA in the middle they lose sight of each other and start to do coups.

There is no problem with "normal" traffic and they can ping and telnet each other, but HSRP just goes bad.

Is this an ARP problem?

Any ideas, anyone?

Regards

Hobbe

1 Accepted Solution

mlund
Level 7

Hi

It is probably the firewall that does not forward the HSRP packets. HSRP uses 224.0.0.2 as the destination address. Most firewalls don't forward multicast traffic. Try to "ping 224.0.0.2" and see if you get any response. Also check the firewall logs.

/Mikael


3 Replies

Ganesh Hariharan
VIP Alumni

Hi Hobbe,

As you have permitted ip any any on the interfaces, because it is multicast the other router should see it. The problem could be an issue with ARP mismatch, where one device has a different ARP table timer and doesn't respond. Finally, if possible, try configuring a specific rule for destination IP multicast address 224.0.0.2 on (UDP) port 1985.

Hope to help !!

Ganesh.H

hobbe
Level 7

OK all, here is the deal and the solution to the problem.

The outside interface was set to permit ip any any,

and the inside interface was set to the standard "permit ip any any to less secure network" implicit rule.

When I set up logging I could see that the firewall dropped the inside 224.0.0.2 packets but it let through the 224.0.0.2 packets from the outside.

So I changed the inside to a permit ip any any and the firewall started to let the 224.0.0.2 packets through instead of blocking them.

Lesson learned: never use the standard access-list! Even though it looks like it should work.

I will set the answer to mlund since he was closest.

Thank you both for your help.
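The fix hobbe describes and the checks mlund suggested, written out as an added example against the ASA CLI. This is not the configuration from the original post: the interface names (inside/outside), the ACL names, and the 8.x-era syntax are assumptions, and it assumes the transparent-mode interfaces are already configured. HSRP version 1 sends its hello, coup and resign messages as UDP port 1985 to 224.0.0.2 (RFC 2281); the HSRPv2 line goes beyond the thread, which only discusses v1.

```cisco
! Added example, not the poster's config. Interface and ACL names are assumed.
! The ASA is already in transparent mode with nameifs "inside" and "outside".
!
! Give BOTH interfaces an explicit inbound ACL. The thread shows the implicit
! "higher to lower security" rule on inside dropping the 224.0.0.2 hellos while
! the explicit "permit ip any any" on outside passed them, so do not rely on it.
!
! A dedicated line for HSRP first: "permit ip any any" below already covers it,
! but a separate entry gives its own hit counter in "show access-list".
access-list outside_in extended permit udp any host 224.0.0.2 eq 1985
! Uncomment if the switches run HSRP version 2 (224.0.0.102, same port):
! access-list outside_in extended permit udp any host 224.0.0.102 eq 1985
access-list outside_in extended permit ip any any
!
access-list inside_in extended permit udp any host 224.0.0.2 eq 1985
! access-list inside_in extended permit udp any host 224.0.0.102 eq 1985
access-list inside_in extended permit ip any any
!
access-group outside_in in interface outside
access-group inside_in in interface inside
!
! Log denies so a blocked hello is visible instead of failing silently.
logging enable
logging buffered informational
!
! Verification from exec mode:
!   show access-list inside_in
!     -> hitcnt on the 224.0.0.2 line climbs roughly once per hello interval
!   show logging | include 224.0.0.2
!     -> no ACL deny messages (%ASA-4-106023) for 224.0.0.2 after the change
!   ping 224.0.0.2 from L3dev1
!     -> replies from the peer routers that sit behind the ASA (mlund's test)
```

The hit counter is the useful part: if the peers keep flapping between Active and Standby ("coups") while the 224.0.0.2 line on one interface stays at zero hits, that interface is still dropping the hellos and the ACL binding on it is wrong. Also keep in mind that HSRPv1 carries a cleartext 8-byte authentication string, so a transparent ASA is only a forwarding question here; it does nothing to stop a host on the same segment from injecting a higher-priority hello, which is a separate hardening task (HSRP MD5 authentication or restricting the segment).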