TAC Stumped/ :-(

Brett Walters
Level 1

ASA5510 with IPS module and 3750G stacked switches.  Everything was working normally... so we introduced two new Barracuda devices inline (Web Filter and IM Filter) on the same subnet at the 3750 Core switch and the ASA Inside interface.  Here's where it gets fun. Switch can ping the ASA, and pass traffic to the Internet just fine, through the two Barracuda devices.  The two Barracuda devices can ping each other, but cannot ping the ASA or the switch.  Neither the switch nor the ASA can ping either Barracuda device.

Switch - 10.1.200.1/28

ASA inside - 10.1.200.2/28

CudaA - 10.1.200.10/28

CudaB - 10.1.200.11/28

Have tried defaulting the gateway for the Cudas to either switch or ASA without success.  Both Cudas work on two separate networks in this same design and inline placement (one behind a PIX and before a switch and the other behind an ASA5505 and before a switch).  Have tried intra-interface traffic allowing and not, and have talked to both the LAN switching team and ASA team at TAC... neither of which seems to find anything.

Suggestions?

6 Replies

Nagaraja Thanthry
Cisco Employee

Hello,

Can you configure capture on the ASA's inside interface and post the output here?

access-list capture permit ip any host 10.1.200.10
access-list capture permit ip any host 10.1.200.11
access-list capture permit ip host 10.1.200.10 any
access-list capture permit ip host 10.1.200.11 any
capture capin access-list capture interface inside

Once you configure the above, try to ping the Barracuda from the firewall. Once it fails, please collect the following outputs:

show capture capin
show arp | i inside

Please post those outputs here.

Regards,

NT

We've been reviewing these with Cisco.  There are no packets captured when we ping the Barracuda device(s).

We get packets when pinging the switch on this same ACL. The show arp just shows the switch info (ip/mac).

1: 09:38:21.463660 802.1Q vlan#200 P0 192.168.1.15 > 192.168.2.44: icmp: echo request
2: 09:38:21.463934 802.1Q vlan#200 P0 192.168.2.44 > 192.168.1.15: icmp: echo reply
3: 09:38:23.713631 802.1Q vlan#200 P0 192.168.1.15 > 192.168.2.44: icmp: echo request
4: 09:38:23.713921 802.1Q vlan#200 P0 192.168.2.44 > 192.168.1.15: icmp: echo reply

and

inside 10.1.200.1 0022.bed0.8849 30

Hello,

OK, I guess the problem could be that the Barracuda does not respond to ARP requests (or the response is not in standard format). Let us try the following:

If you know the MAC address of the Barracuda device, add a static entry on the ASA for the Barracuda:

arp inside

Now, try to ping again and see if the capture sees any traffic towards Barracuda. If possible, you can configure a static entry on the Barracuda for the ASA IP/MAC and see if the packet returns as well.

Regards,

NT
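The diagnostic procedure NT describes above (capture ACL on the inside interface, ping, then compare `show capture capin` with `show arp`) can be reduced to a small triage script. This is an added example, not code from the thread or from Cisco; the capture and ARP lines it parses are constructed in the format of the output posted above, using the thread's addresses, and the rule set (no ARP entry plus no frames on the wire means ARP is not resolving) is the reasoning NT applies, written out as code.

```python
import re

# Constructed sample output in the format of the "show capture capin" and
# "show arp | i inside" lines posted in this thread (not a real capture).
# Here the ASA inside address pings the switch; nothing is seen for the Barracudas.
CAPTURE = """\
1: 09:38:21.463660 802.1Q vlan#200 P0 10.1.200.2 > 10.1.200.1: icmp: echo request
2: 09:38:21.463934 802.1Q vlan#200 P0 10.1.200.1 > 10.1.200.2: icmp: echo reply
"""
ARP = """\
inside 10.1.200.1 0022.bed0.8849 30
"""

CAP_RE = re.compile(r"(\S+) > (\S+): icmp: echo (request|reply)")
ARP_RE = re.compile(
    r"^\s*(\S+)\s+(\d+\.\d+\.\d+\.\d+)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})", re.M
)


def parse_capture(text):
    """Map each remote host to the set of ICMP echo kinds seen for it."""
    seen = {}
    for src, dst, kind in CAP_RE.findall(text):
        remote = dst if kind == "request" else src  # peer of the pinging ASA
        seen.setdefault(remote, set()).add(kind)
    return seen


def parse_arp(text, interface="inside"):
    """Return {ip: mac} for entries learned on the given ASA interface."""
    return {ip: mac for iface, ip, mac in ARP_RE.findall(text) if iface == interface}


def diagnose(target, capture_text, arp_text):
    """Classify why a ping from the ASA to `target` did or did not work."""
    kinds = parse_capture(capture_text).get(target, set())
    has_arp = target in parse_arp(arp_text)
    if not has_arp and not kinds:
        return "no ARP entry and no frames on the wire: ARP resolution is failing"
    if "reply" in kinds:
        return "echo reply received: L2 and L3 path to host is fine"
    if "request" in kinds:
        return "echo request sent but no reply: host reached at L2, not answering ICMP"
    return "ARP entry exists but no ICMP captured: check the capture ACL"


if __name__ == "__main__":
    for host in ("10.1.200.1", "10.1.200.10", "10.1.200.11"):
        print(host, "->", diagnose(host, CAPTURE, ARP))
```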

Not sure I can get the Barracuda MAC from the console - I will have to check. I am not onsite anymore - but will be on Monday again.  This has been quite frustrating.  I am going to try and arrange for the switch team and ASA team to talk to me at the same time to discern, so we aren't pointing fingers at each other for the issue.

Jon Marshall
Hall of Fame

Bwalters613 wrote:

ASA5510 with IPS module and 3750G stacked switches.  Everything was working normally... so we introduced two new Barracuda devices inline (Web Filter and IM Filter) on the same subnet at the 3750 Core switch and the ASA Inside interface.  Here's where it gets fun. Switch can ping the ASA, and pass traffic to the Internet just fine, through the two Barracuda devices.  The two Barracuda devices can ping each other, but cannot ping the ASA or the switch.  Neither the switch nor the ASA can ping either Barracuda device.

Switch - 10.1.200.1/28

ASA inside - 10.1.200.2/28

CudaA - 10.1.200.10/28

CudaB - 10.1.200.11/28

Have tried defaulting the gateway for the Cudas to either switch or ASA without success.  Both Cudas work on two separate networks in this same design and inline placement (one behind a PIX and before a switch and the other behind an ASA5505 and before a switch).  Have tried intra-interface traffic allowing and not, and have talked to both the LAN switching team and ASA team at TAC... neither of which seems to find anything.

Suggestions?

You've probably been asked these sorts of questions already, but -

1) when you try to ping the Barracuda devices from the switch or the ASA, what do the ARP tables show on the switch/ASA?

2) when you try to ping the switch or ASA from the Barracuda, what do the ARP tables show on the Barracudas?

3) have you tried a packet capture on the ASA to see whether, when you ping from the Barracudas, the ICMP request actually gets to the ASA?

By the sound of it the Barracudas are running in transparent mode, i.e. L2 between the switch and ASA, so the default gateway should make no difference.

Jon

See previous, but I agree.  The Barracudas are out of the box, IP configured only, so they are in Audit mode. I can take them out of line, connect them to the switch and give them a server-based IP and get to them just fine.  Just not on the switch/ASA network.
