I have a strange problem that I'm struggling to find an answer to; perhaps someone can shed some light on the situation.
We have a pair of 5525-Xs set up in an active/standby configuration. Our servers use our data center provider's switches (Cisco, HSRP configuration) as default gateway, and some of the routes on the default gateway point back to our internal ASAs for VPNs etc. (all devices so far, servers, ASAs and switches, are on the same subnet).
This works fine initially, but after 5 minutes communication between internal servers and servers on the other end of the VPNs is lost. Ping fails with TTL expired and tracert shows the HSRP devices bouncing between each other. Further debugging shows that the MAC table entry of the ASA on the default gateway has been lost and not renewed. This ties in with the MAC aging time on the device. If I ping the default gateway from the ASA, the address is added back to the table and comms work correctly again for 5 minutes.
The weird thing is that the above setup with the ASA is replacing a Juniper firewall, and the Juniper doesn't experience the same problem. I don't want to add any statics etc., but I'm running out of ideas.
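The symptom described above (the ASA's MAC entry silently aging out of the gateway switch's table until the ASA itself sends a frame) is the kind of thing worth checking from a monitoring script rather than by eye. The following is an added example, not code from the thread or from Cisco: it parses the output of the IOS `show mac address-table` command and reports which expected MAC addresses are missing. The table text and the ASA inside-interface MAC are constructed placeholders, and the column layout assumed is the standard IOS one (Vlan / Mac Address / Type / Ports).

```python
import re
from typing import Dict, List, NamedTuple

# Constructed sample of Cisco IOS "show mac address-table" output (not a real capture).
# Note that no entry for the ASA is present, which is the failure state described in the post.
SAMPLE_MAC_TABLE = """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0000.0c07.ac0a    DYNAMIC     Gi1/0/47
  10    0050.56aa.1234    DYNAMIC     Gi1/0/3
  10    0050.56aa.5678    DYNAMIC     Gi1/0/4
Total Mac Addresses for this criterion: 3
"""

# Hypothetical MAC of the ASA's inside interface (placeholder, not from the thread).
ASA_INSIDE_MAC = "001c.58aa.bb01"


class MacEntry(NamedTuple):
    vlan: int
    mac: str      # normalized to lowercase dotted form, e.g. 001c.58aa.bb01
    kind: str     # DYNAMIC / STATIC
    port: str


# One data row: VLAN, dotted MAC, type, port. Header and footer lines do not match.
MAC_ROW_RE = re.compile(
    r"^\s*(\d+)\s+([0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})\s+(\S+)\s+(\S+)\s*$"
)


def normalize_mac(mac: str) -> str:
    """Accept colon-, hyphen-, dot-separated or bare MACs; return IOS dotted lowercase form."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ".".join(hexdigits[i:i + 4] for i in (0, 4, 8))


def parse_mac_table(text: str) -> Dict[str, MacEntry]:
    """Parse IOS 'show mac address-table' output into a dict keyed by normalized MAC."""
    entries: Dict[str, MacEntry] = {}
    for line in text.splitlines():
        m = MAC_ROW_RE.match(line)
        if not m:
            continue  # banner, column headers, separator or summary line
        vlan, mac, kind, port = m.groups()
        mac = normalize_mac(mac)
        entries[mac] = MacEntry(int(vlan), mac, kind.upper(), port)
    return entries


def missing_macs(text: str, expected: List[str]) -> List[str]:
    """Return the expected MACs (normalized) that have no entry in the switch table.

    An expected MAC that is absent means the switch will flood or, if the switch
    also holds a stale ARP entry, hand the frame to the wrong port; either way a
    gateway-to-ASA route will misbehave until the ASA transmits again.
    """
    present = parse_mac_table(text)
    return [normalize_mac(m) for m in expected if normalize_mac(m) not in present]


if __name__ == "__main__":
    table = parse_mac_table(SAMPLE_MAC_TABLE)
    for entry in table.values():
        print(f"vlan {entry.vlan:<4} {entry.mac}  {entry.kind:<8} {entry.port}")
    gone = missing_macs(SAMPLE_MAC_TABLE, [ASA_INSIDE_MAC, "00:50:56:aa:12:34"])
    print("missing from MAC table:", gone or "none")
```

Run it periodically against the output of `show mac address-table` collected from the gateway switch (for instance at half the configured MAC aging time): if the ASA's MAC keeps disappearing between polls while the ASA is up, the problem is the one described in the post rather than a VPN or routing fault.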
Also, I am wondering why all the devices are in the same subnet? Wouldn't it be simpler to have the hosts on their own network with HSRP running for redundancy of their network, and then have a separate VLAN between the routers and the ASAs?
Can't say I have run into this exact problem myself. Usually the ASAs have had problems towards the clients/servers behind them rather than the other way around. One problem has sometimes been the ARP timeout value of the ASA and the server (for some reason) changing the interface (and therefore MAC address) on which it has a certain IP address (configured for static NAT on the ASA).
Doesn't the traffic from the VPN connection help with this situation, or is it just the traffic from the ASA that restores the connectivity? Or is it perhaps that the networks/hosts behind the VPN connection won't even initiate connections?
Do both of the routers/switches have a route for the remote networks pointing towards the ASA's interface primary IP address?
Have you debugged ARP or done an ARP capture on the ASA to determine if the routers/switches are even trying to use ARP to determine the MAC address of the ASA gateway interface? The ASA should, to my understanding, always answer ARP requests for its interface IP address, whatever you might have configured related to ARP on the ASA.
I had a very similar issue once. Not sure if it's the same as yours, but in the end it turned out to be a bad NAT config on the ASA. I'd created a static NAT for an internal subnet that was doing overload NAT to the outside interface of the ASA. Of course this should have been a dynamic NAT rather than a static.
My symptoms were exactly the same as yours. As soon as I corrected my NAT config, everything worked properly.