I have a customer with a failover pair of ASAs 8.0, each with an AIP-SSM. The AIP in the secondary ASA is not accessible via its IP address, so it cannot be accessed using IDM or ASDM, or ssh. It can be accessed by sessioning into the module, and it cannot ping anything outside of it. The access-list for the relevant interface on the ASA is "any any".
The secondary ASA itself is accessible with ssh and ASDM.
Nearby devices don't get an arp response for the AIP IP address. The access-list in the AIP permits the IP address we are coming from.
I would check to see what vlan the SSM management port is connected to on the switch side. If a local device in the same subnet as the SSM is not seeing the arp then it could be a vlan issue. Perhaps the SSM is not in the correct vlan. Try to trace the SSM management port and see which switch it is connected to. From the switch, see what vlan the management port is connected to. From the switch, see if the SSM's mac address is learned on the switch port. You can get the SSM's mac from the ASA by doing "show module 1 detail". You can also connect a pc in the same switch and same vlan as the SSM and see if the pc can ping and arp for the SSM. You can also use the switch SVI to do this ping and arp test. You can also connect a pc directly to the SSM management port via a crossover cable. This will rule out whether there could be an issue with the management port of the SSM.
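One way to turn the switch-side checks in the answer above into a repeatable test, as an added example that is not from the thread: it parses pasted output of the ASA "show module 1 detail" and the switch "show mac address-table" commands and reports whether the SSM's MAC was learned at all and whether it landed in the expected VLAN. The sample outputs are constructed, and the exact layout of those two outputs is an assumption.

```python
import re

# Constructed sample outputs (not from the thread). The layouts follow the
# usual shape of ASA "show module 1 detail" and IOS "show mac address-table",
# which is an assumption; the MACs, IP and ports are invented.
SHOW_MODULE = """\
Model:              ASA-SSM-20
MAC Address Range:  001b.aaaa.bbb0 to 001b.aaaa.bbb0
App. name:          IPS
Mgmt IP addr:       10.1.1.20
"""
MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  20    001b.aaaa.bbb0    DYNAMIC     Gi1/0/5
  10    0011.2233.4455    DYNAMIC     Gi1/0/7
"""
MAC_RE = re.compile(r"([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})", re.I)

def ssm_mac(show_module):
    """MAC the SSM management port should be learned with on the switch."""
    for line in show_module.splitlines():
        if line.startswith("MAC Address Range:"):
            m = MAC_RE.search(line)
            return m.group(1).lower() if m else None
    return None

def switch_entry(mac_table, mac):
    """(vlan, port) where the switch learned mac, or None if not learned."""
    for line in mac_table.splitlines():
        f = line.split()
        if len(f) >= 4 and f[0].isdigit() and f[1].lower() == mac:
            return int(f[0]), f[3]
    return None

def diagnose(show_module, mac_table, expected_vlan):
    """Classify SSM placement: 'no_mac', 'not_learned', 'wrong_vlan' or 'ok'."""
    mac = ssm_mac(show_module)
    if mac is None:
        return {"status": "no_mac"}
    hit = switch_entry(mac_table, mac)
    if hit is None:
        # Nothing learned: suspect the cable, the port, or a down module.
        return {"status": "not_learned", "mac": mac}
    vlan, port = hit
    status = "ok" if vlan == expected_vlan else "wrong_vlan"
    return {"status": status, "mac": mac, "vlan": vlan, "port": port}

if __name__ == "__main__":
    print(diagnose(SHOW_MODULE, MAC_TABLE, expected_vlan=10))
```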
You know how when you get a project handed over to you and it is nearly finished and just few last things to do? So you make the assumption that all the obvious things are right so any problem found must be complex?
Don't do that. Check the cable is actually plugged into the management port.