I am hoping some genius here will be able to shed some light on my problem.
I have a 3350 switch acting as my outside segment. Extrenal vendor routers etc connect to this. They target a privte ip 192.168.68.x my pix then has static's that do PAT. The pix I have works fine but if I connect my failover pix up inbound static's will not build.
What I have also tried is writing an identical configuration for an ASA 5520. When I do noting but outbound connections build. The default gateway is the outside interface eveyting looks fine. This all worked great when connected to a 3COM hub. The pix failover functionality worked great. I put the switch in evrything is configured fine with a single VLAN for simplicity, again the default gateway for management is the Pix outside interface address. I can reachj this fine!!
I have attached the PIX back up relaoded it and the connections all build fine.
I am at a total loss here to figure this one out. I am praying someone can offer a suggestion!
And you are saying when the failover PIX is connected, that inbound connections no longer work to the server?
If so, what do the syslogs show on the PIX? Are you seeing the inbound connection created? Or are the packets not even reaching the PIX? Also, I assume that failover is configured properly and operational (show failover output shows all interfaces Normal, and one unit Active, while the other unit is Standby)?
Are you doing LAN or Serial based failover?
I would first check L2 issues. ARP table on upstream router matches Active PIX's MAC address. The failover unit (in a Standby state) should have zero impact on the network. Traffic should not be routed to it, and it should not be responding to any ARP requests for addresses other than the Standby IP.
Please see the attached diagram. I have checked the ARP table on the switch and it matches the MAC of the active PIX.
There is only one VLAN on the switch, so everything is very simple. What I have tried is to break the failover pair and just run with one PIX. The secondary is the one that works fine. When you reboot all the xlates are created.
I then bring the PIX down and connect up an ASA with an identical configuration. This still only builds out bound connections. As I say I am at a complete loss. laye 1 is fine I have checked the cabling and interface counters. Layer 2 seems to be grand when I check the ARP table.
Are you saying that both the inside and outside interfaces of the PIXes are connected to the same switch on the same VLAN? Or, does the switch only connect the outside interfaces of the PIX.
Also, I thought the issue was only when you added the failover PIX to the set. But you also mention you are swapping out the PIXes for the ASA. So, are these two seperate issues? And what type of ASA? 5505 or one of the other ones?
Assuming that when you replace the PIXes with the ASA (and the interfaces of the ASA are connected to different switches or vlans), then all you need to do is clear the ARP entry on the upstream router after swapping in the ASA.
If you have both interfaces of the ASA connected to the same vlan, then that complicates things. It should work unless you use a 5505.
To clarify the diagram I sent. A switch 3550 is connected to the outside interface of the PIX. The Inside interface is connected into a 6509. The switch on the outside has our vendor routers sitting on it.
They all target the outside interface address of 192.168.68.20. If I do a clear arp on the switch I do see the correct address for the default gateway.
I only swap in the ASA to see if it is a hardware related issue. So you think that the arp cache on the vendor routers is causing the problem?
Its the only thing that I can think of because everything looks fine otherwise.
>I only swap in the ASA to see if it is a hardware related issue. So you think that the
>arp cache on the vendor routers is causing the problem?
Yes, when swapping the ASA for PIX, it is most likely an ARP issue with the upstream router.
I'm still a little perplexed about the issue when you add the failover PIX. However, if you are using Serial failover, AND you said you were running on the Secondary (as Active), then IF (and only if) you booted the Secondary when the Primary was not connected, then the Secondary would be using the burned-in MAC address of it's own interfaces. As soon as the Primary is plugged in, the MACs will change (because the failover set always uses the burned-in MAC of the Primary unit for the Active IP). So if all the above conditions are true, then this is how you could also be running into the issue when you add the other PIX to the failover set.
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
Table of Contents Introduction:This document describes details on how
NAT-T works. Background: ESP encrypts all critical information,
encapsulating the entire inner TCP/UDP datagram within an ESP header.
ESP is an IP protocol in the same sense that TCP an...