Re: Standby ASA - only one ping reply

d-fillmore · ‎11-02-2010

Hi - My customer has a pair of ASAs in an active/standby pair.

If we ping an address on the standby device from a device on the same subnet, we get a response to the first ping and then the rest time out.

I we watch the live event log, we see the four other pings get dropped, despite the fact that we've enabled icmp to that interface.

After that we cannot ping it, unless we reset the pc interface and then we get the same again.

Show failover looks fine.

Has anyone come across this kind of behaviour before? It's not service affecting but my customer is worried about the health of the failover process

Any advice greatly appreciated

Cheers, Dom

Federico Coto Fajardo · ‎11-02-2010

Hi,

How do you have both ASAs connected?

Do you have both ASAs connected directly with a network cable or connected to the same switch for the failover link?

Also, the interfaces on both ASAs share the same VLAN on the same switch or different switches?

Federico.

Panos Kampanakis · ‎11-02-2010

Why are pings dropped? What is the log drop reason?

PK

d-fillmore · ‎11-03-2010

Hi Guys - Thanks for your responses.

The failover interfaces of the firewalls are connected by a cross over cable and the host and both vlan interfaces in question are plugged into the same L2 switch - the toplogy is about as simple as it could be

Cheers, Dom

Federico Coto Fajardo · ‎11-03-2010

Hi,

You're saying that the four ethernet connections from the ASAs are plugged into the same L2 switch?

By four connections i mean (both outside and both inside interfaces of both ASAs)?

If this is so... are both outsides and both insides separate in a different VLAN on the switch?

Could you also check the switch itself that there are no STP loops and the ports are up and operational fine?

Federico.