I have an ASA5510 connected to an external vendor on the outside interface, and to my MPLS network on the inside interface. It's running in L2 (transparent) mode, and not blocking anything yet. My routers, switch, ASA, and the vendor switch are all in the same subnet.
For some reason ping tests through the ASA take 15 sec to get a response, and will run fine for around 45 sec or so, then hang for 20 sec, and then resume. This cycle repeats. Taking the ASA out of the path removes this issue, so I'm certain it's the ASA.
I spoke with a TAC engineer and he said that the ASA inside and outside interfaces had to be in different VLANs. I don't know why that would matter, as the inside and outside interfaces are on different switches. If they were on the same switch I could understand this being true.
I do remember reading that the ASA doesn't pass BPDUs, and the 20 sec drop would seem right for a spanning tree block, but I don't see anything getting dropped when I debug icmp on the ASA. I'm baffled at this point.