HSRP through a transparent firewall (ASA 5500)

Hi

I have a problem where I have put an ASA5500 into transparent mode and only have one access rule, permit ip any any.

On either side of this firewall I have 2 L3 switches that use HSRP.

So basically the setup is like this:

L3dev1 - ASA - switch - L3dev2

The L3dev1 and 2 are both running HSRP and when connected only through a switch it works just fine.

But when I add the ASA in the middle they lose sight of each other and start to do coups.

There is no problem with "normal" traffic and they can ping and telnet each other, but HSRP just goes bad.

Is this an ARP problem?

Any ideas, anyone?

Regards

Hobbe

1 ACCEPTED SOLUTION

Accepted Solutions

Re: HSRP through a transparent firewall (ASA 5500)

Hi

It is probably the firewall that does not forward the HSRP packet. HSRP uses 224.0.0.2 as the destination address. Most firewalls don't forward multicast traffic. Try to "ping 224.0.0.2" and see if you get any response. Also check the firewall logs.

/Mikael

3 REPLIES
Re: HSRP through a transparent firewall (ASA 5500)

Hi Hobbe,

As you have permitted ip any any on the interfaces, and because it is multicast, the other router should see it. The problem could be an issue with an ARP mismatch, where one device has a different ARP table timer and doesn't respond. Finally, if possible, try configuring a specific rule for destination IP multicast address 224.0.0.2 on (UDP) port 1985.

Hope this helps!

Ganesh.H


Re: HSRP through a transparent firewall (ASA 5500)

OK all, here is the deal and the solution to the problem.

The outside interface was set to permit ip any any

and the inside interface was set to the standard permit ip any any less secure network implicit rule.

When I set up logging I could see that the firewall dropped the inside 224.0.0.2 packets but it let through the 224.0.0.2 from the outside.

So I changed the inside to a permit ip any any and the firewall started to let the 224.0.0.2 packets through instead of blocking them.

Lesson learned: never use the standard access-list! Even though it looks like it should work.

I will set the answer to mlind since he was closest.

Thank you both for your help.
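
The accepted answer says to check the firewall logs, and the final post found the inside-interface drops that way. As an added example that is not part of the thread, this Python script parses ASA syslog lines (constructed samples in the %ASA-4-106023 and %ASA-6-106100 formats; the exact field layout is an assumption about those messages) and reports, per ingress interface, whether HSRP hellos to 224.0.0.2/UDP 1985 were denied or permitted by the interface ACL.

```python
import re
from collections import Counter

# Constructed sample ASA syslog lines (not from the thread). The two message
# formats assumed here are %ASA-4-106023 (packet denied by an interface ACL)
# and %ASA-6-106100 (ACL hit logged via the "log" keyword); the field layout
# is an assumption, adjust the patterns to your ASA version.
SAMPLE_LOG = """\
%ASA-4-106023: Deny udp src inside:10.1.1.2/1985 dst outside:224.0.0.2/1985 by access-group "inside_access_in" [0x0, 0x0]
%ASA-6-106100: access-list outside_access_in permitted udp outside/10.1.1.3(1985) -> inside/224.0.0.2(1985) hit-cnt 1 first hit [0x1, 0x0]
%ASA-4-106023: Deny udp src inside:10.1.1.2/1985 dst outside:224.0.0.2/1985 by access-group "inside_access_in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src inside:10.1.1.2/40000 dst outside:10.1.1.3/23 by access-group "inside_access_in" [0x0, 0x0]
"""

HSRP_GROUP, HSRP_PORT = "224.0.0.2", "1985"   # HSRP hello destination, as noted in the thread

DENY_106023 = re.compile(
    r'106023: Deny (?P<proto>\w+) src (?P<sif>[\w-]+):[\d.]+/\d+ '
    r'dst [\w-]+:(?P<dip>[\d.]+)/(?P<dport>\d+) by access-group "(?P<acl>[^"]+)"')
HIT_106100 = re.compile(
    r'106100: access-list (?P<acl>\S+) (?P<action>permitted|denied) (?P<proto>\w+) '
    r'(?P<sif>[\w-]+)/[\d.]+\(\d+\) -> [\w-]+/(?P<dip>[\d.]+)\((?P<dport>\d+)\)')

def hsrp_acl_hits(log_text):
    """Count HSRP hellos per (ingress interface, ACL name, verdict) seen in ASA syslog."""
    hits = Counter()
    for line in log_text.splitlines():
        m = DENY_106023.search(line)
        action = "denied"
        if not m:
            m = HIT_106100.search(line)
            if not m:
                continue            # not an ACL verdict message
            action = m["action"]
        if m["proto"].lower() != "udp":
            continue                # only HSRP hellos are of interest
        if (m["dip"], m["dport"]) != (HSRP_GROUP, HSRP_PORT):
            continue
        hits[(m["sif"], m["acl"], action)] += 1
    return hits

def blocking_interfaces(log_text):
    """Interfaces whose ACL drops HSRP hellos: the cause of the coups described in the thread."""
    return sorted({sif for (sif, _acl, act), n in hsrp_acl_hits(log_text).items()
                   if act == "denied" and n})

if __name__ == "__main__":
    for key, n in sorted(hsrp_acl_hits(SAMPLE_LOG).items()):
        print(key, n)
    print("HSRP hellos blocked on:", blocking_interfaces(SAMPLE_LOG))
```

On the constructed sample this reports two denied hellos on inside and one permitted on outside, i.e. the asymmetric ACL situation the final post describes.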
