I've got CAS appliances I just upgraded to 4.6.1; issue was also present in 4.3.1. The CAS are configured in a L2 OOB configuration, with a management vlan. The management gateway is made up of 3 routers running hsrp.
The primary, non-service IP is always available via the network, when the device A is active. The secondary, device B, is sometimes not reachable from the gateway. If I attempt to ping the gateway from the secondary, I get ping timeouts; if I run an arp -a, the arp table shows the gateway is reachable via:
at 00:01:02:03:04:05 [ether] PERM on fake0
A show arp on the active hsrp router shows the correct mac for the secondary, but the secondary is not reachable, until I perform an extended ping on the active hsrp router, to the secondary, sourced as the hsrp standby ip address, the gateway.
Any ideas what's causing this, and how to resolve, so the secondary can always reach the gateway?
This might be best tackled in a TAC case. What I can tell you though is that on the CAS the arp is not in the same place you'd expect. arp -a doesn't list the arp entries, but they're kept in separate tables for the internal and external interfaces.
Check out the /proc/click/intern_arpq/table for the untrusted side arp table and /proc/click/extern_arpq/table for the trusted interface's arp table.