I have a Cisco ASA 5506 active/standby pair configured, and whenever I swap the active member to a particular firewall, I am unable to ping certain IP addresses both internally and externally. This particular host machine has numerous IPs on it and I can ping all but 1 of those IPs from either firewall, so it is a single IP from a single host that I cannot ping.
firewall 1: (fails)
asasov# show arp | grep 197.
inside 10.75.197.96 0050.569e.e28c 379 - Ping works
inside 10.75.197.95 0050.569e.e28c 598 - Ping fails
inside 10.75.197.103 0050.569e.e28c 649 - Ping works
firewall 2: (works)
asasov# show arp | grep .197
inside 10.75.197.96 0050.569e.e28c 491 - Ping works
inside 10.75.197.95 0050.569e.e28c 710 - Ping works
inside 10.75.197.103 0050.569e.e28c 758 - Ping works
The IP addresses are configured the same on the host:
inet 10.75.197.95/8 brd 10.255.255.255 scope global secondary ens160
valid_lft forever preferred_lft forever
inet 10.75.197.96/8 brd 10.255.255.255 scope global secondary ens160
valid_lft forever preferred_lft forever
inet 10.75.197.103/8 brd 10.255.255.255 scope global secondary ens160
valid_lft forever preferred_lft forever
There is no additional filtering on the network to this host.
I am not able to ping the firewall IP from the host with firewall 1 active:
ping -I 10.75.197.96 10.0.0.30
PING 10.0.0.30 (10.0.0.30) from 10.75.197.96 : 56(84) bytes of data.
^C
--- 10.0.0.30 ping statistics ---
15 packets transmitted, 0 received, 100% packet loss, time 14343ms
Yet as soon as I swap the active firewall, it works:
ping -I 10.75.197.96 10.0.0.30
PING 10.0.0.30 (10.0.0.30) from 10.75.197.96 : 56(84) bytes of data.
64 bytes from 10.0.0.30: icmp_seq=1 ttl=255 time=0.918 ms
64 bytes from 10.0.0.30: icmp_seq=2 ttl=255 time=0.574 ms
From the same host, I can use another IP (10.0.87.1) which works regardless of which firewall is active. If I add another IP, it works regardless of firewall (10.0.87.1).
The only change when the firewalls are swapped would be that the inside interface is connected to a different switch, but these switches are trunked and it's only that single IP that has an issue. I have cleared any and all arp caches on host, firewall, switch yet I still can't ping.
I would add that I have 2 of these rogue IPs on 2 different servers.
Suggestions welcome!
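One check worth running on the data in the post, as an added example that is not part of the original post: parse the 'show arp' output from both failover units and the host's 'ip addr' lines, then report any host address whose ARP entry is missing or differs between the units, or whose mask covers the firewall's inside address (10.0.0.30 in the post) so that the host resolves the firewall by ARP rather than through a route. The sample text is transcribed from the post; the regular expressions assume the column layout shown there.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed samples transcribed from the post (the 'Ping works/fails'
# annotations are not ASA output and are left out).
ARP_UNIT1 = """\
inside 10.75.197.96 0050.569e.e28c 379
inside 10.75.197.95 0050.569e.e28c 598
inside 10.75.197.103 0050.569e.e28c 649
"""
ARP_UNIT2 = """\
inside 10.75.197.96 0050.569e.e28c 491
inside 10.75.197.95 0050.569e.e28c 710
inside 10.75.197.103 0050.569e.e28c 758
"""
HOST_IP_ADDR = """\
inet 10.75.197.95/8 brd 10.255.255.255 scope global secondary ens160
inet 10.75.197.96/8 brd 10.255.255.255 scope global secondary ens160
inet 10.75.197.103/8 brd 10.255.255.255 scope global secondary ens160
"""
FIREWALL_INSIDE_IP = "10.0.0.30"  # inside address pinged in the post

# ASA 'show arp' line: <interface> <ip> <mac> <age>; Linux 'ip addr': inet <ip>/<len>
ARP_RE = re.compile(r"^\s*(\S+)\s+(\d+(?:\.\d+){3})\s+([0-9a-f]{4}(?:\.[0-9a-f]{4}){2})\s+\d+")
INET_RE = re.compile(r"^\s*inet\s+(\d+(?:\.\d+){3})/(\d+)")

def parse_arp(text: str) -> Dict[str, Tuple[str, str]]:
    """Map IP -> (interface, MAC) from 'show arp' output."""
    return {m.group(2): (m.group(1), m.group(3))
            for m in map(ARP_RE.match, text.splitlines()) if m}

def parse_host_addrs(text: str) -> Dict[str, int]:
    """Map IP -> prefix length from the host's 'ip addr' output."""
    return {m.group(1): int(m.group(2))
            for m in map(INET_RE.match, text.splitlines()) if m}

def compare(unit1: str, unit2: str, host: str) -> List[str]:
    """One finding per host address that is missing or differs between the
    two units, or whose mask places the firewall's inside address on-link."""
    a, b, findings = parse_arp(unit1), parse_arp(unit2), []
    fw = ipaddress.ip_address(FIREWALL_INSIDE_IP)
    for ip, plen in parse_host_addrs(host).items():
        if ip not in a or ip not in b:
            findings.append(f"{ip}: no ARP entry on unit {'1' if ip not in a else '2'}")
        elif a[ip] != b[ip]:
            findings.append(f"{ip}: ARP differs between units: {a[ip]} vs {b[ip]}")
        if fw in ipaddress.ip_network(f"{ip}/{plen}", strict=False):
            findings.append(f"{ip}/{plen}: mask covers {fw}; host resolves it via ARP, not a route")
    return findings
```

On the post's data the ARP tables agree on interface and MAC for all three addresses, so the only findings are the /8 mask ones: every host address treats 10.0.0.0/8 as on-link, which is why the host ARPs for 10.0.0.30 and 10.0.87.1 directly rather than sending them to a gateway.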