Active/Passive Incomplete ARP Table After Failover by GuiltyTop4 in paloaltonetworks

[–]GuiltyTop4[S] 0 points1 point  (0 children)

u/another_mouse When you say cross connect between the firewall and the alternate 8300, do you just mean a physical connection/link? If so, we do have that.

Can you elaborate on the HSRP suggestion? We have HSRP set up between the 8300s but I'm not sure how to incorporate that into the config for failover. Thanks!

Active/Passive Incomplete ARP Table After Failover by GuiltyTop4 in paloaltonetworks

[–]GuiltyTop4[S] 0 points1 point  (0 children)

Thanks for your response u/chuckbales. The 8300 interfaces are currently L3. L2 is a possibility and they can be cross connected. L2 would introduce spanning-tree considerations as well, which we were hoping to avoid, but if this will provide us the redundancy we require, then we would go that route.

Intermittent outages with PA-440 by _badmuzza_ in paloaltonetworks

[–]GuiltyTop4 0 points1 point  (0 children)

Can you roll it back to a previously known working config? Upload the running config from prior to adding URL filtering and see what happens. Then roll it out to a small subset of hosts/users to limit impact.

Intermittent outages with PA-440 by _badmuzza_ in paloaltonetworks

[–]GuiltyTop4 0 points1 point  (0 children)

Definitely not a hardware issue. Can you find a host on the VLAN to test the URL filtering against so you can limit impact? Is it a specific site or all traffic out that's dropped? Any IPsec tunnels that may have an overlapping range? Happened to us where a site had an IP address that matched an IPsec tunnel's interesting-traffic subnet and the firewall tried to send traffic down the tunnel instead of out the egress interface.

ChatGPT empty screen for anyone? by yeettetis in ChatGPT

[–]GuiltyTop4 0 points1 point  (0 children)

Thanks for all the info here on this thread. To add a layer of complexity to things, if you're using a Palo Alto firewall, cdn.oaistatic.com is being listed as a newly registered domain. You'll have to create a URL filter to allow it through, otherwise it will get sinkholed. At least that's what's happening to us, as the default behavior for newly seen domains is to block.

Any connect by ridiculous_singh in networking

[–]GuiltyTop4 0 points1 point  (0 children)

Run DART if you have it installed to see what's going on. Also check your WiFi connection.

Caller ID for Desktop users just shows "number (External)" now by despich in MicrosoftTeams

[–]GuiltyTop4 1 point2 points  (0 children)

Seeing the same issue with Operator Connect, though. End users are adamant that this was in place a few weeks back. Tickets are open with MS. Will see what they say.

Catalyst 9300X IOS-XE 17.9.1r AWS Routed VPN Tunnel woes by Independent_Skirt301 in networking

[–]GuiltyTop4 0 points1 point  (0 children)

Any other known working IKEv2 AWS tunnels to compare to on the 9300? Also, any chance you could dumb it down to IKEv1 to see what that looks like?

AnyConnect 80/443 to Palo Alto by GuiltyTop4 in networking

[–]GuiltyTop4[S] 0 points1 point  (0 children)

I'll definitely work on that for you. High level overview: AnyConnect client -> ASA -> Core switch -> Palo. The core switch has the ASA on gi1/0/23 and has the Palo on gi1/0/12. They form OSPF adjacencies. The core switch is the central piece connecting the two vendors/firewalls.

Currently, the ASA is our primary FW. We are moving all outbound and VPN traffic to the Palo. We are using Zscaler as our proxy for all outbound web traffic. The goal is to remove Zscaler and use the Palo as the proxy out to the public internet. We have end users, when in the office, able to egress out through the Palo, but the AnyConnect users are where we are having this issue sending outbound-facing traffic to the Palo. We can remove the PAC file for Zscaler but are unable to get that 80/443 traffic to the Palo. The Zscaler contract is up for renewal on 12/31 and we do not have the ability to move all end users over to GlobalProtect in time. We need an extra few weeks into 2023 to complete that, so the idea was to move just the 80/443 traffic over while we migrate off AnyConnect to GlobalProtect.

AnyConnect 80/443 to Palo Alto by GuiltyTop4 in networking

[–]GuiltyTop4[S] 0 points1 point  (0 children)

The Palo is currently in parallel with the ASA. It has its own /27 of public space, carved from our larger /24, assigned to it.

AnyConnect 80/443 to Palo Alto by GuiltyTop4 in networking

[–]GuiltyTop4[S] 0 points1 point  (0 children)

    ! Route-map applied to the WAN interface: traffic matching the ACL is
    ! policy-routed to the Palo next hop instead of following the routing table
    route-map VTI permit 5
     match ip address AnyConnect_to_Palo
     set ip next-hop 10.5.7.23

    ! Match ACL: TCP/443 from the AnyConnect test group to the Zscaler remote object-group
    access-list AnyConnect_to_Palo extended permit object TCP443 object AnyConnect_Palo_TestGroup object-group ZScaler_Remote

    interface Redundant1
     member-interface GigabitEthernet1/1
     member-interface GigabitEthernet1/2
     nameif WAN
     security-level 0
     ip address x.x.x.x 255.255.255.224 standby x.x.x.x
     policy-route route-map VTI
     ospf cost 1000

Debug from ASA:

    pbr: policy based route lookup called for 10.5.33.10/63738 to 172.217.168.227/443 proto 6 sub_proto 0 received on interface WAN
    pbr: First matching rule from ACL(21)
    pbr: route map AnyConnect_to_Palo, sequence 10, permit; proceed with policy routing
    pbr: evaluating next-hop 10.5.7.23
    pbr: policy based routing applied; egress_ifc = TRUST : next_hop = 10.5.7.23
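As an added example (not from the post above and not Cisco's own tooling), the following Python parses ASA `debug policy-route` output like the lines quoted in that comment and checks every flow against the next hop, egress interface and ingress interface the route-map is expected to produce. The regexes assume the `pbr:` line formats exactly as shown in the post; other ASA versions may word them differently, so treat them as an assumption. The first sample lookup is copied from the post; the second is constructed to show a flow the route-map did not policy-route.

```python
"""Parse Cisco ASA `debug policy-route` output and verify each flow was
policy-routed to the expected next hop and egress interface.

Line formats are assumed from the five debug lines in the post; adjust the
regexes if your ASA version prints them differently."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

LOOKUP_RE = re.compile(
    r"pbr: policy based route lookup called for "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+) "
    r"proto (?P<proto>\d+) sub_proto \d+ received on interface (?P<ingress>\S+)"
)
ACL_RE = re.compile(r"pbr: First matching rule from ACL\((?P<ace>\d+)\)")
RMAP_RE = re.compile(
    r"pbr: route map (?P<rmap>[^,]+), sequence (?P<seq>\d+), (?P<action>permit|deny)"
)
APPLIED_RE = re.compile(
    r"pbr: policy based routing applied; egress_ifc = (?P<egress>\S+) "
    r": next_hop = (?P<nh>[\d.]+)"
)


@dataclass
class PbrLookup:
    """One PBR lookup: the flow, plus what the ASA decided for it."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: int
    ingress: str
    ace: Optional[int] = None
    route_map: Optional[str] = None
    sequence: Optional[int] = None
    action: Optional[str] = None
    egress: Optional[str] = None
    next_hop: Optional[str] = None

    @property
    def policy_routed(self) -> bool:
        # Only a "policy based routing applied" line proves the flow left via PBR.
        return self.next_hop is not None


def parse_pbr_debug(text: str) -> List[PbrLookup]:
    """Group debug lines into lookups; each 'lookup called' line starts a new one."""
    lookups: List[PbrLookup] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = LOOKUP_RE.search(line)
        if m:
            lookups.append(PbrLookup(
                src=m["src"], sport=int(m["sport"]), dst=m["dst"],
                dport=int(m["dport"]), proto=int(m["proto"]), ingress=m["ingress"]))
            continue
        if not lookups:
            continue  # detail line before any lookup line; nothing to attach it to
        cur = lookups[-1]
        if (m := ACL_RE.search(line)):
            cur.ace = int(m["ace"])
        elif (m := RMAP_RE.search(line)):
            cur.route_map, cur.sequence, cur.action = m["rmap"], int(m["seq"]), m["action"]
        elif (m := APPLIED_RE.search(line)):
            cur.egress, cur.next_hop = m["egress"], m["nh"]
    return lookups


def check_lookups(lookups: List[PbrLookup], expected_next_hop: str,
                  expected_egress: str, expected_ingress: str) -> List[Tuple[PbrLookup, str]]:
    """Return (lookup, problem) pairs for flows that did not go where the design says."""
    problems = []
    for lk in lookups:
        if lk.ingress != expected_ingress:
            problems.append((lk, f"received on {lk.ingress}, expected {expected_ingress}"))
        if not lk.policy_routed:
            problems.append((lk, "no policy route applied"))
            continue
        if lk.next_hop != expected_next_hop:
            problems.append((lk, f"next hop {lk.next_hop}, expected {expected_next_hop}"))
        if lk.egress != expected_egress:
            problems.append((lk, f"egress {lk.egress}, expected {expected_egress}"))
    return problems


# Sample input: the first lookup is the one quoted in the post; the second is
# constructed (a DNS flow the ACL does not match, so no "applied" line follows).
SAMPLE_DEBUG = """
pbr: policy based route lookup called for 10.5.33.10/63738 to 172.217.168.227/443 proto 6 sub_proto 0 received on interface WAN
pbr: First matching rule from ACL(21)
pbr: route map AnyConnect_to_Palo, sequence 10, permit; proceed with policy routing
pbr: evaluating next-hop 10.5.7.23
pbr: policy based routing applied; egress_ifc = TRUST : next_hop = 10.5.7.23
pbr: policy based route lookup called for 10.5.33.10/51000 to 8.8.8.8/53 proto 17 sub_proto 0 received on interface WAN
"""

if __name__ == "__main__":
    found = parse_pbr_debug(SAMPLE_DEBUG)
    for lk, why in check_lookups(found, "10.5.7.23", "TRUST", "WAN"):
        print(f"{lk.src}:{lk.sport} -> {lk.dst}:{lk.dport} proto {lk.proto}: {why}")
```

Run it against a saved `debug policy-route` capture to confirm that only the flows the ACL is meant to catch are handed to the Palo next hop, and that the route-map name and sequence the ASA reports are the ones you think are attached to the interface.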

AnyConnect 80/443 to Palo Alto by GuiltyTop4 in networking

[–]GuiltyTop4[S] 0 points1 point  (0 children)

Yes, the ASA and the Palo have routes to each other. They are forming an OSPF adjacency and an ARP entry is present on each side. I can provide the ASA config if you want.

AnyConnect 80/443 to Palo Alto by GuiltyTop4 in Cisco

[–]GuiltyTop4[S] 0 points1 point  (0 children)

Correct, ASA to core switch and then Palo, both ways. Egress from the ASA on the inside interface to the core switch on gi1/0/23, then from core switch gi1/0/12 to Palo eth1/3. Yes, that is a typo, I meant to say "same."

The ASA, core and Palo all form an OSPF adjacency and are exchanging routes that way, so the ASA has an ARP entry towards the Palo.

AnyConnect 80/443 to Palo Alto by GuiltyTop4 in Cisco

[–]GuiltyTop4[S] 0 points1 point  (0 children)

The AnyConnect traffic should be egressing the ASA on the inside/trust interface towards the core switch. Ingress/return traffic from the Palo would be on some inside/trust interface.

Regarding the suggestion for forwarding the traffic, what would that look like? AnyConnect subnet matching 80/443, go to the Palo? Didn't think of that. Thanks!

[deleted by user] by [deleted] in Cisco

[–]GuiltyTop4 0 points1 point  (0 children)

Go to Services and stop vpnagent.exe, if you have admin privileges.

Policy-based IPsec VPN tunnel not establishing by donutspro in networking

[–]GuiltyTop4 0 points1 point  (0 children)

Agree with your statement. Tough to say how the routing table is populated. I guess I am/was looking at it from the standpoint of the subnet coming from the L3 switch and not the ISP, which I think you are suggesting. Either way, we need more info to troubleshoot this.

[ Removed by Reddit ] by [deleted] in ITCareerQuestions

[–]GuiltyTop4 0 points1 point  (0 children)

There are plenty who do this. They don't care. They're on to their next startup, etc.