
vSphere and Cisco ASA not playing nice

The client I am currently working at uses a Cisco ASA firewall. It has a number of interfaces and one of them is connected to a Cisco 3750-E switch with a vlan in which our VMware vSphere cluster also has a connection. You still with me? Ok.

This setup seems ok, but we are having a strange issue with it. It showed up when we brought our Microsoft Unified Access Gateway into the mix. The MS UAG is running in a virtual machine and has a portal for our terminal server applications as well as the owa interface for our Exchange environment.

All was well and everything was working, in the beginning at least. Soon we encountered connectivity problems when trying to reach the OWA webmail portal. Usually the portal would work, but every now and then the site would give a ‘cannot find’ error. Configuring the UAG with its persistent static routes can be tricky to begin with, and these strange problems did not help.

Things that did nothing:
Rebooting the UAG.
Removing IPs from NICs and re-adding them.
Removing and re-adding the static routes.
Reconfiguring the UAG TMG firewall to be more open.

None of these had any effect on the issue. Eventually my colleague figured out that the UAG's webmail-out interface had no entry in the ARP table on our Cisco ASA firewall. That seemed a good explanation for PCs not being able to find the portal. Adding a static ARP entry for the webmail-out interface resolved our issue, for a while that is.

During a maintenance evening (installing patches etc.) the UAG was rebooted and our problem returned, even though the ARP entry was still in the ARP table on the firewall. This time the UAG was reporting a duplicate IP on the network. After some testing it seems the correct way to do this is:

1. Remove IP from webmail-out interface on UAG.
2. Delete static ARP entry on ASA firewall.
3. Give webmail-out interface the correct IP.
4. Add the static ARP entry to the ASA firewall.

This procedure works. It might be a bit of work for a simple reboot…but at the moment it will have to do.

With this in mind we went on a Google search and found a post by a Dutch blogger who experienced similar problems.

The solution apparently is disabling the Proxy ARP feature on the ASA interface. Further testing will need to be done since this might impact other machines on our network.
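To make both the static-ARP procedure above and the proxy-ARP workaround concrete, here is an ASA configuration fragment I have added to this post; it is not the client's config. The interface name `dmz`, the address 192.0.2.50 and the MAC 0050.56aa.bbcc are placeholders, and the `show` lines are the checks I would run before and after.

```cisco
! Added example, not the real configuration from this post.
! Placeholders: interface "dmz", IP 192.0.2.50, MAC 0050.56aa.bbcc
! (a VMware-assigned MAC starts with 0050.56).

! Check what the ASA currently believes about the UAG address.
show arp | include 192.0.2.50

configure terminal
! Steps 2 and 4 of the procedure: drop the stale static entry,
! then re-add it once the UAG interface has its correct IP again.
no arp dmz 192.0.2.50 0050.56aa.bbcc
arp dmz 192.0.2.50 0050.56aa.bbcc

! The workaround from the Dutch blog post: stop the ASA answering
! ARP requests on behalf of other hosts on this interface.
! Caveat: proxy ARP is also how the ASA answers for NAT-mapped
! addresses on this interface, so any static NAT that relies on it
! needs an upstream route to the ASA instead before this is applied.
sysopt noproxyarp dmz
end

! Verify the entry is back and proxy ARP is off for the interface.
show arp | include 192.0.2.50
show running-config sysopt
```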
