Any Cisco ASA guru here?
I noticed last week that our ASA5510 was flapping (switching between the primary and secondary circuits). The only time I have ever seen this was due to a loose patch cable, an interface going bad, power going bad, etc. (usually layer 1 related issues). I opened up a TAC case with Cisco and their CCIE security god said that a public DNS (184.108.40.206) was reported to Cisco to be having issues earlier in the week.
He suggested that I change the DNS I was using on our firewall from 220.127.116.11 to 18.104.22.168. I'm like, WTF??? Are you serious???
To my surprise, his suggestion worked!!!! Now I'm more confused than ever ... I'm a freakin' CCNP and I have never seen or heard of anything like this in all my networking experience or studies.
Anyone ever seen this before? I googled his solution and found nada.
You can say any foolish thing to a dog, and the dog will give you a look that says, 'My God, you're right! I never would've thought of that!'
Are you sure you changed the DNS server? It sounds more like you changed the object being tracked by the SLA.
Mind sharing the exact changes made?
Does the ASA use the DNS server to verify if the connection is up? Sounds like that's what is happening.
I'm no expert, but on all of our systems we use 22.214.171.124 as primary DNS and 126.96.36.199 as secondary. We do not have any kind of failover setup.
Failover is accomplished on an ASA through the use of SLA responders, not DNS. However, 188.8.131.52, 184.108.40.206 and the like are often used as targets for these responders.
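For anyone landing here from a search, this is what the route tracking described in the post above looks like on an ASA. It is an added illustration written for this thread, not config pulled from the original poster's 5510 or from Cisco; the interface names (outside, backup), the ISP next hops 203.0.113.1 and 198.51.100.1, the probe target 203.0.113.254 and the name server 203.0.113.53 are documentation addresses used as placeholders. The point to notice is that the ASA's DNS settings play no part in the failover decision: the box pings whatever host is named in the sla monitor entry, and if that host stops answering for any reason, including the host itself being overloaded or rate-limiting ICMP, the tracked default route is withdrawn and the backup route takes over, even though the circuit is perfectly healthy.

```cisco
! Probe 10: ICMP echo to the tracked host, sourced out the primary interface.
! Placeholder target 203.0.113.254; in practice use the ISP's first-hop gateway
! or a host you control, not a busy public service.
sla monitor 10
 type echo protocol ipIcmpEcho 203.0.113.254 interface outside
 num-packets 3
 frequency 10
 timeout 1000
 threshold 1000
sla monitor schedule 10 life forever start-time now
!
! Tracking object 1 follows the reachability result of probe 10.
track 1 rtr 10 reachability
!
! Primary default route stays in the routing table only while track 1 is up.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1 track 1
!
! Backup default route with a worse metric; idle until the primary is withdrawn.
route backup 0.0.0.0 0.0.0.0 198.51.100.1 254
!
! Name servers the ASA itself uses (for "ping hostname" and the like).
! Changing these has no effect on the tracking above; only the sla monitor
! target decides whether the primary route is installed.
dns domain-lookup outside
dns server-group DefaultDNS
 name-server 203.0.113.53
```

To see which host the box is actually tracking, and whether the probe rather than the circuit is what is flapping, check `show sla monitor configuration 10`, `show sla monitor operational-state 10` (look at the latest operation return code and the failure counts), `show track 1` and `show route`. If the return code alternates between OK and Timeout while layer 1 is clean, the target is the problem, not the link; if the TAC engineer had you change an address that appears in the `sla monitor` block, that is the change that fixed it, not the DNS entry.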