Have you tried to run the traceroute from the ASA? If this is successful, there should not be a layer 2 problem between the ASA and the border router.

Also, can you ping from the internal host to the border router?

Make sure the permit icmp any any is applied incoming to the outside interface.

Let me know if any of that helps.

James

Trace from a inside LAN workstation to an external site dies at the border router. but from the border router, trace to the same external site succeeds.

trace from an external IP can reach the global IP of the ASA, the ASA can ping the next hop border router and the border router can ping ASA as well.

I have cleared the arp cache and mac-address tables on both router and ASA and I still cant ping any external site.

Btw, I have a permit icmp any any and I can see the request going out of the ASA via debug ICMP trace but I dont see any reply back.

I am thinking this is a Layer 2 problem since the ASA and border router are directly connected.

I am now perplexed and confused as to what to do next…

I do not believe you should be able to ping the outside interface of the ASA from the inside interface. By default the ASA will not allow a packet to exit the same interface it enters. I do not know of a way to change this behavior.

James

Thanks in advance.

got it to work using a layer2 switch trunked to the ASA’s

Yes, I have added the standby IP addresses however I am getting (waiting) failed on my outside interfaces…ooh so close

secure1/production# sh fail
Failover On
Last Failover at: 08:14:52 UTC Oct 11 2008
This context: Failed
Active time: 0 (sec)
Interface outside (xxx.xxx.136.18): Failed (Waiting)
Interface inside (10.10.3.10): Normal
Peer context: Active
Active time: 2428 (sec)
Interface outside (xxx.xxx.136.29): Normal (Waiting)
Interface inside (10.10.3.1): Normal

Stateful Failover Logical Update Statistics
Status: Configured.
Stateful Obj xmit xerr rcv rerr
RPC services 0 0 0 0
TCP conn 0 0 0 0
UDP conn 0 0 1913 0
ARP tbl 0 0 15 0
Xlate_Timeout 0 0 0 0
SIP Session 0 0 0 0
secure1/production#

That doesn’t look right to me. I am not running Active/Active with contexts, but I do have a failover config. Here is the sh fail:

FW-ASA# sh fail
Failover On
Failover unit Primary
Failover LAN Interface: Failover GigabitEthernet0/2 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 250 maximum
failover replication http
Version: Ours 8.0(4), Mate 8.0(4)
Last Failover at: 21:42:13 CDT Aug 18 2008
This host: Primary - Active
Active time: 4806765 (sec)
slot 0: ASA5520 hw/sw rev (2.0/8.0(4)) status (Up Sys)
Interface outside (X.X.X.226): Normal
Interface DMZ_Servers (10.10.48.1): Normal
Interface DMZ_VPN (10.10.49.1): Normal
Interface DMZ_InternetDump (10.10.126.1): Normal (Not-Monitored)
Interface inside (10.10.100.1): Normal
slot 1: ASA-SSM-20 hw/sw rev (1.0/6.0(3)E1) status (Up/Up)
IPS, 6.0(3)E1, Up
Other host: Secondary - Standby Ready
Active time: 266 (sec)
slot 0: ASA5520 hw/sw rev (2.0/8.0(4)) status (Up Sys)
Interface outside (X.X.X.227): Normal
Interface DMZ_Servers (10.10.48.2): Normal
Interface DMZ_VPN (10.10.49.2): Normal
Interface DMZ_InternetDump (10.10.126.2): Normal (Not-Monitored)
Interface inside (10.10.100.2): Normal
slot 1: ASA-SSM-20 hw/sw rev (1.0/6.0(3)E1) status (Up/Up)
IPS, 6.0(3)E1, Up

Stateful Failover Logical Update Statistics
Link : Unconfigured.

It looks like you setup the failover part correctly, but did not put the standby IP address on the interfaces. Here are 2 of the interfaces from my ASAs:

!
interface GigabitEthernet0/1.48
vlan 48
nameif DMZ_Servers
security-level 48
ip address 10.10.48.1 255.255.255.0 standby 10.10.48.2
!
interface GigabitEthernet0/1.49
vlan 49
nameif DMZ_VPN
security-level 49
ip address 10.10.49.1 255.255.255.248 standby 10.10.49.2

You have to add the standby interface to every interface.

Let me know if that helps.