firewall weirdness

Anyone willing to help on this would be greatly appreciated. Setup is:

We recently got a 2nd internet connection for redundancy. Bought a
couple ecessa devices which will help with this as they do
authoritative dns, WAN (isp) virtualization, failover, etc. We also
have a 2nd cisco asa for firewalling the backup site.

We have both our isp connections at two different locations (vlan’d
over a 10GB connection). Kicker is, when we connect the isp connection
we’ve had for years to the second firewall (different IP address for
now), we eventually lose all internet traffic through said isp
connection.

Sometimes it takes 10 min, sometimes up to 30 min, but eventually both
in and outbound traffic seems to quit. Unplugging this isp connection
from the ‘backup’ firewall gets things flowing again.

The second isp connection we recently got does not seem to do this.

Any ideas, suggestions? We are a bit stumped here.


Stevo

On 6/30/2015 10:46 AM, Stevo wrote:

> Anyone willing to help on this would be greatly appreciated. Setup is:
>
> We recently got a 2nd internet connection for redundancy. Bought a
> couple ecessa devices which will help with this as they do
> authoritative dns, WAN (isp) virtualization, failover, etc. We also
> have a 2nd cisco asa for firewalling the backup site.
>
> We have both our isp connections at two different locations (vlan’d
> over a 10GB connection). Kicker is, when we connect the isp connection
> we’ve had for years to the second firewall (different IP address for
> now), we eventually lose all internet traffic through said isp
> connection.
>
> Sometimes it takes 10 min, sometimes up to 30 min, but eventually both
> in and outbound traffic seems to quit. Unplugging this isp connection
> from the ‘backup’ firewall gets things flowing again.
>
> The second isp connection we recently got does not seem to do this.
>
> Any ideas, suggestions? We are a bit stumped here.

I had the same symptoms on a project. My problem turned out to be a bug
in the modem firmware. The firewall would periodically validate it was
talking to the proper modem. After a while the modem started returning
its 10.xx address instead of its public IP address. The firewall
stopped passing traffic to the modem but still periodically would send a
validation query. At some point (minutes to hours later) the modem
would start sending its public address; the firewall was happy and
started to pass traffic (until sometime later when the cycle would repeat).

Just a thought.
Bob
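
Bob's diagnosis points at one concrete thing to watch for: the address the modem reports to the firewall flipping from the public IP into RFC1918 space and back some minutes to hours later. The script below is an added example, not code from this thread or from either poster, that applies that check to a log of periodic address samples. The log format, the five-minute probe interval and every address in it are constructed for illustration; the thread does not name the firewall or modem model, so how a given device actually performs its "is this the right modem" validation is an assumption and would have to be mapped onto its real log or probe output.

```python
"""Added example (not from the thread): detect a modem that intermittently
reports a private address instead of its public one, the failure mode Bob
describes. Input is a constructed log of "ISO-timestamp address" samples,
one per probe; output is the list of outages (start, bad address, recovery,
duration). The probe mechanism and interval are assumptions.
"""
import ipaddress
from datetime import datetime

# Address ranges a public-facing WAN interface should never report.
# RFC1918 covers the 10.x case from the thread; 100.64.0.0/10 (RFC6598,
# carrier-grade NAT) is included because a modem behind CGNAT shows the
# same symptom. Documentation ranges such as 203.0.113.0/24 are treated
# as public here so the constructed sample below reads naturally.
NON_PUBLIC_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("100.64.0.0/10"),
]

# Constructed sample log: the modem answers correctly, then reports its
# 10.x management address for two probes, then recovers.
SAMPLE_LOG = """
2015-06-30T10:00:00 203.0.113.25
2015-06-30T10:05:00 203.0.113.25
2015-06-30T10:10:00 10.42.0.1
2015-06-30T10:15:00 10.42.0.1
2015-06-30T10:20:00 203.0.113.25
2015-06-30T10:25:00 203.0.113.25
""".strip()


def classify(addr: str) -> str:
    """Return 'private' if addr falls in NON_PUBLIC_NETS, else 'public'."""
    ip = ipaddress.ip_address(addr)
    return "private" if any(ip in net for net in NON_PUBLIC_NETS) else "public"


def parse_log(text: str):
    """Parse 'ISO-timestamp address' lines into (datetime, address) tuples."""
    samples = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, addr = line.split()
        samples.append((datetime.fromisoformat(ts), addr))
    return samples


def detect_flaps(samples):
    """Walk the samples in order and report every public->private->public cycle.

    Each event is a dict with 'started', 'bad_addr', 'recovered' and
    'duration'. An outage still open at the end of the log is reported
    with recovered=None and no duration, so a live monitor can alert on it.
    """
    events = []
    current = None  # the outage currently in progress, if any
    for ts, addr in samples:
        state = classify(addr)
        if state == "private" and current is None:
            current = {"started": ts, "bad_addr": addr, "recovered": None}
        elif state == "public" and current is not None:
            current["recovered"] = ts
            current["duration"] = ts - current["started"]
            events.append(current)
            current = None
    if current is not None:
        events.append(current)
    return events


if __name__ == "__main__":
    for event in detect_flaps(parse_log(SAMPLE_LOG)):
        print(event)
```

Feeding the constructed log through `detect_flaps` yields a single outage that starts at 10:10, reports `10.42.0.1`, and recovers at 10:20 after ten minutes. In practice the same function can run over whatever address-validation log the firewall in use actually writes; a recurring pattern of private-address samples in that log is strong evidence for the modem-side fault Bob describes rather than a firewall policy problem.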