Cisco Bug: CSCvi17263 - UNKNOWN PAT backup on Slave unit in cluster

Last Modified

Sep 19, 2019

Products (1)

  • Cisco ASA 5500-X Series Firewalls

Known Affected Releases

201.2(1.40)

Description (partial)

Symptom:
We discovered that initiated traffic hitting NAT pool x.x.x.x would fail if it lands on the slave unit-1-1, since we have failed to obtain a valid NAT pool backup on the current slave unit-1-1. We can see that when we run the following command:



Firepower-module1# show nat pool cluster
IP EXT 198.x.x.x, owner unit-1-1, backup <UNKNOWN>
IP EXT 198.x.x.x, owner unit-1-1, backup <UNKNOWN>
IP EXT 198.x.x.x, owner unit-2-1, backup unit-1-1

Conditions:

1. Have a single node in the cluster as Master and join a Slave.
2. For the PAT/NAT pool, you would notice that the Slave does not have a valid backup.
3. Initiate traffic hitting such a PAT/NAT pool; the traffic would fail if it lands on the slave unit.

firepower(config)# cluster exec show nat pool cluster | include UNKNOWN
unit-1-1(LOCAL):******************************************************


unit-2-1:*************************************************************
IP spirent_outside:dns-server-pat-pool 20.1.44.4, owner unit-1-1, backup <UNKNOWN>
IP spirent_outside:dns-server-pat-pool 20.1.44.1, owner unit-1-1, backup <UNKNOWN>
IP spirent_outside:http-server-pat-pool 20.1.14.2, owner unit-1-1, backup <UNKNOWN>
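
A check for the condition shown above, as an added example (not Cisco's code and not part of the bug report): it parses `show nat pool cluster` output, with or without the `cluster exec` unit headers, and lists the pool addresses each unit reports with backup `<UNKNOWN>`. The sample output is constructed in the page's format; the function names and the `local` label for header-less output are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample in the format of 'cluster exec show nat pool cluster'.
SAMPLE = """\
unit-1-1(LOCAL):******************************************************
IP spirent_outside:dns-server-pat-pool 20.1.44.4, owner unit-1-1, backup unit-2-1

unit-2-1:*************************************************************
IP spirent_outside:dns-server-pat-pool 20.1.44.4, owner unit-1-1, backup <UNKNOWN>
IP spirent_outside:http-server-pat-pool 20.1.14.2, owner unit-1-1, backup <UNKNOWN>
IP EXT 198.51.100.7, owner unit-2-1, backup unit-1-1
"""

# "unit-1-1(LOCAL):*****" or "unit-2-1:*****" introduces one unit's output.
UNIT_HDR = re.compile(r"^(?P<unit>[\w.-]+)(?:\(LOCAL\))?:\*+\s*$")
# "IP <interface[:pool]> <address>, owner <unit>, backup <unit or <UNKNOWN>>"
POOL_LINE = re.compile(
    r"^IP\s+(?P<pool>\S+)\s+(?P<addr>[^,\s]+),\s*owner\s+(?P<owner>[^,\s]+),"
    r"\s*backup\s+(?P<backup>\S+)\s*$"
)

def parse_pools(text, default_unit="local"):
    """Yield one record per pool line, tagged with the unit that reported it."""
    unit = default_unit  # assumed label: plain 'show nat pool cluster' has no header
    for raw in text.splitlines():
        line = raw.strip()
        hdr = UNIT_HDR.match(line)
        if hdr:
            unit = hdr.group("unit")
            continue
        m = POOL_LINE.match(line)  # prompts and blank lines do not match
        if m:
            yield {"reported_by": unit, **m.groupdict()}

def missing_backups(text):
    """Map reporting unit -> [(pool, addr, owner)] for entries without a backup."""
    gaps = defaultdict(list)
    for rec in parse_pools(text):
        if rec["backup"] == "<UNKNOWN>":
            gaps[rec["reported_by"]].append((rec["pool"], rec["addr"], rec["owner"]))
    return dict(gaps)

if __name__ == "__main__":
    for unit, entries in missing_backups(SAMPLE).items():
        for pool, addr, owner in entries:
            print(f"{unit}: {pool} {addr} (owner {owner}) has no backup")
```

Grouping by the reporting unit matters here because, as in the output above, the owner's own view can be clean while the joined unit's view of the same address shows `<UNKNOWN>`.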