[c-nsp] Active/Standby ASA Firewalls are having duplicate IP issue on failover

Ahsan Rasheed ahsanrasheed9 at gmail.com
Tue Nov 25 11:50:03 EST 2014


Hi Guys,

Actually, I would like to know if you can provide me with a solution to the
issue below.

We are providing Internet to one of our customers. Our connection terminates
on the customer's onsite 3Com switch. His two ASA firewalls, Primary/Secondary
as Active/Standby, are connected to the 3Com switch.

We are providing a /30 to the customer, so the customer is using a single
public IP address on both ASA firewalls. He is having a duplicate MAC address
issue on his side: when his primary ASA fails, his failover does not work
unless he reboots the connection between us.

1. So the temporary solution is that the customer has to reboot the connection
every time to make failover work, or we (the ISP) have to clear the ARP entry
on our core switch. This solution is manual; the customer wants failover to
happen automatically.

2. I asked the customer to use a /29 on their side, which we can provide, so
he can use different public IPs on both firewalls. He declined to use a /29
and insisted on using a single public IP on both ASA firewalls.

3. I asked the customer to put a router facing us and use the /30 on the
router. He declined to put a router between us and the firewalls.

Is any other solution possible that we (the ISP) can use on our side to clear
his ARP automatically when his primary ASA firewall drops the connection and
the secondary firewall tries to connect with the same public IP but a
different MAC address?





Thanks & Regards,
Ahsan Rasheed
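Added example, not part of the original post or of any Cisco tooling: the condition described above, seen from the ISP switch, is an ARP cache entry for the customer's /30 address that still holds the failed primary's MAC while frames from that address now arrive with the standby's MAC. The Python below parses a constructed IOS-style `show ip arp` snapshot and compares it against constructed per-frame (source IP, source MAC) observations such as a sniffer on the customer VLAN would report, returning the bindings where cache and wire disagree. That comparison is the check a monitoring job would run before refreshing one ARP entry rather than flushing the whole table, and it is the same pattern used to detect an IP moving between MACs in general. All addresses, MACs, interface names and the `ArpEntry`/`find_stale_bindings` names are constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple

# Constructed sample of IOS-style "show ip arp" output from the upstream (ISP)
# switch. Addresses are RFC 5737 documentation space and the MACs are made up.
ARP_TABLE = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  203.0.113.1             -   0011.2233.4455  ARPA   Vlan100
Internet  203.0.113.2            12   00aa.bbcc.0001  ARPA   Vlan100
Internet  203.0.113.10            3   00aa.bbcc.1010  ARPA   Vlan100
"""

# Constructed (source IP, source MAC) pairs as a sniffer on Vlan100 would report
# them after the customer's failover: .2 now answers from the standby's MAC.
OBSERVED_FRAMES = [
    ("203.0.113.10", "00:aa:bb:cc:10:10"),
    ("203.0.113.2", "00:AA:BB:CC:00:02"),
]

ARP_LINE = re.compile(
    r"^Internet\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<age>-|\d+)\s+"
    r"(?P<mac>[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})\s+\S+\s+(?P<intf>\S+)\s*$"
)


@dataclass(frozen=True)
class ArpEntry:
    mac: str                 # canonical aabb.ccdd.eeff form
    age_min: Optional[int]   # None for the switch's own address (shown as "-")
    interface: str


def normalize_mac(mac: str) -> str:
    """Canonicalise aa:bb:cc:dd:ee:ff / aa-bb-cc-dd-ee-ff / aabb.ccdd.eeff to Cisco form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"malformed MAC address: {mac!r}")
    return ".".join(digits[i:i + 4] for i in range(0, 12, 4))


def parse_arp_table(text: str) -> Dict[str, ArpEntry]:
    """Parse 'show ip arp' output into ip -> ArpEntry, skipping header and blank lines."""
    table: Dict[str, ArpEntry] = {}
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if not m:
            continue
        age = None if m["age"] == "-" else int(m["age"])
        table[m["ip"]] = ArpEntry(normalize_mac(m["mac"]), age, m["intf"])
    return table


def find_stale_bindings(
    table: Dict[str, ArpEntry], observed: Iterable[Tuple[str, str]]
) -> Dict[str, Tuple[str, str]]:
    """Return ip -> (cached MAC, MAC seen on the wire) for every IP where they disagree.

    The latest observation for an IP wins. An IP seen on the wire but absent
    from the cache is not stale (the switch will simply ARP for it), so it is
    not reported.
    """
    latest: Dict[str, str] = {}
    for ip, mac in observed:
        latest[ip] = normalize_mac(mac)
    stale: Dict[str, Tuple[str, str]] = {}
    for ip, seen_mac in latest.items():
        entry = table.get(ip)
        if entry is not None and entry.mac != seen_mac:
            stale[ip] = (entry.mac, seen_mac)
    return stale


if __name__ == "__main__":
    cache = parse_arp_table(ARP_TABLE)
    for ip, (cached, seen) in sorted(find_stale_bindings(cache, OBSERVED_FRAMES).items()):
        print(f"{ip}: cache has {cached}, wire shows {seen} -> refresh this entry")
```

Run stand-alone it reports only 203.0.113.2, whose cached MAC (the primary's) no longer matches the MAC the standby is now sourcing frames from; 203.0.113.10 is unchanged and stays silent. Feeding it live data means replacing the two constructed inputs with the switch's actual ARP output and a capture from the customer-facing VLAN.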