[c-nsp] Active/Standby ASA Firewalls are having duplicate IP issue on failover

Scott Miller fordlove at gmail.com
Tue Nov 25 12:27:23 EST 2014


In my setup, each ASA has a different IP.  When the failover becomes
active, it assumes the IP of the active unit, and when the primary comes
back online, it assumes the IP of the failover unit.  The documentation for
this setup can also be found here:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/ha_active_standby.html

Active/Standby Failover Overview

Active/Standby failover enables you to use a standby ASA to take over the
functionality of a failed unit. When the active unit fails, it changes to
the standby state while the standby unit changes to the active state. The
unit that becomes active assumes the IP addresses (or, for transparent
firewall, the management IP address) and MAC addresses of the failed unit
and begins passing traffic. The unit that is now in standby state takes
over the standby IP addresses and MAC addresses. Because network devices
see no change in the MAC to IP address pairing, no ARP entries change or
time out anywhere on the network.

Scott

On Tue, Nov 25, 2014 at 9:50 AM, Ahsan Rasheed <ahsanrasheed9 at gmail.com>
wrote:

> Hi Guys,
>
> Actually I would like to know if you guys can provide me a solution to the
> issue below.
>
> We are providing internet to one of our customers. Our connection is
> connected to the customer's onsite 3Com switch. On the 3Com switch, his two
> ASA firewalls are connected, Primary/Secondary as Active/Standby.
>
> We are providing a /30 IP to the customer. So the customer is using a single
> public IP address on both ASA firewalls. He is having a duplicate MAC address
> issue on his side: when his primary ASA fails, his fail-over is not working
> unless he reboots the connection between us.
>
> 1. So the temporary solution is that the customer has to reboot the
> connection every time to make it work on fail-over, or we (the ISP) have to
> clear the ARP from our core switch. This solution is manual; the customer
> wants to do fail-over automatically.
>
> 2. I asked the customer to use a /29 IP on their side, which we can provide,
> so he can use different public IPs on both firewalls. He refused to use a
> /29. He insisted on using a single public IP on both ASA firewalls.
>
> 3. I asked the customer to use a router facing us and use the /30 IP on the
> router. He refused to use a router between us and the firewalls.
>
> Is any other solution possible that we (the ISP) can use on our side to
> clear his ARP automatically when his primary ASA firewall drops the
> connection and the secondary firewall tries to connect with the same public
> IP but a different MAC address?
>
> Thanks & Regards,
> Ahsan Rasheed
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
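As an added illustration (not from either poster, and not Cisco's text), here is the shape of an Active/Standby pair configured the way the quoted overview describes: a fixed virtual MAC pair on the outside interface, so that the MAC presented for the public IP is the same whichever physical unit currently holds the active role and the upstream ARP entry never has to change, and no standby address on the outside interface, because a /30 leaves the customer only one usable address. Interface names, the failover-link addresses, the public /30 and the MACs are assumed placeholders, not values from the thread.

```cisco
! Added example, not the poster's or Cisco's configuration. Interface
! names, addresses and MACs are placeholders; adapt to the real topology.
!
! --- Primary unit ---
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/3
failover interface ip FOLINK 192.0.2.1 255.255.255.252 standby 192.0.2.2
! Reuse the failover LAN link as the stateful link.
failover link FOLINK
! Fixed virtual MACs for the outside interface: <active_mac> <standby_mac>.
! Whichever unit is active presents 0200.0000.0001 for the public IP,
! so the ISP's ARP entry for 203.0.113.2 stays valid across a failover
! instead of depending on which unit's burned-in MAC was active last.
failover mac address GigabitEthernet0/0 0200.0000.0001 0200.0000.0002
failover
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ! /30 from the ISP: 203.0.113.1 is the ISP side, 203.0.113.2 is the only
 ! usable customer address, so no "standby" address is configured. The
 ! standby unit's outside interface therefore has no IP of its own and is
 ! not directly reachable from the ISP side.
 ip address 203.0.113.2 255.255.255.252
!
! --- Secondary unit (only the failover role differs; the interface and
!     virtual MAC configuration is replicated from the primary) ---
failover lan unit secondary
failover lan interface FOLINK GigabitEthernet0/3
failover interface ip FOLINK 192.0.2.1 255.255.255.252 standby 192.0.2.2
failover link FOLINK
failover
```

After a forced or real switchover, `show failover` on either unit reports which unit is active, and the ISP-side check is simply whether the ARP entry for the customer's /30 address still points at the configured active MAC; if it does, the ARP-clearing workaround described in the thread is not needed for that interface.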

