[c-nsp] Active/Standy ASA Firewalls are having duplicate IP issue on failover

Fabien DEDENON dafused.nog at gmail.com
Tue Nov 25 14:37:46 EST 2014


On 25/11/2014 18:48, Nick Hilliard wrote:
> On 25/11/2014 17:27, Scott Miller wrote:
>> In my setup, each ASA has a different IP.
>
> which means that active / failover will not operate on a /30.  The OP will
> need /29 or larger.
>
Yes, you can use one /30 IP for the master and nothing for the secondary; this
will not permit monitoring probes for this specific interface.

Some people seem to have verified that a gratuitous ARP is sent (but the MAC
should stay the same) on a failover event by the new master, so the other side
should always be sure of using the correct MAC address and the switch should
learn the right port to forward frames.
-> https://learningnetwork.cisco.com/thread/34401

By the way, what do you mean by "customer has to reboot the connection"?
I assume your "core switch" is the one on the uplink of the 3com switch.
Does the customer switch correctly re-learn the MAC address from the new ASA
port? Does the ASA MAC address change from your uplink's point of view (which
would justify 'clear arp')? If so, you may try the "failover mac address
<if>" command on the ASA to force use of a specific MAC address on the uplink
interface so you're sure to be stuck to it, or simply lower the ARP timeout on
your "core switch" to an acceptable level.

my 2 cts,

Fabien
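As an added illustration (not part of Fabien's post or of any configuration in this thread), here is what the two points above look like as an ASA active/standby configuration: an uplink interface that carries only the active address on a /30 (so it cannot be monitored and monitoring is switched off for it), and a fixed virtual MAC pinned with "failover mac address" so the upstream switch sees the same MAC whichever unit is active. The interface names, the 203.0.113.0/30 uplink, the 10.0.0.0/30 failover link and the locally administered MACs are constructed values for the example, not anything taken from the original thread.

```text
! Added example, constructed values; verify against your own ASA release's
! command reference before use.
!
! Failover link between the two units (needs its own active/standby pair).
failover lan unit primary
failover lan interface folink GigabitEthernet0/3
failover interface ip folink 10.0.0.1 255.255.255.252 standby 10.0.0.2
!
! Pin the MAC the upstream sees on the uplink: <physical-if> <active-mac> <standby-mac>.
! The active unit always presents 0200.0000.aa01, so only the switch's
! port mapping changes on failover (gratuitous ARP from the new active unit),
! not the ARP entry on the neighbour.
failover mac address GigabitEthernet0/0 0200.0000.aa01 0200.0000.aa02
!
! Uplink on a /30: only the active address fits, no "standby" address.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.1 255.255.255.252
!
! Without a standby address the units cannot exchange hellos on this
! interface, so exclude it from interface monitoring to avoid false
! interface-failed verdicts.
no monitor-interface outside
!
failover
```

After applying this, check on both units that "show failover" lists the outside interface as "Not-Monitored" and, on the upstream switch, that the MAC table entry for 0200.0000.aa01 moves to the other port after a forced "failover active" on the standby unit; if the neighbour's ARP cache still points at a stale MAC, the trade-off is the one noted in the post, i.e. lowering the ARP timeout on the core switch.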

