[c-nsp] Active/Standby ASA Firewalls are having duplicate IP issue on failover

David White, Jr. (dwhitejr) dwhitejr at cisco.com
Tue Nov 25 15:34:04 EST 2014


Hi Ahsan,

The customer cannot configure the 'same' IP address on both ASAs in an
Active/Standby pair.
Each ASA's outside interface must have its own IP (or the Standby could
be configured without an IP - but in that case the physical interface
would not be monitored for all failures).

When the ASAs failover, they swap both IPs and MAC addresses -
therefore, they shouldn't run into a 'duplicate MAC' case.  Both ASAs
will send out GARPs to update the CAM/ARP tables of adjacent devices.

Why isn't configuring a /29 acceptable to the customer?  It is the only
way to allow the ASA pair the IPs it needs to have failover configured
properly.

Sincerely,

David.

On 11/25/2014 11:50 AM, Ahsan Rasheed wrote:
> Hi Guys,
>
> Actually I would like to know if you guys can provide me the solution on
> the issue below.
>
> We are providing internet to one of our customers. Our connection is
> connected on the customer's onsite 3Com switch. On the 3Com switch, his two ASA
> firewalls are connected, Primary/Secondary as Active/Standby.
>
> We are providing a /30 IP to the customer. So the customer is using a single public IP
> address on both ASA firewalls. He is having an issue of duplicate MAC address
> on his side: when his primary ASA fails, his fail-over is not working unless
> he reboots the connection between us.
>
> 1. So the temporary solution is that the customer has to reboot the connection every
> time to make it work on fail-over, or we (ISP) have to clear the ARP from our
> core switch. This solution is manual; the customer wants to do fail-over
> automatically.
>
> 2. I asked the customer to use a /29 IP on their side, which we can provide, so he can
> use different public IPs on both firewalls. He refused to use a /29. He urged
> to use a single public IP on both ASA firewalls.
>
> 3. I asked the customer to use a router facing us and use the /30 IP on the router. He
> refused to use a router between us & the firewalls.
>
> Is any other solution possible that we (ISP) can use on our side to clear his
> ARP automatically when his primary ASA firewall drops the connection and
> the secondary firewall tries to connect with the same public IP but a different MAC
> address?
>
> Thanks & Regards,
> Ahsan Rasheed
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
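To make the mechanism David describes concrete, here is an added example (not code from either poster or from Cisco) that parses gratuitous ARP frames and applies them to a neighbour cache the way an ISP edge device that honours GARP would. Feeding it a GARP from the active ASA and then one from the unit that takes over shows the difference between a proper failover (the IP and MAC move together, so the cache entry is unchanged) and the customer's shared-IP setup (same IP, second MAC, so the entry must change or stay stale). The MAC addresses and the 203.0.113.2 address are constructed sample values.

```python
import struct
from typing import Dict, List, Optional

ETH_HDR = struct.Struct("!6s6sH")           # dst MAC, src MAC, EtherType
ARP_HDR = struct.Struct("!HHBBH6s4s6s4s")   # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
ETHERTYPE_ARP = 0x0806
ARP_REPLY = 2

# Constructed sample values (documentation prefix, locally assigned MACs).
PUBLIC_IP = bytes([203, 0, 113, 2])
PRIMARY_MAC = bytes.fromhex("021122aabb01")
SECONDARY_MAC = bytes.fromhex("021122aabb02")


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def ip_str(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def parse_arp(frame: bytes) -> Optional[dict]:
    """Decode an Ethernet/ARP frame; return None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < ETH_HDR.size + ARP_HDR.size:
        return None
    _dst, _src, ethertype = ETH_HDR.unpack_from(frame, 0)
    if ethertype != ETHERTYPE_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = ARP_HDR.unpack_from(frame, ETH_HDR.size)
    if htype != 1 or ptype != 0x0800 or hlen != 6 or plen != 4:
        return None
    # A gratuitous ARP announces the sender's own address: sender IP == target IP.
    return {"op": op, "sha": mac_str(sha), "spa": ip_str(spa), "tpa": ip_str(tpa),
            "gratuitous": spa == tpa}


def update_arp_table(table: Dict[str, str], pkt: dict) -> str:
    """Apply one ARP packet to a neighbour cache; report what happened to the entry."""
    old = table.get(pkt["spa"])
    table[pkt["spa"]] = pkt["sha"]
    if old is None:
        return "learned"
    return "unchanged" if old == pkt["sha"] else "mac-changed"


def build_garp(mac: bytes, ip: bytes) -> bytes:
    """Constructed gratuitous ARP reply: broadcast, sender and target both set to our IP."""
    return (ETH_HDR.pack(b"\xff" * 6, mac, ETHERTYPE_ARP)
            + ARP_HDR.pack(1, 0x0800, 6, 4, ARP_REPLY, mac, ip, b"\xff" * 6, ip))


def simulate_failover(macs: List[bytes]) -> List[str]:
    """Feed one GARP per MAC for the shared public IP, in order; return the cache events."""
    table: Dict[str, str] = {}
    return [update_arp_table(table, parse_arp(build_garp(m, PUBLIC_IP))) for m in macs]
```

With a correctly configured pair the takeover unit announces the same MAC, so `simulate_failover([PRIMARY_MAC, PRIMARY_MAC])` yields `["learned", "unchanged"]`; the customer's two-MAC setup yields `["learned", "mac-changed"]`, which is exactly the cache update the ISP currently has to force by hand.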