[c-nsp] Active/Standby ASA Firewalls are having duplicate IP issue on failover

Ahsan Rasheed ahsanrasheed9 at gmail.com
Tue Nov 25 17:00:29 EST 2014


Hi David, Fabien & all who replied,



First, I would like to say thank you so much for helping me with this issue.

I would like to clarify a few things. The customer is using a /30 IP on the
Active firewall, and the Standby is configured with no IP on its outside
interface. Whenever fail-over occurs, the issue is that the customer gets a
duplicate IP address message and fail-over is not working with us only,
because our core switch already has the MAC address of the Active ASA for
that IP. When fail-over occurs, the standby uses the same IP but a different
MAC, so the ARP entry for that IP on the core switch is not cleared unless
someone drops the connection between ISP & customer or clears the ARP entry
manually on our (ISP) end. We are providing this customer a radio link, so
every time the customer has to reboot the radio to make fail-over work on
his side.

“One important thing: the customer is saying both of his firewalls are
working fine as Active/Standby with the other provider, Comcast. Fail-over is
working perfectly with no issues with Comcast.” Why is he having the issue
with us? Why is our core switch not getting those GARPs to update its CAM
table as an adjacent device, although it works fine with Comcast?

The customer refused to use a /29 IP block.

The customer refused to use a router.

As per the customer, they are not using HSRP/VRRP; they are using
Active/Standby ASA firewalls.

Do you guys think that, in this scenario, the only solution is for the
customer to use a virtual MAC address on his firewalls? If yes, then how to
use the virtual MAC address for Active/Standby ASA with a single IP on the
active ASA and no IP on the standby ASA?

I have read the comment below in one thread:

Dear Rajesh,

You are right that gratuitous ARP is injected by the ASA to the other
connected device. But the best solution to implement failover is to use a
virtual MAC address; if you use the virtual MAC address for failover, then
the ARP entries will not get changed and there will be no timeout anywhere
on the network. If you are not using the virtual MAC address, then when
failover occurs the ARP entries will be changed, and when the new device
takes over the active state it will send the gratuitous ARP.

Regards,
Aakil

Thanks & Regards,
Ahsan Rasheed

On Tue, Nov 25, 2014 at 2:34 PM, David White, Jr. (dwhitejr) <
dwhitejr at cisco.com> wrote:

> Hi Ahsan,
>
> The customer cannot configure the 'same' IP address on both ASAs in an
> Active/Standby pair.
> Each ASA's outside interface must have its own IP (or the Standby could
> be configured without an IP - but in that case the physical interface
> would not be monitored for all failures).
>
> When the ASAs failover, they swap both IPs and MAC addresses -
> therefore, they shouldn't run into a 'duplicate MAC' case.  Both ASAs
> will send out GARPs to update the CAM/ARP tables of adjacent devices.
>
> Why isn't configuring a /29 acceptable to the customer?  It is the only
> way to allow the ASA pair the IPs it needs to have failover configured
> properly.
>
> Sincerely,
>
> David.
>
> On 11/25/2014 11:50 AM, Ahsan Rasheed wrote:
> > Hi Guys,
> >
> >
> >
> > Actually I would like to know if you guys can provide me the solution on
> > below issue.
> >
> >
> >
> > We are providing internet to one of our customers. Our connection is
> > connected to the customer's onsite 3Com switch. On the 3Com switch, his
> > two ASA firewalls are connected, Primary/Secondary as Active/Standby.
> >
> > We are providing a /30 IP to the customer, so the customer is using a
> > single public IP address on both ASA firewalls. He is having an issue of
> > duplicate MAC address on his side when his primary ASA fails; his
> > fail-over is not working unless he reboots the connection between us.
> >
> > 1. So the temporary solution is that the customer has to reboot the
> > connection every time to make fail-over work, or we (ISP) have to clear
> > the ARP from our core switch. This solution is manual; the customer wants
> > fail-over to happen automatically.
> >
> > 2. I asked the customer to use a /29 IP on their side, which we can
> > provide, so he can use different public IPs on both firewalls. He refused
> > to use a /29. He insisted on using a single public IP on both ASA
> > firewalls.
> >
> > 3. I asked the customer to use a router facing us and use the /30 IP on
> > the router. He refused to put a router between us & the firewalls.
> >
> > Is any other solution possible that we (ISP) can use on our side to clear
> > his ARP automatically when his primary ASA firewall drops the connection
> > and the secondary firewall tries to connect with the same public IP but a
> > different MAC address?
> >
> > Thanks & Regards,
> > Ahsan Rasheed
> > _______________________________________________
> > cisco-nsp mailing list  cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
>
>
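As an added example (not code from the thread, from Cisco, or from any of the posters), the following Python script builds the gratuitous ARP (GARP) frames an ASA emits for an interface IP it takes over on failover, decodes them, and replays them against a toy model of the upstream switch's ARP cache. It covers the two behaviours the thread contrasts: a neighbour that honours unsolicited GARP moves the IP to the new MAC; one that does not keeps the old MAC until the entry ages out or is cleared, which is the symptom described above; and with a virtual MAC the second announcement carries the same MAC as the first, so the neighbour's GARP handling stops mattering. The IP 203.0.113.2, all MAC addresses, and the cache model are made-up assumptions for illustration.

```python
"""Added example, not from the thread: craft and decode gratuitous ARP (GARP)
and replay it against a toy upstream ARP cache.  Addresses are made up."""
import struct

ETH_TYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ff:ff:ff:ff:ff:ff"
ZERO_MAC = "00:00:00:00:00:00"


def _mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", "").replace(".", ""))


def _mac_str(raw):
    return ":".join("%02x" % b for b in raw)


def _ip_bytes(ip):
    return bytes(int(o) for o in ip.split("."))


def _ip_str(raw):
    return ".".join(str(b) for b in raw)


def build_garp(sender_mac, sender_ip, op=ARP_REQUEST):
    """Ethernet + ARP frame announcing sender_ip from sender_mac to broadcast.
    The ARP target IP equals the sender IP, which is what makes it gratuitous."""
    eth = _mac_bytes(BROADCAST) + _mac_bytes(sender_mac) + struct.pack("!H", ETH_TYPE_ARP)
    hdr = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)  # Ethernet, IPv4, hlen, plen, opcode
    target_mac = BROADCAST if op == ARP_REPLY else ZERO_MAC
    body = (_mac_bytes(sender_mac) + _ip_bytes(sender_ip)
            + _mac_bytes(target_mac) + _ip_bytes(sender_ip))
    return eth + hdr + body


def parse_arp(frame):
    """Decode an IPv4-over-Ethernet ARP frame; return None for anything else."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_TYPE_ARP:
        return None
    _, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if ptype != 0x0800 or hlen != 6 or plen != 4:
        return None
    sha, spa, tha, tpa = frame[22:28], frame[28:32], frame[32:38], frame[38:42]
    return {"op": op, "sender_mac": _mac_str(sha), "sender_ip": _ip_str(spa),
            "target_mac": _mac_str(tha), "target_ip": _ip_str(tpa),
            "gratuitous": spa == tpa}


class ArpCache:
    """Toy neighbour ARP table with a switchable policy for unsolicited GARP."""

    def __init__(self, accept_garp):
        self.accept_garp = accept_garp
        self.entries = {}

    def observe(self, frame):
        """Feed one frame and report what the cache did with it."""
        arp = parse_arp(frame)
        if arp is None or not arp["gratuitous"]:
            return "ignored"
        ip, mac = arp["sender_ip"], arp["sender_mac"]
        old = self.entries.get(ip)
        if old is None:
            self.entries[ip] = mac
            return "learned"
        if old == mac:
            return "refreshed"   # same MAC announced again: nothing changes
        if self.accept_garp:
            self.entries[ip] = mac
            return "updated"     # neighbour follows the IP to the new MAC
        return "stale"           # old MAC kept until aged out or cleared by hand

    def clear(self, ip):
        """What the ISP does manually today: drop the entry so it is relearned."""
        self.entries.pop(ip, None)


def simulate_failover(ip, active_mac, standby_mac, accept_garp):
    """Active unit announces ip, then the standby takes it over and announces it.
    Returns the MAC the neighbour maps ip to afterwards, plus the cache events."""
    cache = ArpCache(accept_garp)
    events = [cache.observe(build_garp(active_mac, ip)),
              cache.observe(build_garp(standby_mac, ip))]
    return cache.entries[ip], events


if __name__ == "__main__":
    ip, active, standby = "203.0.113.2", "00:11:22:33:44:01", "00:11:22:33:44:02"
    virtual = "00:11:22:33:44:aa"   # same MAC on whichever unit is active
    print("burned-in MACs, neighbour honours GARP:", simulate_failover(ip, active, standby, True))
    print("burned-in MACs, neighbour ignores GARP:", simulate_failover(ip, active, standby, False))
    print("virtual MAC, neighbour ignores GARP:   ", simulate_failover(ip, virtual, virtual, False))
```

On the ISP side, `parse_arp` can be run over frames captured on the customer-facing port to check whether GARPs for the customer's IP actually reach the core switch and which sender MAC they carry; if they arrive and the entry still does not move, the problem is the switch's handling of unsolicited ARP rather than the ASA. On the ASA side, the virtual MAC the quoted comment refers to is configured per physical interface with the `failover mac address` command (one active and one standby MAC); the MAC values in this example are placeholders, not suggested addresses.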

