[c-nsp] Active/Standby ASA Firewalls are having duplicate IP issue on failover

David White, Jr. (dwhitejr) dwhitejr at cisco.com
Wed Nov 26 10:50:59 EST 2014


Hi Ahsan,

Replies inline...

On 11/25/2014 5:00 PM, Ahsan Rasheed wrote:
>
> Hi David, Fabien & all who replies ,
>
> First I would like to say thank you so much for helping me on this issue. 
>
> I would like to clear up a few things. The customer is using a /30 IP on the
> Active firewall, and the Standby is configured with no IP on its outside
> interface. Whenever fail-over occurs, the issue the customer is having is
> that he gets a duplicate IP address message, and fail-over is not working
> with us only.
>

What device is indicating "duplicate IP address"?  And validate the MACs
assigned to that IP.  Are they both really the two ASAs?


> Because our core switch already has the MAC address of the Active ASA
> for that IP. When fail-over occurs, the standby uses the same IP but a
> different MAC.
>

This is NOT the case.  When a failover occurs, the ASAs will SWAP MACs
(along with IPs), so ARP tables do NOT need to be updated.

> So the ARP entry on the core switch for that IP is not cleared unless
> someone drops the connection between ISP & customer or someone
> clears the ARP entry manually on our (ISP) end. We are providing this
> customer a radio link, so every time the customer has to reboot the radio to
> make fail-over work on his side.
>

If this is the case, then something else is going on here.
Either:
 (a) the ASAs are misconfigured, and failover is not working, and
instead both ASAs are going 'Active'
 (b) there is another device on the segment with the same IP as that of
the ASA
 (c) the customer is running into a bug

Is it possible to get a packet capture from the switch?

> "One important thing: the customer is saying both his firewalls are
> working fine as Active/Standby with the other provider,
> Comcast. Fail-over is working perfectly with no issues with Comcast."
> Why is he having the issue with us? Why is our core switch not getting
> those GARPs to update the CAM table as an adjacent device, although Comcast
> is working fine?
>

Are the CAM tables not getting updated???
Earlier you said the issue was with ARP (IP to MAC mapping);
CAM is MAC to port mapping.

After a 'failover', do you see the Primary's MAC on the Secondary's (ie:
newly Active ASA) port of the switch?


>  Customer refused to use /29 IP block.
>
> Customer refused to use Router.
>
> As per customer, they are not using HSRP/VRRP, they are using
> Active/Standby ASA firewalls.
>
> Do you guys think that in this scenario the only solution is for the
> customer to use a virtual MAC address on his firewalls? If yes, then how to
> use the virtual MAC address for Active/Standby ASA with a single IP on the
> active ASA and no IP on the standby ASA?
>

No.  A virtual MAC is already in use by the ASA for failover.
The unit which is designated as "Primary" will use its Burned-in MAC
address to be that of the "Active" IP on that interface.  When a
failover occurs, the unit designated as "Secondary" will assume the
Active role and the IP plus MAC from the Primary unit.  Likewise, the
Primary will now use the Standby IP (if configured) and the Secondary's
Burned-in MAC address.  (i.e. the units swap MACs and IPs).

The reason we created the ability to hard-code the MAC addresses is for
this specific case:  Assume the Primary has a hardware failure.  The
Secondary becomes Active (using the Primary's Burned-in MAC).  Now, if
you replace the Primary, when it comes up the Secondary (which is still
Active) will have to change the MAC address it is using because your new
Primary device has a new MAC address.  This condition would require ARP
tables to be updated.  To avoid this, we allow hard-coding of the MAC
addresses.  But this condition ONLY occurs when you physically replace
the Primary ASA.  And even then, the adjacent devices still wouldn't
have a problem if they updated their ARP tables when the GARPs were sent
from the ASA.

Sorry for the long explanation, but I wanted to clear up the fact that
hard-coding the MACs won't have any impact on this issue.

Sincerely,

David.

>
> I read the comment below in another thread:
>
> Dear Rajesh,
>
> You are right that *gratuitous ARP is injected by the ASA to other connected
> devices. But the best solution to implement failover is to use a
> virtual MAC address; if you use the virtual MAC address for
> failover then the ARP entries will not get changed and there will be
> no timeout anywhere on the network. If you are not using the virtual
> MAC address, then if failover occurs the ARP entries will
> be changed, and when the new device takes over the active state it
> will send the gratuitous ARP.*
>
> *Regards,*
>
>  *Aakil*
>
>
>
>
>
> Thanks & Regards,
> Ahsan Rasheed
>
> On Tue, Nov 25, 2014 at 2:34 PM, David White, Jr. (dwhitejr)
> <dwhitejr at cisco.com <mailto:dwhitejr at cisco.com>> wrote:
>
>     Hi Ahsan,
>
>     The customer cannot configure the 'same' IP address on both ASAs in an
>     Active/Standby pair.
>     Each ASA's outside interface must have its own IP (or the Standby could
>     be configured without an IP - but in that case the physical interface
>     would not be monitored for all failures).
>
>     When the ASAs failover, they swap both IPs and MAC addresses -
>     therefore, they shouldn't run into a 'duplicate MAC' case.  Both ASAs
>     will send out GARPs to update the CAM/ARP tables of adjacent devices.
>
>     Why isn't configuring a /29 acceptable to the customer?  It is the only
>     way to allow the ASA pair the IPs it needs to have failover configured
>     properly.
>
>     Sincerely,
>
>     David.
>
>     On 11/25/2014 11:50 AM, Ahsan Rasheed wrote:
>     > Hi Guys,
>     >
>     >
>     >
>     > Actually I would like to know if you guys can provide me the
>     > solution on the issue below.
>     >
>     >
>     >
>     > We are providing internet to one of our customers. Our connection is
>     > connected to the customer's onsite 3Com switch. On the 3Com switch, his
>     > two ASA firewalls are connected, Primary/Secondary as Active/Standby.
>     >
>     > We are providing a /30 IP to the customer. So the customer is using a
>     > single public IP address on both ASA firewalls. He is having an issue
>     > of duplicate MAC address on his side when his primary ASA fails; his
>     > fail-over is not working unless he reboots the connection between us.
>     >
>     >
>     >
>     > 1. So the temporary solution is that the customer has to reboot the
>     > connection every time to make fail-over work, or we (ISP) have to
>     > clear the ARP from our core switch. This solution is manual; the
>     > customer wants fail-over to happen automatically.
>     >
>     >
>     >
>     > 2. I asked the customer to use a /29 IP on their side, which we can
>     > provide, so he can use different public IPs on both firewalls. He
>     > refused to use a /29. He insisted on using a single public IP on both
>     > ASA firewalls.
>     >
>     >
>     >
>     > 3. I asked the customer to use a router facing us and use the /30 IP on
>     > the router. He refused to use a router between us & the firewalls.
>     >
>     >
>     >
>     > Is any other solution possible that we (ISP) can use on our side to
>     > clear his ARP automatically when his primary ASA firewall drops the
>     > connection and the secondary firewall tries to connect with the same
>     > public IP but a different MAC address?
>     >
>     >
>     >
>     >
>     >
>     > Thanks & Regards,
>     > Ahsan Rasheed
>     > _______________________________________________
>     > cisco-nsp mailing list  cisco-nsp at puck.nether.net
>     <mailto:cisco-nsp at puck.nether.net>
>     > https://puck.nether.net/mailman/listinfo/cisco-nsp
>     > archive at http://puck.nether.net/pipermail/cisco-nsp/
>
>
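As an added illustration (not part of the thread, and not Cisco's code), the following Python model walks through the behaviour David describes: the Active IP is always served with the Primary's burned-in MAC (or a hard-coded MAC) whichever unit currently holds the Active role, so a plain failover changes only the switch port the MAC is learned on, never the ARP entry; only a physical replacement of the Primary forces the ARP entry to change, and hard-coding the MAC removes even that case. It also encodes his three-way reading of a "duplicate IP" report (failover misconfigured with both units Active, another device on the segment, or a single owner) from the MACs seen claiming the address. All IPs, MACs and port names below are constructed.

```python
# Added example (not from the thread): toy model of ASA Active/Standby
# failover and the adjacent switch's ARP/CAM tables. All addresses and
# port names are constructed.
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Asa:
    """One unit of the pair. 'designation' is the configured Primary/Secondary
    role; 'active' is the runtime role, which moves on failover."""
    designation: str
    bia: str        # burned-in MAC of the outside interface
    port: str       # adjacent switch port the outside interface is on
    active: bool = False


@dataclass
class Switch:
    """Adjacent switch: ARP table (IP -> MAC) and CAM table (MAC -> port)."""
    arp: Dict[str, str] = field(default_factory=dict)
    cam: Dict[str, str] = field(default_factory=dict)

    def receive_garp(self, ip: str, mac: str, port: str) -> None:
        # A gratuitous ARP refreshes the IP->MAC binding and the port on
        # which that MAC was last seen.
        self.arp[ip] = mac
        self.cam[mac] = port


class FailoverPair:
    """The Active IP is served with the Primary's BIA (or the hard-coded MAC,
    if configured) regardless of which unit is currently Active."""

    def __init__(self, primary: Asa, secondary: Asa, active_ip: str,
                 hardcoded_mac: Optional[str] = None):
        self.primary, self.secondary = primary, secondary
        self.active_ip = active_ip
        self.hardcoded_mac = hardcoded_mac
        primary.active = True

    def active_unit(self) -> Asa:
        return self.primary if self.primary.active else self.secondary

    def active_mac(self) -> str:
        return self.hardcoded_mac or self.primary.bia

    def announce(self, switch: Switch) -> None:
        # The Active unit sends a GARP for the Active IP from its own port.
        switch.receive_garp(self.active_ip, self.active_mac(),
                            self.active_unit().port)

    def failover(self, switch: Switch) -> None:
        self.primary.active, self.secondary.active = (
            self.secondary.active, self.primary.active)
        self.announce(switch)

    def replace_primary(self, new_bia: str, switch: Switch) -> None:
        # Hardware replacement: the Primary returns with a new BIA while the
        # Secondary stays Active and has to re-announce.
        self.primary.bia = new_bia
        self.announce(switch)


def build_pair(hardcoded_mac: Optional[str] = None):
    pri = Asa("Primary", "00:11:22:33:44:01", "Gi1/1")
    sec = Asa("Secondary", "00:11:22:33:44:02", "Gi1/2")
    sw = Switch()
    pair = FailoverPair(pri, sec, "198.51.100.2", hardcoded_mac)
    pair.announce(sw)
    return pair, sw


def normal_failover() -> Dict[str, object]:
    """Failover with no hardware change: the ARP entry keeps the Primary's
    MAC, which is now learned on the Secondary's port."""
    pair, sw = build_pair()
    before = sw.arp[pair.active_ip]
    pair.failover(sw)
    after = sw.arp[pair.active_ip]
    return {"mac_changed": before != after, "mac": after, "port": sw.cam[after]}


def primary_replacement(hardcoded_mac: Optional[str] = None) -> bool:
    """True if the adjacent ARP entry had to change after the Primary was
    physically replaced while the Secondary was Active."""
    pair, sw = build_pair(hardcoded_mac)
    pair.failover(sw)
    before = sw.arp[pair.active_ip]
    pair.replace_primary("00:11:22:33:44:99", sw)
    return sw.arp[pair.active_ip] != before


def diagnose(observed_macs: List[str], pair: FailoverPair) -> str:
    """Classify a 'duplicate IP' report from the MACs seen claiming the
    Active IP, following the three possibilities listed in the thread."""
    asa_macs = {pair.primary.bia, pair.secondary.bia}
    if pair.hardcoded_mac:
        asa_macs.add(pair.hardcoded_mac)
    seen = set(observed_macs)
    if len(seen) <= 1:
        return "single owner"
    if seen <= asa_macs:
        return "both ASAs active (failover not working)"
    return "another device on the segment uses this IP"


if __name__ == "__main__":
    print(normal_failover())
    print("ARP changed, no hard-coded MAC:", primary_replacement())
    print("ARP changed, hard-coded MAC:", primary_replacement("00:11:22:33:44:aa"))
    print(diagnose(["00:11:22:33:44:01", "00:11:22:33:44:02"], build_pair()[0]))
```

The check David asks for after a failover corresponds to `normal_failover()`: the MAC in the ARP entry is unchanged and the CAM table now points it at the Secondary's port. If a real switch instead shows two different MACs for the IP, `diagnose()` separates the "both Active" misconfiguration (both MACs belong to the ASAs) from a stray third device on the segment.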


