ASA firewalls with identical ifPhysAddress

Unanswered Question
Dec 16th, 2008

I posted over at the Firewall subforum, but I've found a little more info that's more pertinent to Network Management: I have a problem with a third-party nms tool that keeps getting confused about two different multi-context ASAs in separate geographic regions. These two ASAs are not a failover pair, so they shouldn't be taking over each other's MAC addr. It turns out the tool is confused by the identical ifPhysAddress reported by both ASAs:


snmpwalk asa1 interfaces.ifTable.ifEntry.ifPhysAddress

interfaces.ifTable.ifEntry.ifPhysAddress.1 : OCTET STRING- (hex): length = 6

0: 00 a0 c9 04 01 01 -- -- -- -- -- -- -- -- -- -- ................


snmpwalk asa2 interfaces.ifTable.ifEntry.ifPhysAddress

interfaces.ifTable.ifEntry.ifPhysAddress.3 : OCTET STRING- (hex): length = 6

0: 00 a0 c9 04 01 01 -- -- -- -- -- -- -- -- -- -- ................


However, I don't find this MAC addr anywhere in the "system", "admin", and presumably any other contexts of the two ASAs. I see no overlap in MAC addr ranges, according to "show interface" and "show module".


My question is: How is ifPhysAddress populated? Is it controlled by any configurable setting via CLI or ASDM? What's the impact of changing this ifPhysAddress to make it unique? Is it service-interrupting?
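A check that reproduces what the NMS tool is tripping over: parse snmpwalk ifPhysAddress output in the format quoted above, then report any MAC that more than one device returns. This is an added example, not code from the thread or from the NMS vendor; the two walks inside it are constructed to mirror the output shown for asa1 and asa2, plus one extra interface on asa1.

```python
import re
from collections import defaultdict

# Constructed sample output, modeled on the two snmpwalk dumps quoted in the question.
SAMPLE_WALKS = {
    "asa1": """interfaces.ifTable.ifEntry.ifPhysAddress.1 : OCTET STRING- (hex): length = 6
0: 00 a0 c9 04 01 01 -- -- -- -- -- -- -- -- -- -- ................
interfaces.ifTable.ifEntry.ifPhysAddress.2 : OCTET STRING- (hex): length = 6
0: 00 1b 2c 3d 4e 5f -- -- -- -- -- -- -- -- -- -- ................
""",
    "asa2": """interfaces.ifTable.ifEntry.ifPhysAddress.3 : OCTET STRING- (hex): length = 6
0: 00 a0 c9 04 01 01 -- -- -- -- -- -- -- -- -- -- ................
""",
}

# "…ifPhysAddress.<ifIndex> : OCTET STRING- (hex): length = <n>"
OID_RE = re.compile(r"ifPhysAddress\.(\d+)\s*:\s*OCTET STRING.*length\s*=\s*(\d+)")
# "<offset>: xx xx xx … -- --"  (only the leading hex pairs, up to 16 per dump line)
HEX_RE = re.compile(r"^\s*\d+:\s*((?:[0-9a-fA-F]{2}\s+){1,16})")


def parse_walk(text):
    """Return {ifIndex: 'aa:bb:cc:dd:ee:ff'} from one device's ifPhysAddress walk."""
    result = {}
    pending = None  # (ifIndex, declared length) of the OID line just seen
    for line in text.splitlines():
        m = OID_RE.search(line)
        if m:
            pending = (int(m.group(1)), int(m.group(2)))
            continue
        m = HEX_RE.match(line)
        if m and pending:
            ifindex, length = pending
            octets = m.group(1).split()[:length]
            if len(octets) == length:  # ignore truncated or malformed dumps
                result[ifindex] = ":".join(o.lower() for o in octets)
            pending = None
    return result


def find_shared_macs(walks):
    """Map MAC -> [(device, ifIndex), ...] for MACs reported by more than one device."""
    seen = defaultdict(list)
    for device, text in walks.items():
        for ifindex, mac in parse_walk(text).items():
            seen[mac].append((device, ifindex))
    return {mac: owners for mac, owners in seen.items()
            if len({dev for dev, _ in owners}) > 1}


if __name__ == "__main__":
    for mac, owners in find_shared_macs(SAMPLE_WALKS).items():
        print(mac, "reported by", owners)
```

Feeding real walks from each device into find_shared_macs gives the list of MACs an inventory tool would merge into a single node, which is the symptom described above.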


Joe Clarke Tue, 12/23/2008 - 10:51

It looks like this only occurs in ASA code 7.x. I have an ASA running 8.0 code, and my MAC is different. However, I have seen a few ASA bugs which had interface output showing the same MAC for all interfaces. Changing the MAC would be service-impacting as ARP entries would need to be updated. If you do change them, you should do so in a maintenance window.

yjdabear Tue, 12/23/2008 - 12:41

Do you have "no mac-address auto" configured on your ASA? According to TAC, it's because of this:


http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/mngcntxt.html#wpxref18679


We have "no mac-address auto" on all the ASAs' "system" config, yet only these two ASAs are using auto-generated virtual MAC addrs on the management0/0 interface in their contexts. The other ASAs use the physical (burnt-in) MAC addrs, which TAC doesn't have an explanation for. TAC says their lab ASA behaves the same (in terms of using auto-generated virtual MAC with "no mac-address auto") as these two ASAs my NMS tool is having trouble telling apart.

Joe Clarke Tue, 12/23/2008 - 12:48

I saw mention of mac-address auto, but I am not using it. I am not using contexts on my ASA, either.
