Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
620
Views
0
Helpful
3
Replies

ASA firewalls with identical ifPhysAddress

yjdabear
VIP Alumni
VIP Alumni

‎12-16-2008 07:56 AM

I posted over at the Firewall subform, but I've found a little more info that's more pertinent to Network Management: I have a problem with a third-party nms tool that keeps getting confused about two different multi-context ASAs in separate geographic regions. These two ASAs are not a failover pair, so they shouldn't be taking over each other's MAC addr. It turns out the tool is confused by the identical ifPhysAddress reported by both ASAs:

snmpwalk asa1 interfaces.ifTable.ifEntry.ifPhysAddress

interfaces.ifTable.ifEntry.ifPhysAddress.1 : OCTET STRING- (hex): length = 6

0: 00 a0 c9 04 01 01 -- -- -- -- -- -- -- -- -- -- ................

snmpwalk asa2 interfaces.ifTable.ifEntry.ifPhysAddress

interfaces.ifTable.ifEntry.ifPhysAddress.3 : OCTET STRING- (hex): length = 6

0: 00 a0 c9 04 01 01 -- -- -- -- -- -- -- -- -- -- ................

However, I don't find this MAC addr anywhere in the "system", "admin", and presumably any other contexts of the two ASAs. I see no overlap in MAC addr ranges, according to "show interface" and "show module".

My question is: How is ifPhysAddress populated? Is it controlled by any configurable setting via CLI or ASDM? What's the impact of changing this ifPhysAddress to make it unique? Is it service-interrupting?

Labels:
0 Helpful
3 Replies 3

Joe Clarke
Cisco Employee
Cisco Employee

‎12-23-2008 10:51 AM

It looks like this only occurs in ASA code 7.x. I have an ASA running 8.0 code, and my MAC is different. However, I have seen a few ASA bugs which had interface output showing the same MAC for all interfaces. Changing the MAC would be service-impacting as ARP entries would need to be updated. If you do change them, you should do so in a maintenance window.

0 Helpful

yjdabear
VIP Alumni
VIP Alumni
In response to Joe Clarke

‎12-23-2008 12:41 PM

Do you have "no mac-address auto" configured on your ASA? According to TAC, it's because of this:

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/mngcntxt.html#wpxref18679

We have "no mac-address auto" on all the ASAs' "system" config, yet only these two ASAs are using auto-generated virtual MAC addrs on the management0/0 interface in their contexts. The other ASAs use the physical (burnt-in) MAC addrs, which TAC doesn't have an explanation for. TAC says their lab ASA behaves the same (in terms of using auto-generated virtual MAC with "no mac-address auto") as these two ASAs my NMS tools is having trouble telling apart.

0 Helpful

Joe Clarke
Cisco Employee
Cisco Employee
In response to yjdabear

‎12-23-2008 12:48 PM

I saw mention of mac-address auto, but I am not using it. I am not using contexts on my ASA, either.

0 Helpful
Customers Also Viewed These Support Documents