Strange failover problem: primary firewall takes over standby firewall IP address while no failover occurs

Unanswered Question
May 27th, 2010

Hi Folks,

I have a strange problem at the moment. I'm not sure if any of you have ever encountered this problem before, or whether someone could give me a hint as to what might cause it.

Platform: Cisco ASA 5505 firewalls with Security Plus license, redundant pair

OS: 8.2(2)

Problem description: These two firewalls are set up as an active/standby failover pair. Every so often, the primary firewall claims to the router that it owns both the primary firewall and standby firewall external interface IPs, so that to the system the secondary firewall appears offline.

However, if you log on to the primary firewall and check the failover status, the failover cluster shows everything is fine.

Checking the failover history, no failover occurred at all.

The primary firewall can ping itself and the secondary firewall fine. The secondary firewall can ping the primary firewall but not the public internet.

Checking on the internet gateway router, both the primary firewall IP and the secondary firewall IP resolve to the primary firewall external interface MAC address.

Everything goes back to normal after either restarting the secondary firewall or forcing the secondary firewall to be active.

This failover cluster has been set up for months and worked fine until recently, when the problem started occurring. It's not causing any downtime but it's really annoying, so if anyone could give me some help, that would be much appreciated.

Federico Coto F... Fri, 05/28/2010 - 13:36


Not sure why this is happening.

In normal circumstances, you see on the Internet router the IPs for both units with their corresponding MAC addresses, correct?

In other words, from the outside router, the ARP table has an entry for the outside IP of the primary unit with its corresponding MAC and another entry for the IP of the secondary unit with the MAC of the secondary unit, correct?

When the problem happens, you see an ARP with both IPs mapping to the MAC of the primary Firewall?
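
The ARP comparison asked about in the reply above can be automated. This is an added example, not part of the thread: it assumes IOS-style `show arp` text from the upstream router, and the addresses, MACs and function names are constructed placeholders.

```python
import re

# Constructed sample of IOS-style "show arp" output from the upstream router.
# Addresses are documentation-range placeholders, not values from the thread.
SAMPLE_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  203.0.113.1             -   0000.5e00.5301  ARPA   FastEthernet0/0
Internet  203.0.113.2             4   0000.5e00.5310  ARPA   FastEthernet0/0
Internet  203.0.113.3             0   0000.5e00.5310  ARPA   FastEthernet0/0
Internet  203.0.113.4             0   Incomplete      ARPA
Internet  203.0.113.9            12   0000.5e00.5399  ARPA   FastEthernet0/0
"""

# One resolved entry: protocol, IPv4 address, age, dotted-hex MAC.
ROW = re.compile(
    r"^Internet\s+(\d{1,3}(?:\.\d{1,3}){3})\s+\S+\s+"
    r"([0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})\b"
)

def parse_arp(text):
    """Return {ip: mac} for resolved entries; header and Incomplete rows are skipped."""
    table = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            table[m.group(1)] = m.group(2).lower()
    return table

def check_failover_pair(table, primary_ip, standby_ip):
    """Classify the router's view of the pair's outside addresses."""
    primary_mac = table.get(primary_ip)
    standby_mac = table.get(standby_ip)
    if primary_mac is None or standby_mac is None:
        return "missing-entry"   # nothing to compare yet
    if primary_mac == standby_mac:
        return "shared-mac"      # the symptom described in the thread
    return "ok"                  # each unit answers with its own MAC

if __name__ == "__main__":
    arp = parse_arp(SAMPLE_ARP)
    print(check_failover_pair(arp, "203.0.113.2", "203.0.113.3"))
```

Run on a schedule against the router's ARP output, a `shared-mac` result timestamps when the condition starts, which can then be lined up with the firewalls' own logs.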


