To whoever can help:
I've set up a pair of ASA 5515-X firewalls in an active/standby failover group. When I issue the command "ip address 172.16.1.2 255.255.255.0 standby 172.16.1.3" from the management interface configuration mode, I'm able to ping and connect via SSH or ASDM for a period of time. If I let the interface go idle for any extended period of time and then attempt to ping it again, I get one ping off and then "Request timed out." The only way to get the interface to begin accepting traffic again is to change the IP address again, or reload each device in sequence.
I've tested this effect from 2 different workstations on the same network and both end up with the same results: a single ping and then "Request timed out." I've disabled the firewalls on each of the workstations (not that it would matter) just to make sure I had an open line of communication with the ASA, yet the problem persists. This occurs even if I set an IP with no standby on each unit.
The weird thing is, the switches do not experience this behavior when attempting to ping or SSH to the ASAs. My workstation will not be able to ping it, but the switch that is connected to the management interface is able to ping and SSH to the ASAs with no problems. My current setup is like this:
Gi1/0/18 (VLAN 999) = Management Interface on ASA1 172.16.1.2
Gi2/0/18 (VLAN 999) = Management Interface on ASA2 172.16.1.3
Gi1/0/10 (VLAN 999) = Workstation 172.16.1.100
SVI 999 = 172.16.1.1
I've set console logging to debug on the ASAs and watched as the first ping came in... and then nothing. So it almost seems as if the problem is on the C3750, because the packets just aren't making it to the management interface. Just writing this out has sort of given me a logical perspective to maybe analyze the switch a bit more in depth. I'd still like to see if anyone has any ideas as to what might be causing this behavior.
Thanks for any insight anyone might be able to provide.
The information you have given does seem to point to a weird situation.
Essentially, when in a failover pair, the ASAs should to my understanding have a MAC address that is always on the Active unit and a MAC address that is always on the Standby unit. The same naturally goes for the IP address; therefore, even though a switch of the active unit happens, the ARP should stay the same.
I am not aware of any other IP/MAC like there might be with Cisco routers' HSRP implementation.
To my understanding the Management interface has had some changes when comparing the original ASA5500 series and the new ASA5500-X series.
One big change is of course the fact that the interface has been disabled as a data interface and can only be used for management purposes. And there have been mentions in Cisco documents that it couldn't be used in any high availability setups.
Here is a quote from a Cisco document explaining migration from the ASA5500 series to the ASA5500-X series:
Management Port Configuration Changes
The ASA 5500-X Series introduced a shared management port for firewall and IPS services. There are certain caveats to follow during migration from the ASA 5500 Series.
• The shared management port cannot be used as a data port. All through-the-box traffic arriving at the management port will be dropped implicitly. This cannot be disabled.
• The shared management port cannot be used as a part of a high availability configuration.
If the ASA management port (M0/0) on the ASA 5500 Series appliance was being used as a data port, the configuration associated with that port should be moved to one of the gigabit data ports numbered above G0/3.
The ASA 8.6 configuration guide also states the following:
Management 0/0 Interface on the ASA 5512-X through ASA 5555-X
The Management 0/0 interface on the ASA 5512-X through ASA 5555-X has the following characteristics:
• No through traffic support
• No subinterface support
• No priority queue support
• No multicast MAC support
•The IPS SSP software module shares the Management 0/0 interface. Separate MAC addresses and IP addresses are supported for the ASA and IPS module. You must perform configuration of the IPS IP address within the IPS operating system. However, physical characteristics (such as enabling the interface) are configured on the ASA.
What I am wondering here is if this could have anything to do with the fact that the ASA5500-X series ASA CX or IPS management is also handled through this management port. I am not sure if there is even a chance that the management IP address of the CX or IPS could be configured to overlap with the actual IP address of the Management interface.
I was personally quite confused at first when I got my ASA5515-X with ASA CX. The Management interface had its IP address and ASA CX also had a management IP address on the same interface, but this didn't show in the interface configuration. It could be reset on the ASDM side through the Startup Wizard at least. You could skip all the other phases and just apply the CX settings if you wanted to change that management IP address.
You have not mentioned if you have either IPS or CX. To be honest I am not 100% sure, but I think if the ASA comes with the SSD HD then at least in the CX case there should be an evaluation license, so you could actually use it and therefore there would be a management IP address also.
One thing you could naturally do on the ASAs is to "debug arp" and monitor that traffic and compare it to what you are seeing on the switch and the hosts.
I don't think you should be seeing 2 different MAC addresses on a single switch port unless it's maybe somehow related to the CX/IPS setup.
On my ASA5515-X, for example, I could use these commands to view the IP addresses configured for CX or IPS management (I have CX):
show module ips details
show module cxsc details
For example, in my case (some output omitted):
ASA-CX# show module cxsc details
Getting details from the Service Module, please wait...
Card Type: ASA CX5515 Security Appliance
Model: ASA CX5515
Software version: 9.1.1
MAC Address Range: f872.ea24.ed03 to f872.ea24.ed03
App. name: ASA CX
App. Status: Up
App. Status Desc: Normal Operation
App. version: 9.1.1
Data Plane Status: Up
Mgmt IP addr: 10.0.250.251
Mgmt Network mask: 255.255.255.0
Mgmt Gateway: 10.0.250.2
Mgmt web ports: 443
Mgmt TLS enabled: true
While my Management interface configuration is:
ip address 10.0.250.250 255.255.255.0
As for your question about the Management interface and its IP addresses: to my understanding you are unable to separate any interface from the actual Failover process. You can only specify that some interfaces are not monitored with regards to Failover, but their configuration will still change depending on the Failover state.
So I would presume that even though you manually set the interface IP address separately on the units, some Failover event might cause one unit's interface configuration to be overwritten by the other unit's.
I would imagine that the Management interface should work in a Failover setup, because they don't give an option to use the Management interface in the way you are attempting. Though again, the documents are pretty vague with regards to this information.
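To give the host-side half of the comparison suggested above ("debug arp" on the ASAs versus what the switch and the hosts see), here is an added workstation script; it is not from either post in this thread and is not Cisco code. It assumes a Linux workstation with iproute2 (`ip neigh`) and iputils `ping`. Each interval it sends one ICMP probe to the management IP, reads the kernel neighbour entry, and logs an event whenever the learned MAC changes (two units answering for one IP) or the entry stops resolving (the idle-then-"Request timed out" pattern from the question). The snapshots embedded in the block are constructed sample `ip neigh` output with made-up MAC addresses, used only so the parsing runs offline.

```bash
#!/usr/bin/env bash
# Added example: host-side ARP/ICMP watcher for an ASA management IP.
# Not from the original thread. Assumes Linux (iproute2 + iputils).

# Print the lower-cased MAC the kernel holds for IP $1, reading `ip neigh`
# text on stdin; print NONE when the entry is absent or has no lladdr
# (e.g. a FAILED or INCOMPLETE entry after ARP stopped being answered).
neigh_mac() {
    awk -v ip="$1" '
        $1 == ip {
            for (i = 2; i <= NF; i++)
                if ($i == "lladdr") { print tolower($(i + 1)); found = 1; exit }
        }
        END { if (!found) print "NONE" }
    '
}

# Print the neighbour state (REACHABLE, STALE, FAILED, ...) for IP $1 from
# `ip neigh` text on stdin; ABSENT when there is no entry at all.
neigh_state() {
    awk -v ip="$1" '
        $1 == ip { print $NF; found = 1; exit }
        END { if (!found) print "ABSENT" }
    '
}

# Classify the transition from the previously seen MAC ($1) to the current
# one ($2): stable, mac_changed, unresolved (lost the entry) or resolved.
classify() {
    old="$1" new="$2"
    if [ "$new" = "NONE" ]; then echo unresolved
    elif [ "$old" = "NONE" ]; then echo resolved
    elif [ "$old" != "$new" ]; then echo mac_changed
    else echo stable
    fi
}

# Live loop: probe $1 every ${2:-5}s and log ICMP result, MAC, neighbour
# state and the classified event. Runs until interrupted.
watch_mgmt() {
    ip="$1" interval="${2:-5}" prev="NONE"
    while :; do
        if ping -c 1 -W 2 "$ip" >/dev/null 2>&1; then icmp=reply; else icmp=timeout; fi
        table=$(ip neigh show to "$ip")
        mac=$(printf '%s\n' "$table" | neigh_mac "$ip")
        state=$(printf '%s\n' "$table" | neigh_state "$ip")
        printf '%s icmp=%s mac=%s state=%s event=%s\n' \
            "$(date +%T)" "$icmp" "$mac" "$state" "$(classify "$prev" "$mac")"
        prev="$mac"
        sleep "$interval"
    done
}

# Constructed `ip neigh` snapshots (not real captures, MACs are made up):
# t0 healthy, t1 a different MAC answers for the same IP, t2 no answer at all.
SNAP_T0='172.16.1.2 dev eth0 lladdr 00:1a:2b:3c:4d:01 REACHABLE
172.16.1.1 dev eth0 lladdr 00:1a:2b:3c:4d:ff REACHABLE'
SNAP_T1='172.16.1.2 dev eth0 lladdr 00:1a:2b:3c:4d:02 STALE
172.16.1.1 dev eth0 lladdr 00:1a:2b:3c:4d:ff REACHABLE'
SNAP_T2='172.16.1.2 dev eth0  FAILED
172.16.1.1 dev eth0 lladdr 00:1a:2b:3c:4d:ff REACHABLE'

# Offline walk through the three snapshots for the ASA1 management IP.
demo() {
    prev=NONE
    for snap in "$SNAP_T0" "$SNAP_T1" "$SNAP_T2"; do
        mac=$(printf '%s\n' "$snap" | neigh_mac 172.16.1.2)
        state=$(printf '%s\n' "$snap" | neigh_state 172.16.1.2)
        printf 'mac=%s state=%s event=%s\n' "$mac" "$state" "$(classify "$prev" "$mac")"
        prev=$mac
    done
}

case "${1:-demo}" in
    demo)  demo ;;
    watch) watch_mgmt "${2:?management IP required}" "${3:-5}" ;;
esac
```

Run it as `./asa-arp-watch.sh watch 172.16.1.2 5` on the workstation while the interface sits idle, and line up the timestamps of any `unresolved` or `mac_changed` events with the ASA's "debug arp" output and the switch's MAC table for Gi1/0/18. A `mac_changed` event means two different stations answered ARP for the same management IP; an `unresolved` event with `icmp=timeout` while the switch can still reach the ASA points at the host-to-switch path rather than at the ASA itself.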