11-22-2013 04:58 AM - edited 02-21-2020 05:02 AM
I have two Cisco ASA 55xx series. These two are in HA mode. Firewall01 two ports connecting to Nexus 55XX Switch 01 and these are in Port channel. Firewall02 two ports connecting to Nexus 55XX Switch 02 and these are in Port channel. VLAN 10 with Subnet 10.10.10.0/28.
Nexus SW01 : VLAN 10 with HSRP
Firewall's VLAN 10, gateway is HSRP IP address.
SW01 : 10.10.10.2
SW02 : 10.10.10.3
HSRP IP : 10.10.10.1
FW01 : 10.10.10.4
FW02 : 10.10.10.5
Problem: I am not able to ping Firewall IPs from Nexus Switches.
When I checked the ARP entries for the firewall IPs, I observed in the ARP table that both firewall IPs have the same MAC address. I checked that MAC address on the firewall; it is the port-channel MAC address on the firewall.
I am thinking this is an issue (same MAC address for both IPs). How do I resolve this issue?
Thanks
Venkat
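The check described above (pulling the ARP table and noticing that two IPs resolve to one MAC) can be scripted so it is caught without reading the table by eye. The following is an added example, not code from the thread or from Cisco; it parses NX-OS-style `show ip arp` output into entries and reports any MAC address that sits behind more than one IP. The sample output and the MAC values in it are constructed; only the IP addresses come from the question.

```python
"""Flag IP addresses that resolve to the same MAC in an NX-OS style ARP table.

Added example (not from the thread). The sample output is constructed to
mirror the symptom in the question: both firewall IPs on VLAN 10 answer
with one MAC address, which is not expected for two separate ASA
port-channels.
"""
import re
from collections import defaultdict

# Constructed sample in the shape of NX-OS `show ip arp vlan 10` output.
# MAC addresses are made up; the IPs are the ones from the question.
SAMPLE_ARP = """\
Flags: * - Adjacencies learnt on non-active FHRP router
IP ARP Table for context default
Total number of entries: 3
Address         Age       MAC Address     Interface
10.10.10.3      00:01:12  0000.0000.0003  Vlan10
10.10.10.4      00:05:33  0000.0000.00aa  Vlan10
10.10.10.5      00:05:40  0000.0000.00aa  Vlan10
"""

# One ARP entry: IPv4 address, age, dotted-quad-style MAC, interface name.
# Header and banner lines do not start with an IP and are skipped.
ARP_LINE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<age>\S+)\s+"
    r"(?P<mac>[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})\s+"
    r"(?P<iface>\S+)"
)


def parse_arp(text):
    """Return a list of (ip, mac, interface) tuples; non-entry lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.match(line.strip())
        if m:
            entries.append((m["ip"], m["mac"].lower(), m["iface"]))
    return entries


def shared_macs(entries):
    """Map each MAC that appears behind more than one IP to the sorted list of those IPs."""
    by_mac = defaultdict(set)
    for ip, mac, _iface in entries:
        by_mac[mac].add(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def report(text):
    """Print a one-line finding per shared MAC and return the findings dict."""
    findings = shared_macs(parse_arp(text))
    for mac, ips in findings.items():
        print(f"MAC {mac} is claimed by {len(ips)} IPs: {', '.join(ips)}")
    if not findings:
        print("no shared MAC addresses in ARP table")
    return findings


if __name__ == "__main__":
    report(SAMPLE_ARP)
```

Run it against a pasted `show ip arp` capture from each Nexus; a MAC reported for two distinct hosts (rather than for an HSRP virtual address, which legitimately moves between routers) is the condition worth chasing on the firewall side.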
11-23-2013 09:42 AM
Generally speaking, the firewalls' port-channels should each have a unique MAC address. By default, the MAC address of the lowest-numbered channel-group member interface is used as the port-channel MAC address. (Reference)
When failover occurs, a gratuitous ARP should establish the newly active ASA as associated with the proper address.
Since you mentioned having a Nexus core, you aren't running a vPC for the port-channel, are you? Also, are you using the NX-OS ARP synchronize feature? (Reference)
11-24-2013 11:54 PM
Hi Mavin,
I am not using vPC for this port-channel.