
Port channel MAC Address for two IPs in ASA

venkateshwarlut
Level 1

I have two Cisco ASA 55xx series firewalls. These two are in HA mode. Firewall01 has two ports connecting to Nexus 55XX Switch 01, and these are in a port channel. Firewall02 has two ports connecting to Nexus 55XX Switch 02, and these are in a port channel. VLAN 10 uses subnet 10.10.10.0/28.

Nexus SW01 : VLAN 10 with HSRP

The firewalls' VLAN 10 gateway is the HSRP IP address.

SW01 : 10.10.10.2

SW02 : 10.10.10.3

HSRP IP : 10.10.10.1

FW01 : 10.10.10.4

FW02 : 10.10.10.5

Problem: I am not able to ping Firewall IPs from Nexus Switches.

When I checked the ARP entries for the firewall IPs, I observed in the ARP table that both firewall IPs have the same MAC address. I have checked that MAC address on the firewall; it is the port channel MAC address on the firewall.

I am thinking this is an issue (same MAC address for both IPs). How do I resolve this issue?

Thanks

Venkat

2 Replies

Marvin Rhoads
Hall of Fame

Generally speaking the firewalls' portchannels should each have a unique MAC address. By default it should be the lowest numbered channel group interface MAC address as the port-channel MAC address. (Reference)

When failover occurs, a gratuitous ARP should establish the newly active ASA as associated with the proper address.

Since you mentioned having a Nexus core, you aren't running a VPC for the portchannel are you? Also, are you using the NX-OS arp synchronize feature? (Reference)

Hi Marvin,

I am not using vPC for this port channel.
