Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2002
Views
0
Helpful
8
Replies

Active Standby ASA Failover interface Mac address

Go to solution
mahesh18
Level 6
Level 6

‎08-04-2013 10:23 AM - edited ‎03-11-2019 07:21 PM

Hi Everyone,

When ASA is config as Active and standby then the failover interface never swap the IP address but other interfaces do.

Need to know when standby ASA  becomes active will it swap the mac address with Failover  interface of Active ASA?

Regards

MAhesh

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni
In response to Jouni Forss

‎08-04-2013 12:32 PM

Hi,

The old CCNP Firewall book does seem to mention that there is no chance for Failover LAN interfaces

"The address swap occurs on every ASA interface except the LAN failover, which always remains unchanged"

- Jouni

View solution in original post

0 Helpful

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni
In response to mahesh18

‎08-04-2013 01:02 PM

Hi,

Seems they stay the same. I was not aware of this though I guess it something you might miss as you are actually looking at the Data interfaces IP/MAC addresses if you are seeing trouble with a Failover pair.

What I find very strange is that this isnt clearly stated in the Configuration Guide or Command Reference of the ASA. Or atleast I don't see a specific mention about the actual Failover link/interface but rather the mention of the Data interfaces which do change IP and MAC. (Or I have completely missed it)

Yet its stated in some older documents

Here is a quote:

The failover link IP address and MAC address do not change at                 failover. The active IP address for the failover link always stays with the                 primary unit, while the standby IP address stays with the secondary unit.

Source:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080aefd11.shtml#pri

- Jouni

View solution in original post

0 Helpful
8 Replies 8

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni

‎08-04-2013 11:58 AM

Hi,

The interface IP address and MAC address of the Active unit should always be the same.

When the Failover happens the formed Standby device which now becomes Active should get the same IP address and MAC address as the previous Active unit.

So essentially there is no change in the ARP for connected devices hen the Active ASA changes and therefore there should be no outage in the connections and traffic forwarding.

- Jouni

0 Helpful

Go to solution
mahesh18
Level 6
Level 6
In response to Jouni Forss

‎08-04-2013 12:17 PM

Hi Jouni,

As per CBT  videos it says Failover interface do not swap the IP address but all other interfaces swap the IP address?

Is this correct?

Need to confirm also failover interface mac address also get swapped or not?

Regards

MAhesh

0 Helpful

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni
In response to mahesh18

‎08-04-2013 12:27 PM

Hi,

To my understanding they do as we specifically configure a primary and a standby IP address for the Failover link also.

I don't really have any Failover pair handy with which I could confirm this but I would imagine that the Active unit always keeps the primary IP address configured with "failover" command

failover interrface ip x.x.x.1 255.255.255.0 standby x.x.x.2

- Jouni

0 Helpful

Go to solution
mahesh18
Level 6
Level 6
In response to Jouni Forss

‎08-04-2013 12:32 PM

Hi Jouni,

I also can not test at home as i have only 1 asa with plus license nor i can at  work.

At work only if we have some scheduled change for ASA.

Lets see if someone  in forum can confirm if this is true or not?

Best regards

Mahesh

0 Helpful

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni
In response to Jouni Forss

‎08-04-2013 12:32 PM

Hi,

The old CCNP Firewall book does seem to mention that there is no chance for Failover LAN interfaces

"The address swap occurs on every ASA interface except the LAN failover, which always remains unchanged"

- Jouni

0 Helpful

Go to solution
mahesh18
Level 6
Level 6
In response to Jouni Forss

‎08-04-2013 12:35 PM

Hi jouni,

So does it mean that they never swap ips right?

Thanks

Mahesh

0 Helpful

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni
In response to mahesh18

‎08-04-2013 01:02 PM

Hi,

Seems they stay the same. I was not aware of this though I guess it something you might miss as you are actually looking at the Data interfaces IP/MAC addresses if you are seeing trouble with a Failover pair.

What I find very strange is that this isnt clearly stated in the Configuration Guide or Command Reference of the ASA. Or atleast I don't see a specific mention about the actual Failover link/interface but rather the mention of the Data interfaces which do change IP and MAC. (Or I have completely missed it)

Yet its stated in some older documents

Here is a quote:

The failover link IP address and MAC address do not change at                 failover. The active IP address for the failover link always stays with the                 primary unit, while the standby IP address stays with the secondary unit.

Source:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080aefd11.shtml#pri

- Jouni

0 Helpful

Go to solution
mahesh18
Level 6
Level 6
In response to Jouni Forss

‎08-04-2013 02:02 PM

Hi Jouni,

Many thanks that we both came to same conclusion.

Best regards

Mahesh

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card