
New Member

Active Standby ASA Failover interface Mac address

Hi Everyone,

When the ASA is configured as Active and Standby, the failover interface never swaps the IP address, but the other interfaces do.

I need to know: when the standby ASA becomes active, will it swap the MAC address with the failover interface of the active ASA?

Regards

Mahesh


8 REPLIES
Super Bronze

Active Standby ASA Failover interface Mac address

Hi,

The interface IP address and MAC address of the Active unit should always be the same.

When the failover happens, the former Standby device, which now becomes Active, should get the same IP address and MAC address as the previous Active unit.

So essentially there is no change in the ARP for connected devices when the Active ASA changes, and therefore there should be no outage in the connections and traffic forwarding.

- Jouni

New Member

Active Standby ASA Failover interface Mac address

Hi Jouni,

As per the CBT videos, the failover interface does not swap the IP address, but all other interfaces swap the IP address?

Is this correct?

I also need to confirm whether the failover interface MAC address gets swapped or not.

Regards

Mahesh

Super Bronze

Active Standby ASA Failover interface Mac address

Hi,

To my understanding they do as we specifically configure a primary and a standby IP address for the Failover link also.

I don't really have any Failover pair handy with which I could confirm this, but I would imagine that the Active unit always keeps the primary IP address configured with the "failover" command:

failover interface ip x.x.x.1 255.255.255.0 standby x.x.x.2

- Jouni

New Member

Re: Active Standby ASA Failover interface Mac address

Hi Jouni,

I also cannot test at home, as I have only 1 ASA with a Plus license, nor can I at work.

At work only if we have some scheduled change for ASA.

Let's see if someone in the forum can confirm if this is true or not.

Best regards

Mahesh

Super Bronze

Re: Active Standby ASA Failover interface Mac address

Hi,

The old CCNP Firewall book does seem to mention that there is no change for Failover LAN interfaces:

"The address swap occurs on every ASA interface except the LAN failover, which always remains unchanged"

- Jouni

New Member

Re: Active Standby ASA Failover interface Mac address

Hi Jouni,

So does it mean that they never swap IPs, right?

Thanks

Mahesh

Super Bronze

Re: Active Standby ASA Failover interface Mac address

Hi,

Seems they stay the same. I was not aware of this, though I guess it is something you might miss, as you are actually looking at the Data interfaces' IP/MAC addresses if you are seeing trouble with a Failover pair.

What I find very strange is that this isn't clearly stated in the Configuration Guide or Command Reference of the ASA. Or at least I don't see a specific mention about the actual Failover link/interface, but rather the mention of the Data interfaces, which do change IP and MAC. (Or I have completely missed it.)

Yet it's stated in some older documents.

Here is a quote:

"The failover link IP address and MAC address do not change at failover. The active IP address for the failover link always stays with the primary unit, while the standby IP address stays with the secondary unit."

Source:

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080aefd11.shtml#pri

- Jouni

New Member

Active Standby ASA Failover interface Mac address

Hi Jouni,

Many thanks that we both came to the same conclusion.

Best regards

Mahesh
