ASA active/standby failover with mac address

waqas gondal
Level 1

Hi,

 

I have 2 ASA 5512 appliances running version 9.14 and will be doing active/standby failover between them. I was wondering if the config I have planned for them is accurate and where I would add the virtual mac addresses for the Gi0/0 and Gi0/1 interfaces. Would it be on the interface itself or with the failover commands?

 

Regards,

 

Waqas

1 Accepted Solution

Marvin Rhoads
Hall of Fame

In addition to what you have, you should add to each unit the global configuration command "failover".

We generally don't manually configure the MAC addresses in single context mode since the ASA will automatically assign virtual MAC addresses and manage their moving to the newly active unit in the event of a failover event. Reference.

7 Replies

Thanks for your response,

 

I am aware that the failover command is needed, I left it out so I would only enter it when both units were ready. I was under the impression that the MAC address was needed to avoid arp issues if the secondary device took over.

 

And I am running these devices in single context mode.

 

Regards,

 

Waqas

Marvin,

 

The first part of your post is correct, both units need to have the 'failover' command; however, the ASA will NOT assign virtual MAC addresses in single context mode.  By default, the burned-in MAC address of the ASA that you designate as the primary FW in the failover pair corresponds to the active IP address of the given data interface.  The burned-in MAC address of the secondary unit corresponds to the standby address of the SAME interface.  In order to maintain a seamless switchover in the event of a failover, the ASAs will swap both the active MAC and IP addresses for each data interface.  If you do NOT configure a standby IP address, then no standby MAC address will be maintained.  So best practice is to configure virtual MAC addresses in an Active/Standby setup running in single-context mode (Active/Standby failover is the only option when you are running in single-context mode) with the goal of achieving a stateful failover.

 

Basic Failover Configuration for Primary and Secondary ASAs (using IPsec site-to-site tunneling to protect the failover link - only works in a stateful failover deployment):

 

failover
failover lan unit primary
failover lan interface FOC Gi0/6
failover replication http
failover link FOS Gi0/7
failover interface ip FOC 192.168.10.1 255.255.255.0 standby 192.168.10.2
failover interface ip FOS 192.168.11.1 255.255.255.0 standby 192.168.11.2
failover ipsec pre-shared-key *****


! Secondary unit: the failover interface names and addresses must match the
! primary exactly; only 'failover lan unit' differs. The 'failover interface ip'
! lines reference FOC and FOS, so the lan/link interfaces are named the same
! way here (the original snippet declared a single FAILOVER name on Gi0/7,
! which the ip lines would not match).
failover
failover lan unit secondary
failover lan interface FOC GigabitEthernet0/6
failover replication http
failover link FOS GigabitEthernet0/7
failover interface ip FOC 192.168.10.1 255.255.255.0 standby 192.168.10.2
failover interface ip FOS 192.168.11.1 255.255.255.0 standby 192.168.11.2
failover ipsec pre-shared-key *****

You don't have to use 2 x physical interfaces for the failover control and the OPTIONAL stateful links, but if you have the interfaces to do so and you have an extremely high amount of traffic it is a good idea to do so.  I hope this helps to clear up any confusion.

Hi,

The point of having a virtual MAC address is not for the case in which you don't have a standby IP address, because, even in this case, in the event of a failover, both IP and MAC will move to the secondary unit. (as you said)

 

The point of having a virtual MAC for an A/S scenario is that in which the secondary unit boots first, and uses for some time its own burned-in/physical MAC address because it does not know the MAC of the primary unit (currently offline).

If the primary unit comes online after some time, the active/secondary unit will change its MAC to be the one of the primary unit, possibly causing some service disruption.

 

(for instance, ASA doesn't send gratuitous ARPs for static NAT, so you have to clear the ARP cache of some adjacent L3 device)

 

Thanks,

Octavian
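The boot-order scenario Octavian describes can be modelled in a few lines. The script below is an added example, not code from the thread or from Cisco: it tracks which MAC the active IP of one data interface presents as units come online, first without a virtual MAC (active MAC follows the primary's burned-in address once the primary is known) and then with a 'failover mac address' entry. The burned-in addresses and the virtual MAC are constructed values.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed burned-in addresses for the two units (not from the thread).
PRIMARY_BIA = "0011.2233.4401"
SECONDARY_BIA = "0011.2233.4402"


@dataclass
class Unit:
    role: str      # "primary" or "secondary"
    bia: str       # burned-in MAC of this unit
    online: bool = False


@dataclass
class Pair:
    primary: Unit
    secondary: Unit
    # Active MAC from 'failover mac address <if> <active> <standby>', or None
    # when no virtual MAC is configured for the interface.
    virtual_active: Optional[str] = None

    def active_mac(self) -> Optional[str]:
        """MAC presented on the active IP address of one data interface."""
        if not (self.primary.online or self.secondary.online):
            return None
        if self.virtual_active:
            # A virtual MAC belongs to the active role, so whichever unit
            # currently holds that role uses it; neither BIA appears on the wire.
            return self.virtual_active
        if self.primary.online:
            # Once the primary is known, the active IP uses the primary's BIA;
            # a secondary that is still active adopts it (the MAC change
            # Octavian describes).
            return self.primary.bia
        # Secondary booted alone: it can only use its own BIA.
        return self.secondary.bia


def mac_timeline(boot_order: List[str], virtual_active: Optional[str] = None) -> List[str]:
    """Active MAC observed after each unit in boot_order comes online."""
    pair = Pair(Unit("primary", PRIMARY_BIA), Unit("secondary", SECONDARY_BIA), virtual_active)
    seen = []
    for role in boot_order:
        getattr(pair, role).online = True
        seen.append(pair.active_mac())
    return seen


def mac_changes(timeline: List[str]) -> int:
    """Number of times the active MAC changed; each change is a chance for a
    stale ARP entry on the adjacent L3 device."""
    return sum(1 for a, b in zip(timeline, timeline[1:]) if a != b)


if __name__ == "__main__":
    for order in (["primary", "secondary"], ["secondary", "primary"]):
        for vmac in (None, "a201.0b0a.0001"):
            t = mac_timeline(order, vmac)
            print(order, "virtual MAC" if vmac else "BIA only", t, "changes:", mac_changes(t))
```

Running it shows the only sequence with a MAC change is secondary-first boot without a virtual MAC; with the virtual MAC configured the active MAC is constant in every ordering.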

 

 

Thank you for that information, but I am already aware of that and it was not included b/c it was not part of the question.

 

Thanks,

 

Shawn

OK, I have this config. Are the 1st MACs virtual and the second MACs the burned-in address of the secondary ASA? See bottom 4 lines.
failover
failover lan unit primary
failover lan interface failover Management0/0
failover replication http
failover mac address GigabitEthernet0/1 4403.a701.54c1 d48c.b5c2.6151
failover mac address GigabitEthernet0/2 4403.a701.54c2 d48c.b5c2.6152
failover mac address GigabitEthernet0/3 4403.a701.54c3 d48c.b5c2.6153
failover mac address GigabitEthernet0/0 4403.a701.54c0 d48c.b5c2.6150

Hi jroy777,

 

Your configuration is close, but we still need to work on it.  If you are ONLY asking me to look at the bottom four lines, then the answer to your question is "no".  The idea of using virtual MAC addresses is to take the BIA MAC addresses out of the picture so they should ALL be virtual.  See an example below:

 

failover mac address GigabitEthernet1/1 a201.0b0a.0001 a201.0a0a.0002
failover mac address GigabitEthernet1/2 a201.0b0b.0001 a201.0a0b.0002
failover mac address GigabitEthernet1/3 a201.0b0c.0001 a201.0a0c.0002
failover mac address GigabitEthernet1/4 a201.0b0d.0001 a201.0a0d.0002

 

NONE of the MAC addresses listed above are the BIA MACs from either of the ASAs...they are 100% made-up and need to be that way for many reasons.  The IP addresses for the interfaces and the rest of the failover configuration on both the Primary and Secondary units are critical as well, but I am merely answering your question about the virtual MACs for the interfaces you are using in the failover configuration of the Primary ASA.  The virtual MAC addresses listed for each interface are in the following order:

 

Primary ASA Virtual MAC               Secondary ASA Virtual MAC

 

Please do NOT use the BIA in your configuration and let me know if I can answer any other question(s) that you have.  Thank you.

 

Shawn
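Two mistakes come up in this thread: a secondary-unit snippet whose 'failover interface ip' names do not match its 'failover lan interface'/'failover link' names, and 'failover mac address' entries that reuse a burned-in address or repeat a MAC. The checker below is an added example, not code from the thread or from Cisco; it parses a failover config snippet and reports both classes of problem. The sample configs and the burned-in addresses it is given are constructed.

```python
import re
from typing import Dict, List, Set, Tuple

# Cisco dotted-hex MAC format, e.g. a201.0b0a.0001
MAC_RE = re.compile(r"^[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}$")


def parse_failover(config: str) -> dict:
    """Collect declared failover interface names, the names referenced by
    'failover interface ip', and per-interface (active, standby) virtual MACs."""
    names: Set[str] = set()
    ip_refs: List[str] = []
    macs: Dict[str, Tuple[str, str]] = {}
    for raw in config.splitlines():
        parts = raw.strip().split()
        if not parts or parts[0] == "!":
            continue
        if parts[:3] == ["failover", "lan", "interface"] and len(parts) >= 4:
            names.add(parts[3])
        elif parts[:2] == ["failover", "link"] and len(parts) >= 3:
            names.add(parts[2])
        elif parts[:3] == ["failover", "interface", "ip"] and len(parts) >= 4:
            ip_refs.append(parts[3])
        elif parts[:3] == ["failover", "mac", "address"] and len(parts) == 6:
            macs[parts[3]] = (parts[4].lower(), parts[5].lower())
    return {"names": names, "ip_refs": ip_refs, "macs": macs}


def check_failover(config: str, bia_macs: Set[str]) -> List[str]:
    """Return a list of problems; empty means the snippet passed every check."""
    p = parse_failover(config)
    problems: List[str] = []
    for name in p["ip_refs"]:
        if name not in p["names"]:
            problems.append(f"'failover interface ip {name}' refers to an undeclared failover interface name")
    seen: Dict[str, str] = {}   # mac -> "interface/role" where first used
    for ifname, (active, standby) in p["macs"].items():
        for role, mac in (("active", active), ("standby", standby)):
            if not MAC_RE.match(mac):
                problems.append(f"{ifname}: malformed {role} MAC {mac}")
                continue
            if int(mac[:2], 16) & 1:
                problems.append(f"{ifname}: {role} MAC {mac} is a multicast address")
            if mac in bia_macs:
                problems.append(f"{ifname}: {role} MAC {mac} is a burned-in address, use a made-up one")
            if mac in seen:
                problems.append(f"{ifname}: {role} MAC {mac} already used by {seen[mac]}")
            else:
                seen[mac] = f"{ifname}/{role}"
    return problems


# Constructed burned-in addresses of the two units (not from the thread).
CONSTRUCTED_BIAS = {"0011.2233.4401", "0011.2233.4402"}

# Constructed snippet with the name mismatch plus two bad MAC entries.
BAD_SECONDARY = """
failover
failover lan unit secondary
failover lan interface FAILOVER GigabitEthernet0/7
failover link FAILOVER GigabitEthernet0/7
failover interface ip FOC 192.168.10.1 255.255.255.0 standby 192.168.10.2
failover interface ip FOS 192.168.11.1 255.255.255.0 standby 192.168.11.2
failover mac address GigabitEthernet0/1 a201.0b0a.0001 0011.2233.4402
failover mac address GigabitEthernet0/2 a201.0b0b.0001 a201.0b0b.0001
"""

# Constructed snippet that passes: consistent names, all-virtual, unique MACs.
GOOD_PRIMARY = """
failover
failover lan unit primary
failover lan interface FOC GigabitEthernet0/6
failover link FOS GigabitEthernet0/7
failover interface ip FOC 192.168.10.1 255.255.255.0 standby 192.168.10.2
failover interface ip FOS 192.168.11.1 255.255.255.0 standby 192.168.11.2
failover mac address GigabitEthernet0/1 a201.0b0a.0001 a201.0a0a.0002
failover mac address GigabitEthernet0/2 a201.0b0b.0001 a201.0a0b.0002
"""

if __name__ == "__main__":
    for label, cfg in (("bad", BAD_SECONDARY), ("good", GOOD_PRIMARY)):
        print(label, check_failover(cfg, CONSTRUCTED_BIAS) or "OK")
```

Feed it the running config of each unit (the 'failover' section of 'show running-config') together with the real burned-in addresses from 'show interface'; an empty result means the virtual MACs are neither BIAs nor duplicates and every 'failover interface ip' line matches a declared failover interface.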
