Cisco Support Community

New Member

ASA active/standby failover with mac address

Hi,

 

I have 2 ASA 5512 appliances running version 9.14 and will be doing active/standby failover between them. I was wondering if the config I have planned for them is accurate and where I would add the virtual mac addresses for the Gi0/0 and Gi0/1 interfaces. Would it be on the interface itself or with the failover commands?

 

Regards,

 

Waqas

1 ACCEPTED SOLUTION

Accepted Solutions
Hall of Fame Super Silver

In addition to what you have,

In addition to what you have, you should add to each unit the global configuration command "failover".

We generally don't manually configure the MAC addresses in single context mode since the ASA will automatically assign virtual MAC addresses and manage their moving to the newly active unit in the event of a failover event. Reference.

3 REPLIES

New Member

Thanks for your response, I

Thanks for your response,

 

I am aware that the failover command is needed, I left it out so I would only enter it when both units were ready. I was under the impression that the MAC address was needed to avoid arp issues if the secondary device took over.

 

And I am running these devices in single context mode.

 

Regards,

 

Waqas

New Member

Re: In addition to what you have,

Marvin,

 

The first part of your post is correct, both units need to have the 'failover' command; however, the ASA will NOT assign virtual MAC addresses in single context mode.  By default, the burned-in MAC address of the ASA that you designate as the primary FW in the failover pair corresponds to the active IP address of the given data interface.  The burned-in MAC address of the secondary unit corresponds to the standby address of the SAME interface.  In order to maintain a seamless switchover in the event of a failover, the ASAs will swap both the active MAC and IP addresses for each data interface.  If you do NOT configure a standby IP address, then no standby MAC address will be maintained.  So best practice is to configure virtual MAC addresses in an Active/Standby setup running in single-context mode (Active/Standby failover is the only option when you are running in single-context mode) with the goal of achieving a stateful failover.

 

Basic Failover Configuration for Primary and Secondary ASAs (using IPsec site-to-site tunneling to protect the failover link - only works in a stateful failover deployment):

 

! Primary unit
! Failover interfaces: FOC carries failover control, FOS carries state replication.
failover lan unit primary
failover lan interface FOC GigabitEthernet0/6
failover link FOS GigabitEthernet0/7
failover interface ip FOC 192.168.10.1 255.255.255.0 standby 192.168.10.2
failover interface ip FOS 192.168.11.1 255.255.255.0 standby 192.168.11.2
failover replication http
failover ipsec pre-shared-key *****
! Enable failover last, once the interfaces and addresses above are in place.
failover

! Secondary unit
! Everything except "failover lan unit" must match the primary: the same
! interface names (FOC/FOS), the same physical ports and the same IP addresses,
! otherwise the two units cannot form the pair.
failover lan unit secondary
failover lan interface FOC GigabitEthernet0/6
failover link FOS GigabitEthernet0/7
failover interface ip FOC 192.168.10.1 255.255.255.0 standby 192.168.10.2
failover interface ip FOS 192.168.11.1 255.255.255.0 standby 192.168.11.2
failover replication http
failover ipsec pre-shared-key *****
failover

You don't have to use 2 x physical interfaces for the failover control and the OPTIONAL stateful links, but if you have the interfaces to do so and you have an extremely high amount of traffic it is a good idea to do so.  I hope this helps to clear up any confusion.
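As an added example that is not part of any post above, this is where the virtual MAC addresses from the original question would go in single context mode: not under the interface, but with the global "failover mac address" command, configured on the primary unit and replicated to the secondary. The MAC values and the data-interface addresses are constructed placeholders; the failover link settings follow the configuration posted above.

```cisco
! Primary unit, single context mode (added example; MACs and data-interface
! addresses are constructed placeholders, not values from this thread).
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ! A standby IP is needed on every data interface: without it the ASA keeps
 ! no standby MAC for that interface, so the switchover is not seamless.
 ip address 203.0.113.2 255.255.255.248 standby 203.0.113.3
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.0.2.1 255.255.255.0 standby 192.0.2.2
!
! Virtual MACs are assigned per physical interface with the global command
!   failover mac address <phys_if> <active_mac> <standby_mac>
! The active MAC follows whichever unit is active, so the ARP caches of the
! adjacent switches and hosts stay valid after a failover. Locally
! administered addresses (second hex digit 2) avoid clashing with real NICs.
failover mac address GigabitEthernet0/0 0200.0000.0a01 0200.0000.0a02
failover mac address GigabitEthernet0/1 0200.0000.0b01 0200.0000.0b02
!
! Failover link settings as posted above; "failover" is entered last so the
! pair is enabled only once the rest of the settings are in place.
failover lan unit primary
failover lan interface FOC GigabitEthernet0/6
failover link FOS GigabitEthernet0/7
failover interface ip FOC 192.168.10.1 255.255.255.0 standby 192.168.10.2
failover interface ip FOS 192.168.11.1 255.255.255.0 standby 192.168.11.2
failover replication http
failover ipsec pre-shared-key <PSK-PLACEHOLDER>
failover
!
! Checks once both units are up and synchronised:
!   show failover                              -> unit roles and interface state
!   show interface GigabitEthernet0/0 | include MAC
!     the active unit reports the active MAC, the standby unit the standby MAC
```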
