Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3959
Views
0
Helpful
8
Replies

Configure active and standby mac address in failover

Go to solution
Chin
Level 1
Level 1

‎06-03-2014 04:58 PM - edited ‎03-11-2019 09:17 PM

Hi guys, 

I just have a doubt that, if I configure the active and standby mac address in failover, does it will cause any downtime? 

As I planning to configure the active and standby mac addresses in failover during production time and not wish that it will bring any downtime to me. 

 

Besides that, just need some guideline that do I need to put all the interfaces' mac addresses in failover?

failover mac address GigabitEthernet0/0 0022.90fe.2000 0022.90fe.2001 
failover mac address GigabitEthernet0/1 0022.90fe.3000 0022.90fe.3001
failover mac address GigabitEthernet0/2 0022.90fe.4000 0022.90fe.4001
failover mac address GigabitEthernet0/3 0022.90fe.5000 0022.90fe.5001
 
Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Marius Gunnerud
VIP
VIP
In response to Chin

‎06-05-2014 03:05 AM

What brand and model is the router connected to the firewalls?  The problem you are having is most likely with the router and not the ASAs.  I am guessing that the router is not accepting the gratuitous ARP when the ASAs failover.  A solution you could try is to do as you are trying to do...set a MAC address to the interfaces on the ASAs and then configure a static ARP entry on the router.

Other than that, you might need to upgrade the software on the router, or perhaps even upgrade the router itself.

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts

View solution in original post

0 Helpful
8 Replies 8

Go to solution
Marius Gunnerud
VIP
VIP

‎06-04-2014 02:12 AM

You will experience a hiccup on the network when this is done as the new mac address will need to be learned / updated on the network devices on the LAN.  And you migh also run into ARP issues and would need to do a clear arp to solve it...but this might not happen.  It is best to do this in a service window.

Why do you want to configure the failover mac for the interfaces?  You don't need to configure the mac address for all interfaces...unless you want to specify the mac for that specific interface.  Why not just let the ASA set up the mac addresses itself?

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts
0 Helpful

Go to solution
Chin
Level 1
Level 1
In response to Marius Gunnerud

‎06-04-2014 11:00 PM

Thanks Marius,

I experiencing the router cannot learn the correct arp entry from secondary firewall while I tried to power off my primary firewall. I have to clean arp to solve the issue in the router. 

My thought that if I put 1 of the interface mac address in failover configuration, that might help the router learn the correct arp entry from primary or secondary router. 

You have mentioned best to do this in service window. What kind of service window to put it to solve this problem?

Thanks

0 Helpful

Go to solution
Marius Gunnerud
VIP
VIP
In response to Chin

‎06-05-2014 03:05 AM

What brand and model is the router connected to the firewalls?  The problem you are having is most likely with the router and not the ASAs.  I am guessing that the router is not accepting the gratuitous ARP when the ASAs failover.  A solution you could try is to do as you are trying to do...set a MAC address to the interfaces on the ASAs and then configure a static ARP entry on the router.

Other than that, you might need to upgrade the software on the router, or perhaps even upgrade the router itself.

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts
0 Helpful

Go to solution
Chin
Level 1
Level 1
In response to Marius Gunnerud

‎06-05-2014 07:28 PM

I am using Cisco 2821 router. I will trying to set a MAC address in my failover configuration. 

Does the set a MAC address to the interfaces in ASA. it just only can use when there are Active/Active firewall?

0 Helpful

Go to solution
Marius Gunnerud
VIP
VIP
In response to Chin

‎06-06-2014 12:46 AM

Does the set a MAC address to the interfaces in ASA. it just only can use when there are Active/Active firewall?

I am not sure what you mean by this?

Once you have set the failover MAC address, on the 2821 router set a static arp entry which maps the ASA virtual IP to the MAC address you have configured (where 1.2.3.4 is the virtual IP and aaaa.aaaa.aaaa is the MAC address you configure):

arp 1.2.3.4 aaaa.aaaa.aaaa arpa

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts
0 Helpful

Go to solution
Chin
Level 1
Level 1
In response to Marius Gunnerud

‎06-09-2014 06:34 PM

Hi Marius, 

Seem like set the failover MAC address was not working for me. 

Last friday I was tested the failover MAC address.

TEST 1
1, Power off primary ASA and secondary ASA work as active.
2, 2821 router able to learn the correct arp entries.

TEST 2
1, Power on primary ASA and failover from secondary to primary. 
2, 2821 router able to learn the correct arp entries from ASA.
3, Set failover MAC address, power off primary ASA and secondary ASA be active.
4, 2821 router unable to learn the correct arp entries.

TEST 3
1, Removed failover MAC address from secondary ASA.
2, 2821 router still unable to learn the correct arp entries from ASA.
3, Power up primary ASA and secondary ASA still in active.
4, 2821 router still unable to learn the correct arp entries from ASA.
5, Reboot 2821 router and it able to learn the arp entries from ASA.

I am not sure this issue from router or from the ASA. But I guess I will try to upgrade the router in term of software and hardware. 

0 Helpful

Go to solution
Marius Gunnerud
VIP
VIP
In response to Marius Gunnerud

‎06-18-2014 11:23 PM

Thank you for the rating smiley

--
Please remember to select a correct answer and rate helpful posts
0 Helpful

Go to solution
Chin
Level 1
Level 1
In response to Marius Gunnerud

‎06-19-2014 05:08 PM

your welcome, just switch to another new router and it solved the issue. 

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card