Cisco Support Community
Community Member

recommended port-security settings for ASA HA failover

I have a pair of ASA 5510s configured in active/standby mode. I have already configured the failover settings on the firewalls. Both firewalls are connected to a 2960G. I made a change to the interfaces on the 2960 to allow two MAC addresses on each port. Here is the switch port config:

interface GigabitEthernet0/8
 description ASA-Primary-Out
 switchport access vlan 200
 switchport mode access
 switchport port-security maximum 2
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 ip arp inspection limit rate 500
 no cdp enable
 spanning-tree portfast
 spanning-tree bpduguard enable

Upon testing failover via the failover active command, I get port-security errors on the outside interface for each device:

%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address aaaa.bbbb.cccc on port GigabitEthernet0/8.

After a few minutes, the error goes away and I can then connect to each firewall. It seems that it still waits for the aging time to expire before allowing the other MAC address. Shouldn't the "maximum 2" setting allow for both MAC addresses?

I'd rather not have to hardcode the firewall's MAC addresses on each switchport because I could see this causing problems for us down the road. Is there anything else that can be done?

1 REPLY
Cisco Employee

Hello,

This is expected because of the way ASA failover works. When a failover event occurs, the 2 units will swap their IP and MAC addresses (i.e. the Active unit is always using the same IP and MAC, but this role changes between the 2 physical units).

Per the port-security config guide:

http://www.cisco.com/en/US/docs/switches/lan/catalyst2960/software/release/12.2_25_fx/configuration/guide/swtrafc.html#wp1090391

"...if a station with a secure MAC address configured or learned on one secure port attempts to access another secure port, a violation is flagged."

Since the MAC address moves to the other switchport when the failover happens, a violation is being logged.

-Mike
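To make the reply's point concrete, here is an added simulation (not code from the original thread or from Cisco) of the Catalyst port-security rules that matter in this thread: a per-port secure address table with a maximum, inactivity aging, and the rule that a MAC already secured on one port is a violation when it appears on another secure port. It reuses the Gi0/8 port name and the MAC aaaa.bbbb.cccc from the question; the second port name Gi0/9, the standby MAC aaaa.bbbb.dddd and the minute-granularity timeline are assumptions. The scenario runs a failover and shows that `maximum 2` is never the limit that trips, and that the violation clears only once the old port's entry has aged out.

```python
from dataclasses import dataclass, field

# Two distinct violation causes a port-security implementation can raise.
VIOLATION_MAX = "max-secure-addresses-exceeded"
VIOLATION_MOVE = "mac-secured-on-another-port"


@dataclass
class SecurePort:
    name: str
    maximum: int                 # switchport port-security maximum N
    aging_time: int              # minutes, inactivity aging; 0 disables aging
    secure: dict = field(default_factory=dict)   # mac -> last seen (minute)


class PortSecuritySim:
    """Minimal model of port-security on one VLAN; times are whole minutes."""

    def __init__(self):
        self.ports = {}
        self.violations = []     # (minute, port, mac, reason)

    def add_port(self, name, maximum=1, aging_time=0):
        self.ports[name] = SecurePort(name, maximum, aging_time)

    def _age_out(self, now):
        # Inactivity aging: drop entries not refreshed within aging_time.
        for p in self.ports.values():
            if p.aging_time:
                for mac in [m for m, t in p.secure.items() if now - t >= p.aging_time]:
                    del p.secure[mac]

    def frame(self, port_name, mac, now):
        """Ingress frame from `mac` on `port_name`; None = forwarded, else reason."""
        self._age_out(now)
        port = self.ports[port_name]
        if mac in port.secure:               # known on this port: refresh timer
            port.secure[mac] = now
            return None
        # The rule the reply quotes: a MAC secured elsewhere is a violation here,
        # regardless of how much room this port's maximum still has.
        if any(mac in o.secure for o in self.ports.values() if o is not port):
            self.violations.append((now, port_name, mac, VIOLATION_MOVE))
            return VIOLATION_MOVE
        if len(port.secure) >= port.maximum:
            self.violations.append((now, port_name, mac, VIOLATION_MAX))
            return VIOLATION_MAX
        port.secure[mac] = now               # dynamically learned secure address
        return None


def failover_scenario(aging_time=2, failover_at=6, end=9):
    """Replay the thread: both ports 'maximum 2', then ASA failover swaps the MACs.

    Returns the post-failover outcomes as (minute, port, mac, result)."""
    active_mac = "aaaa.bbbb.cccc"    # from the question's syslog line
    standby_mac = "aaaa.bbbb.dddd"   # constructed standby MAC
    sim = PortSecuritySim()
    sim.add_port("Gi0/8", maximum=2, aging_time=aging_time)   # ASA-Primary-Out
    sim.add_port("Gi0/9", maximum=2, aging_time=aging_time)   # assumed secondary port
    for t in range(failover_at):                  # steady state before failover
        sim.frame("Gi0/8", active_mac, t)
        sim.frame("Gi0/9", standby_mac, t)
    results = []
    for t in range(failover_at, end):             # after 'failover active': MACs swap ports
        results.append((t, "Gi0/9", active_mac, sim.frame("Gi0/9", active_mac, t)))
        results.append((t, "Gi0/8", standby_mac, sim.frame("Gi0/8", standby_mac, t)))
    return results


if __name__ == "__main__":
    for row in failover_scenario():
        print(row)
```

With the thread's `aging time 2` / `aging type inactivity`, the first frames after the swap are flagged with the move reason while the old port still holds the address, and forwarding resumes once two idle minutes have passed on the old port; with aging disabled (`aging_time=0`) the violation never clears, and in neither run is the `maximum 2` limit what trips.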
