Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

Blue

ASA firewalls with identical ifPhysAddress

I posted over at the Firewall subform, but I've found a little more info that's more pertinent to Network Management: I have a problem with a third-party nms tool that keeps getting confused about two different multi-context ASAs in separate geographic regions. These two ASAs are not a failover pair, so they shouldn't be taking over each other's MAC addr. It turns out the tool is confused by the identical ifPhysAddress reported by both ASAs:

snmpwalk asa1 interfaces.ifTable.ifEntry.ifPhysAddress

interfaces.ifTable.ifEntry.ifPhysAddress.1 : OCTET STRING- (hex): length = 6

0: 00 a0 c9 04 01 01 -- -- -- -- -- -- -- -- -- -- ................

snmpwalk asa2 interfaces.ifTable.ifEntry.ifPhysAddress

interfaces.ifTable.ifEntry.ifPhysAddress.3 : OCTET STRING- (hex): length = 6

0: 00 a0 c9 04 01 01 -- -- -- -- -- -- -- -- -- -- ................

However, I don't find this MAC addr anywhere in the "system", "admin", and presumably any other contexts of the two ASAs. I see no overlap in MAC addr ranges, according to "show interface" and "show module".

My question is: How is ifPhysAddress populated? Is it controlled by any configurable setting via CLI or ASDM? What's the impact of changing this ifPhysAddress to make it unique? Is it service-interrupting?

3 REPLIES
Cisco Employee

Re: ASA firewalls with identical ifPhysAddress

It looks like this only occurs in ASA code 7.x. I have an ASA running 8.0 code, and my MAC is different. However, I have seen a few ASA bugs which had interface output showing the same MAC for all interfaces. Changing the MAC would be service-impacting as ARP entries would need to be updated. If you do change them, you should do so in a maintenance window.

Blue

Re: ASA firewalls with identical ifPhysAddress

Do you have "no mac-address auto" configured on your ASA? According to TAC, it's because of this:

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/mngcntxt.html#wpxref18679

We have "no mac-address auto" on all the ASAs' "system" config, yet only these two ASAs are using auto-generated virtual MAC addrs on the management0/0 interface in their contexts. The other ASAs use the physical (burnt-in) MAC addrs, which TAC doesn't have an explanation for. TAC says their lab ASA behaves the same (in terms of using auto-generated virtual MAC with "no mac-address auto") as these two ASAs my NMS tools is having trouble telling apart.

Cisco Employee

Re: ASA firewalls with identical ifPhysAddress

I saw mention of mac-address auto, but I am not using it. I am not using contexts on my ASA, either.

330
Views
0
Helpful
3
Replies