I have two Cisco ASA 55xx series firewalls. These two are in HA mode. Firewall01 has two ports connecting to Nexus 55XX Switch 01, and these are in a port channel. Firewall02 has two ports connecting to Nexus 55XX Switch 02, and these are in a port channel. VLAN 10 has the subnet 10.10.10.0/28.
Nexus SW01 : VLAN 10 with HSRP
The firewalls' VLAN 10 gateway is the HSRP IP address.
SW01 : 10.10.10.2
SW02 : 10.10.10.3
HSRP IP : 10.10.10.1
FW01 : 10.10.10.4
FW02 : 10.10.10.5
Problem: I am not able to ping Firewall IPs from Nexus Switches.
When I checked the ARP entries for the firewall IPs, I observed in the ARP table that both firewall IPs have the same MAC address. I checked that MAC address on the firewall; it is the port-channel MAC address on the firewall.
I think this is the issue (the same MAC address for both IPs). How do I resolve it?
Generally speaking, the firewalls' port-channels should each have a unique MAC address. By default, the port-channel MAC address should be the MAC address of the lowest-numbered channel-group member interface. (Reference)
When failover occurs, a gratuitous ARP should establish the newly active ASA as the owner of the proper address.
Since you mentioned having a Nexus core, you aren't running a vPC for the port-channel, are you? Also, are you using the NX-OS ARP synchronize feature? (Reference)
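The check the asker did by hand (reading the Nexus ARP table and noticing two IPs resolving to one MAC) is easy to automate. The script below is an added example, not code from the original thread or from Cisco: it parses the text of an NX-OS `show ip arp` command and reports every MAC address that more than one IP resolves to. The sample output is constructed to mirror the symptom described in the question; the column layout (Address, Age, MAC Address, Interface, Flags) is the usual NX-OS format, and `INCOMPLETE` entries are skipped because they carry no MAC to compare.

```python
import re
from collections import defaultdict

# Constructed sample of NX-OS "show ip arp" output (not taken from the post).
# 10.10.10.4 and 10.10.10.5 (the two firewalls) share one MAC, as described
# in the question; 10.10.10.9 is an unresolved entry that must be ignored.
SAMPLE_SHOW_IP_ARP = """\
IP ARP Table for context default
Total number of entries: 4
Address         Age       MAC Address     Interface       Flags
10.10.10.3      00:00:31  0011.aabb.ccdd  Vlan10
10.10.10.4      00:02:13  0011.2233.4455  Vlan10
10.10.10.5      00:01:08  0011.2233.4455  Vlan10
10.10.10.9      00:00:05  INCOMPLETE      Vlan10
"""

# One ARP entry: IPv4 address, age, dotted-quad-ish Cisco MAC or INCOMPLETE,
# and the interface name. Header and summary lines never match.
ENTRY_RE = re.compile(
    r"^(\d{1,3}(?:\.\d{1,3}){3})\s+"           # IP address
    r"(\S+)\s+"                                # age (hh:mm:ss or '-')
    r"([0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}|INCOMPLETE)\s+"
    r"(\S+)"                                   # interface
)


def parse_show_ip_arp(text):
    """Return a list of (ip, mac, interface) tuples for resolved entries.

    MACs are normalised to lower case so that the same address written
    with different capitalisation is grouped together. INCOMPLETE entries
    (no MAC learned yet) are skipped.
    """
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        ip, _age, mac, iface = m.groups()
        if mac.upper() == "INCOMPLETE":
            continue
        entries.append((ip, mac.lower(), iface))
    return entries


def find_shared_macs(entries):
    """Map each MAC that more than one IP resolves to -> sorted list of IPs."""
    by_mac = defaultdict(set)
    for ip, mac, _iface in entries:
        by_mac[mac].add(ip)
    return {mac: sorted(ips) for mac, ips in by_mac.items() if len(ips) > 1}


def report(text):
    """Human-readable summary of duplicate-MAC findings for a show ip arp dump."""
    shared = find_shared_macs(parse_show_ip_arp(text))
    if not shared:
        return "No MAC address is shared by more than one IP."
    lines = []
    for mac, ips in sorted(shared.items()):
        lines.append(f"MAC {mac} is claimed by {len(ips)} IPs: {', '.join(ips)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_SHOW_IP_ARP))
```

Run it against a real dump by piping `show ip arp vlan 10` output into a file and passing its contents to `report()`. Treat a hit as a lead rather than proof: a single interface that carries secondary addresses will legitimately show several IPs on one MAC, whereas two physically separate firewall units in an HA pair answering for their own interface IPs with one MAC is the anomaly the thread is about.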