topic Re: ASA Failover in Network Security

ASA Failover

John.Mayer — Fri, 24 May 2024 05:35:54 GMT

Hi Everyone

Just had a little bit of a confusion with ASA failover and was wondering if anyone had any experience with it

I have two ASA 5500-X in failover mode (Active/Standby), each connected to a different switch in vPC.

I checked the Active and Standby ASA interface MAC addresses on SWT1 and SWT2, and I've got xxx (ASA-Act) MAC on SWT1 as local interface and yyy (ASA-Stdby) MAC on SWT1 as learned via vPC links, but once it fails over, yyy (ASA-Stbdy) becomes local and xxx (ASA-Act) becomes remote on SWT1. it looks like the MAC addresses are changed with failover between ASAs. (I have the same situation when I check by SWT2)

Re: ASA Failover

balaji.bandi — Fri, 24 May 2024 06:11:00 GMT

Is this causing the issue or MAC address changing is the concern here ?

if this is virtual MAC address that is expected : check below guide :

MAC Addresses and IP Addresses

https://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/general/asa_91_general_config/ha_failover.html#pgfId-1209028

Re: ASA Failover

MHM Cisco World — Fri, 24 May 2024 06:16:42 GMT

You need to config PO from each ASA to both NSK.

To be more sure can you share your topology

MHM

Re: ASA Failover

John.Mayer — Mon, 27 May 2024 03:45:38 GMT

It makes sense, but the virtual MAC is not necessarily needed, correct?
My only problem was not being able to tell which physical device is active at the time (the only way to do that is to check the config for failover unit command).

MAC Addresses and IP Addresses in Failover

When you configure your interfaces, you can specify an active IP address and a standby IP address on the same network. Generally, when a failover occurs, the new active unit takes over the active IP addresses and MAC addresses. Because network devices see no change in the MAC to IP address pairing, no ARP entries change or time out anywhere on the network.

Re: ASA Failover

John.Mayer — Mon, 27 May 2024 03:46:59 GMT

Re: ASA Failover

Marvin Rhoads — Mon, 27 May 2024 04:00:38 GMT

Yes, this is normal. When ASAs are configured in an active-standby high availability pair, the MAC address will change dynamically when failover occurs. This happens whether or not you specify a virtual MAC.

Behind the scenes, the newly active member of the HA pair sends a gratuitous ARP to assert ownership of the MAC address associated with the primary interface IP addresses for each data plane interface. This minimizes impact on traffic flowing through the devices as the neighbors do not have to wait for their ARP tables to time out or be manually reset to re-establish the flows.

If there are standby IP addresses configured (these are optional), the newly standby member will do the same for those.

Re: ASA Failover

MHM Cisco World — Mon, 27 May 2024 06:25:29 GMT

https://www.cisco.com/c/dam/en/us/td/docs/switches/datacenter/sw/design/vpc_design/vpc_best_practices_design_guide.pdf

page 96

this how you config ASA HA with NSK vPC what you do I think is not correct

MHM

Re: ASA Failover

balaji.bandi — Mon, 27 May 2024 07:22:22 GMT

Sure that way you going to check which one is active and standby - with show commands.

Or if you have NMS you can see on the nexus what interface having more traffic that is active unit

if you have syslog configured you can see the messages when the failover take place - there are number of ways you can detect failover and active unit.