topic That's odd. in Network Security

ASA 5525 FAILOVER PROBLEMS

ml12129 — Tue, 12 Mar 2019 09:27:00 GMT

Hey guys, here's a question.

Last year, we depolyed 2 ASAs, and they are configured as failover mode.

Use these commands:

failover interface ip lan_failover 192.168.1.1 255.255.255.0 standby 192.168.1.2
failover interface ip stateful_failover 192.168.2.1 255.255.255.0 standby 192.168.2.2

interface Port-channel2
lacp max-bundle 8
nameif outside
security-level 50
ip address 10.30.14.251 255.255.248.0 standby 10.30.14.252

But this week, we configured 2 new ASAs, still in failover mode, and these 4 ASAs are in the same subnet, we use the same configure, only different is the outside interface.

failover interface ip lan_failover 192.168.1.1 255.255.255.0 standby 192.168.1.2
failover interface ip stateful_failover 192.168.2.1 255.255.255.0 standby 192.168.2.2

interface Port-channel2
lacp max-bundle 8
nameif outside
security-level 50
ip address 10.30.14.253 255.255.248.0 standby 10.30.14.254

So, in my opion, the failover link is just connect to each other, it will not effect the whole network, but when we capture the packet in broadcast domain, we found some 192.168.x.x packets, so is it OK? Thx!~~~

How are your lan_failover and

Marvin Rhoads — Thu, 01 Jun 2017 08:10:05 GMT

How are your lan_failover and stateful_failover interfaces connected? i.e. is it a direct cable or via an intermediate switch?

Generally we would not expect to see the ASA flood out any interface except the connected ones for a given subnet.

Thanks for reply. Direct

ml12129 — Fri, 02 Jun 2017 03:45:14 GMT

Thanks for reply. Direct cable. 1st ASA's G0/6 connect to 2nd ASA's G0/6.

1st ASA's G0/7 connect to 2nd ASA's G0/7.

That's odd.

Marvin Rhoads — Fri, 02 Jun 2017 03:50:52 GMT

That's odd.

Have you conirmed that the source MAC address for the 192.168.x.x traffic is an ASA interface?