topic Hi in Network Security

ASA HA pair broadcasting duplicate MAC

pbarendse — Tue, 12 Mar 2019 07:44:06 GMT

We are using 2 ASA 5512 firewalls as HA pair. Both are uplinked to a switch owned and configured by the ISP in a datacenter. Some time ago one of the uplink ports went to err-disabled on the switch. The messages show that a duplicate MAC address is seen. Further investigation shows that the MAC address concerned is the MAC of the outside interface for the standby ASA. This MAC is sent both by itself as by the primary ASA.

Can this have something to do with the fact that proxy ARP is enabled on the outside?

Hi

Henrik Grankvist — Tue, 10 May 2016 17:57:34 GMT

What MAC address does the primary and the secondary firewall have?

With an ASA in Active/Standby

jan.nielsen — Tue, 10 May 2016 18:23:07 GMT

With an ASA in Active/Standby mode the ip and the interface mac address moves from one ASA to another when a failover event occurs, this could be what you are seeing. The ISP should probably disable whatever protections they have in place in that vlan, as this is common ASA behaviour.

Hello Jan,

pbarendse — Wed, 11 May 2016 07:53:59 GMT

Hello Jan,

I know about the behaviour you are mentioning. That is actually not what is happening. The primary, active firewall is also broadcasting the MAC address of the secondary, passive firewall. Disabling the protection on the switch has been discussed with the provider but they are not allowing that unfortunately...

MAC address outside interface

pbarendse — Thu, 19 May 2016 11:11:53 GMT

MAC address outside interface primary ASA: bc16.65b4.93c3
MAC address outside interface secondary ASA: 78da.6e99.384d