A lot of Mac ... moved from interface1 to interface2 messages

patoberli
VIP Alumni

Hi

We have the following setup:

A Catalyst 6500 running 12.2(33)SXI6 with an FWSM 3.2(18) and an ASA5585 8.4.3(9) connected, plus the same setup a second time, with HSRP on the Catalysts and Active/Standby on both firewalls.

The FWSM and the ASA both have several contexts configured, all in transparent mode. Each context has a bridge group configured with two VLANs, called inside and outside on the firewall.

Since we have the first contexts on the new ASA, we have had short outages of all network traffic a few times a day. After searching through the firewall logs, I discovered an Event 412001 at exactly that time with the MAC address of the SVI of the Catalyst. This always takes 30 seconds on the ASA: first the MAC is moved from outside (where it should be) to inside, and then after 30 seconds back to outside.

After I found that, I also checked the FWSM logs and actually found the same error there. The only difference was that the FWSM takes under 1 second to move the MAC twice, so the users and systems don't register this issue.

I'm open to ideas now. I've now tried setting the mac-address-table timeout to 720 minutes on the ASA, just to see if that helps.

Some other information:

- the SVI on the Cat exists only for the outside (its HSRP IP is the clients' primary gateway)

- in this example the SVI is 1140

- the outside on the ASA is bound to VLAN 1140, the inside to VLAN 140

- VLAN 1140 is known only to the Catalyst in the rest of the network

Here is an output from the Catalyst:

6509R-1250#sh mac add | inc 0000.0c07.ac00    !!! output filtered for only vlan 140 and 1140, Po100 is the connection to the ASA
   140  0000.0c07.ac00   dynamic  Yes          5   Po100
* 1140  0000.0c07.ac00    static  No           -   Router

Anybody any ideas?

I hope I didn't forget anything....

Thanks,

Patrick
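The symptom described in the post above (412001 events where the gateway MAC leaves the outside interface and returns 30 seconds later on the ASA, but within a second on the FWSM) can be checked for automatically in collected syslog. This is an added example, not code from the thread or from Cisco; the "Mon DD YYYY hh:mm:ss host" line prefix, the host names and the sample log lines are constructed, and only the 412001 message body follows the ASA/FWSM format.

```python
import re
from datetime import datetime

# Constructed sample syslog lines (not taken from the thread). The timestamp/host
# prefix is an assumption about the collector's format; the body is the 412001 text
# "MAC <mac> moved from <if1> to <if2>" as logged by the ASA and FWSM.
SAMPLE_LOG = [
    "Jan 10 2013 09:15:02 asa-ctx1 %ASA-4-412001: MAC 0000.0c07.ac00 moved from outside to inside",
    "Jan 10 2013 09:15:02 fwsm-ctx1 %FWSM-4-412001: MAC 0000.0c07.ac00 moved from outside to inside",
    "Jan 10 2013 09:15:03 fwsm-ctx1 %FWSM-4-412001: MAC 0000.0c07.ac00 moved from inside to outside",
    "Jan 10 2013 09:15:32 asa-ctx1 %ASA-4-412001: MAC 0000.0c07.ac00 moved from inside to outside",
    "Jan 10 2013 11:40:11 asa-ctx1 %ASA-4-412001: MAC 0011.2233.4455 moved from inside to outside",
]
# Where each policed MAC is supposed to live: the HSRP/VSS gateway MAC belongs on outside.
EXPECTED = {"0000.0c07.ac00": "outside"}

MOVE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+\d{4}\s+\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+"
    r"%(?:ASA|FWSM)-\d-412001:\s+MAC\s+(?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})"
    r"\s+moved from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)",
    re.IGNORECASE,
)

def parse_moves(lines):
    """Extract (timestamp, host, mac, from_if, to_if) from every 412001 line."""
    moves = []
    for line in lines:
        m = MOVE_RE.search(line)
        if m:
            ts = datetime.strptime(m["ts"], "%b %d %Y %H:%M:%S")
            moves.append((ts, m["host"], m["mac"].lower(), m["src"], m["dst"]))
    return moves

def find_flaps(moves, expected):
    """Pair each departure of a MAC from its expected interface with its return.
    Returns (host, mac, seconds_away); a MAC that has not returned yields no entry."""
    flaps, left_at = [], {}
    for ts, host, mac, src, dst in sorted(moves):
        want = expected.get(mac)
        if want is None:
            continue  # not a MAC we police
        key = (host, mac)
        if src == want and dst != want:
            left_at[key] = ts
        elif dst == want and key in left_at:
            flaps.append((host, mac, (ts - left_at.pop(key)).total_seconds()))
    return flaps

if __name__ == "__main__":
    for host, mac, secs in find_flaps(parse_moves(SAMPLE_LOG), EXPECTED):
        # 30 s away (as on the ASA) is long enough for users to notice; ~1 s (FWSM) is not.
        print(f"{host}: {mac} off {EXPECTED[mac]} for {secs:.0f}s" + (" <- outage risk" if secs >= 5 else ""))
```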

8 Replies

patoberli
VIP Alumni

"Shameless" bump of my message.

I've checked the STP topology changes in the meantime. They are much rarer than the 412001 events.

Still having the issue, TAC case now open. Might be hitting http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtr38739&Submit=Search, but not sure yet. I have now received release ASA 841-52, as a downgrade (from 8.4.3 to 8.4.2) did not fix it.

Also removing HSRP did not help (we run VSS now, which again shares the same MAC address on all its SVIs).

It seems to happen more often if we have a lot of STP changes. We use PV-RSTP.

Will keep you updated.

Maybe take some captures on the ASA and see what packets are coming in for that MAC address on the wrong interface?

cheers.

Mohammad .

Is there a way to make a capture based on mac address?

Because it happens only 0-4 times a day, and there is otherwise a lot of traffic.

I've seen your post, which dates from 4 years back. Have you actually solved this problem with Cisco?

Rgds

bonn

Hi Bonn

No, not really solved. The workaround we have implemented is to add the MAC address of the virtual interface on the Catalyst manually on the outside interface of each context on the firewall.

Patrick

Hi Bro

Yes, there is a way to capture based on MAC addresses in a Cisco FW.

Example:

access-list TEST permit ip host 1.1.1.1 host 2.2.2.2
access-list TEST permit ip host 2.2.2.2 host 1.1.1.1
capture TEST access-list TEST in interface inside
show capture TEST detail

The keyword "detail" will display more information for each packet, like the src/dst MAC address, TTL and IP ID. For more information on this, please refer to this Cisco document: https://supportforums.cisco.com/docs/DOC-17814

P/S: if you think this comment is helpful, please do rate them nicely :-)

Warm regards,
Ramraj Sivagnanam Sivajanam

Ok, that is what I feared. I fear it's some kind of broadcast/multicast traffic that leads to this problem. But so far there is no solution other than the workaround.
