Solved: ASA HA pair broadcasting duplicate MAC

pbarendse · ‎05-10-2016

We are using 2 ASA 5512 firewalls as HA pair. Both are uplinked to a switch owned and configured by the ISP in a datacenter. Some time ago one of the uplink ports went to err-disabled on the switch. The messages show that a duplicate MAC address is seen. Further investigation shows that the MAC address concerned is the MAC of the outside interface for the standby ASA. This MAC is sent both by itself as by the primary ASA.

Can this have something to do with the fact that proxy ARP is enabled on the outside?

Henrik Grankvist · ‎05-10-2016

Hi

What MAC address does the primary and the secondary firewall have?

View solution in original post

Henrik Grankvist · ‎05-10-2016

Hi

What MAC address does the primary and the secondary firewall have?

pbarendse · ‎05-19-2016

MAC address outside interface primary ASA: bc16.65b4.93c3
MAC address outside interface secondary ASA: 78da.6e99.384d

jan.nielsen · ‎05-10-2016

With an ASA in Active/Standby mode the ip and the interface mac address moves from one ASA to another when a failover event occurs, this could be what you are seeing. The ISP should probably disable whatever protections they have in place in that vlan, as this is common ASA behaviour.

pbarendse · ‎05-11-2016

Hello Jan,

I know about the behaviour you are mentioning. That is actually not what is happening. The primary, active firewall is also broadcasting the MAC address of the secondary, passive firewall. Disabling the protection on the switch has been discussed with the provider but they are not allowing that unfortunately...