ASA HA pair broadcasting duplicate MAC

pbarendse
Level 1

We are using 2 ASA 5512 firewalls as an HA pair. Both are uplinked to a switch owned and configured by the ISP in a datacenter. Some time ago one of the uplink ports went err-disabled on the switch. The messages show that a duplicate MAC address is seen. Further investigation shows that the MAC address concerned is the MAC of the outside interface of the standby ASA. This MAC is sent both by the standby ASA itself and by the primary ASA.

Can this have something to do with the fact that proxy ARP is enabled on the outside?

Accepted Solution

Hi

What MAC address does the primary and the secondary firewall have?


4 Replies

MAC address outside interface primary ASA: bc16.65b4.93c3
MAC address outside interface secondary ASA: 78da.6e99.384d

jan.nielsen
Level 7

With an ASA in Active/Standby mode, the IP and the interface MAC address move from one ASA to the other when a failover event occurs; this could be what you are seeing. The ISP should probably disable whatever protections they have in place in that VLAN, as this is common ASA behaviour.

Hello Jan,

I know about the behaviour you are mentioning. That is actually not what is happening. The primary, active firewall is also broadcasting the MAC address of the secondary, passive firewall. Disabling the protection on the switch has been discussed with the provider but they are not allowing that unfortunately...
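As an added example (not code from the thread, from Cisco, or from the ISP), here is a small Python script that correlates switch MAC-flap and err-disable messages with the burned-in outside-interface MACs posted above and reports on which unit's port each address was learned. The two MAC addresses are the ones given in the thread; the switch port names, the VLAN, the cabling map and the log lines themselves are constructed assumptions, since the thread does not name the ISP's switch model or quote its exact syslog wording.

```python
"""Correlate switch MAC-flap / err-disable messages with an ASA HA pair's
burned-in interface MACs, to show which unit is sourcing a given address.

Added example, not code from the thread.  The two MACs are the ones quoted
in the thread; port names, VLAN and log wording are assumptions.
"""
import re

# Burned-in outside-interface MACs of the two units, as posted in the thread.
UNIT_MACS = {
    "bc16.65b4.93c3": "primary",
    "78da.6e99.384d": "secondary",
}

# Assumed cabling: which ISP switch port each unit's outside interface is on.
PORT_TO_UNIT = {
    "Gi1/0/11": "primary",
    "Gi1/0/12": "secondary",
}

# Constructed sample log, loosely modelled on Cisco IOS syslog wording.
SAMPLE_LOG = """\
Jun 12 10:39:55.002: %SW_MATM-4-MACFLAP_NOTIF: Host 0011.2233.4455 in vlan 200 is flapping between port Gi1/0/3 and port Gi1/0/4
Jun 12 10:41:03.115: %SW_MATM-4-MACFLAP_NOTIF: Host 78DA.6E99.384D in vlan 200 is flapping between port Gi1/0/11 and port Gi1/0/12
Jun 12 10:41:03.118: %PM-4-ERR_DISABLE: error detected on Gi1/0/12, putting Gi1/0/12 in err-disable state
"""

FLAP_RE = re.compile(
    r"Host (?P<mac>[0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4}) in vlan (?P<vlan>\d+) "
    r"is flapping between port (?P<p1>\S+) and port (?P<p2>\S+)"
)
ERRDISABLE_RE = re.compile(r"putting (?P<port>\S+) in err-disable state")


def parse_log(text):
    """Return (flaps, errdisabled): one dict per MAC-flap notification and
    the set of ports the switch reports as err-disabled."""
    flaps, errdisabled = [], set()
    for line in text.splitlines():
        m = FLAP_RE.search(line)
        if m:
            flaps.append({
                "mac": m["mac"].lower(),      # normalise case before dict lookups
                "vlan": int(m["vlan"]),
                "ports": (m["p1"], m["p2"]),
            })
            continue
        m = ERRDISABLE_RE.search(line)
        if m:
            errdisabled.add(m["port"])
    return flaps, errdisabled


def classify_flaps(flaps, unit_macs=UNIT_MACS, port_to_unit=PORT_TO_UNIT):
    """For each flapping MAC that belongs to one of the ASA units, work out
    which units sourced it (via the ports it was learned on) and list any
    unit other than the address's owner.  A non-empty unexpected_senders is
    the symptom the thread describes: one unit's burned-in MAC also being
    sent from the other unit's port."""
    findings = []
    for f in flaps:
        owner = unit_macs.get(f["mac"])
        if owner is None:
            continue                          # some other host, not our pair
        senders = sorted({port_to_unit.get(p, "unknown") for p in f["ports"]})
        findings.append({
            "mac": f["mac"],
            "vlan": f["vlan"],
            "owner": owner,
            "senders": senders,
            "unexpected_senders": [s for s in senders if s != owner],
        })
    return findings


def errdisabled_units(errdisabled, port_to_unit=PORT_TO_UNIT):
    """Map err-disabled ports back to the ASA unit cabled to each of them."""
    return {port: port_to_unit.get(port, "unknown") for port in sorted(errdisabled)}


if __name__ == "__main__":
    flaps, down = parse_log(SAMPLE_LOG)
    for f in classify_flaps(flaps):
        print(f"{f['mac']} (owner: {f['owner']}) learned from {f['senders']}; "
              f"unexpected senders: {f['unexpected_senders'] or 'none'}")
    print("err-disabled ports:", errdisabled_units(down))
```

Run it as-is to see the constructed case. To use it against real output, paste the switch's log into SAMPLE_LOG and set PORT_TO_UNIT to the actual cabling; a finding whose unexpected_senders is non-empty means an address belonging to one unit was learned on the other unit's port, which is the situation this thread is about.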
