05-10-2016 05:44 AM - edited 03-12-2019 12:44 AM
We are using 2 ASA 5512 firewalls as an HA pair. Both are uplinked to a switch owned and configured by the ISP in a datacenter. Some time ago one of the uplink ports went to err-disabled on the switch. The messages show that a duplicate MAC address is seen. Further investigation shows that the MAC address concerned is the MAC of the outside interface of the standby ASA. This MAC is sent both by the standby itself and by the primary ASA.
Can this have something to do with the fact that proxy ARP is enabled on the outside?
05-10-2016 10:57 AM
Hi
What MAC address does the primary and the secondary firewall have?
05-19-2016 04:11 AM
MAC address outside interface primary ASA: bc16.65b4.93c3
MAC address outside interface secondary ASA: 78da.6e99.384d
05-10-2016 11:23 AM
With an ASA in Active/Standby mode, the IP and the interface MAC address move from one ASA to the other when a failover event occurs; this could be what you are seeing. The ISP should probably disable whatever protections they have in place in that VLAN, as this is common ASA behaviour.
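As an added illustration (not part of this reply or of the original thread), the Python script below shows how to tell the expected failover MAC move apart from the condition the thread describes, where two units source the same MAC at the same time. It runs over a constructed list of switch MAC-learning events; the port names, timestamps and the tuple shape of the events are assumptions made for the example, and only the two outside-interface MACs are taken from the thread.

```python
"""Classify switch MAC-learning events as a failover "move" or a true "duplicate".

Added example, not code from the original thread. The event format
(timestamp_seconds, port, mac, action) with action "learn" or "age" is an
assumption; real switches log this in their own syslog formats.

A MAC that is learned on port B only after it aged out of port A has one
sender at a time: that is what an ASA Active/Standby failover looks like.
A MAC that is learned on port B while it is still present on port A has two
concurrent senders, which is what a duplicate-MAC guard or port security
acts on (err-disable).
"""
from collections import defaultdict

# Constructed sample events, not real switch logs. The two MACs are the
# outside-interface MACs quoted in the thread; ports and times are assumed.
SAMPLE_EVENTS = [
    (0,   "Gi1/0/1", "bc16.65b4.93c3", "learn"),  # primary ASA outside MAC
    (0,   "Gi1/0/2", "78da.6e99.384d", "learn"),  # secondary ASA outside MAC
    (60,  "Gi1/0/1", "bc16.65b4.93c3", "age"),    # primary stops sending (failover)
    (61,  "Gi1/0/2", "bc16.65b4.93c3", "learn"),  # active MAC moves: expected
    (120, "Gi1/0/1", "78da.6e99.384d", "learn"),  # secondary MAC also on port 1
]


def classify_mac_events(events):
    """Return {mac: [(kind, ts, from_port, to_port), ...]}.

    kind is "moved" when the MAC appeared on a new port after leaving the old
    one, and "duplicate" when it appeared on a new port while still present
    on another port.
    """
    present = defaultdict(set)     # mac -> ports currently sourcing it
    last_port = {}                 # mac -> port it was most recently learned on
    findings = defaultdict(list)   # mac -> list of findings

    # Stable sort on timestamp keeps same-second events in input order.
    for ts, port, mac, action in sorted(events, key=lambda e: e[0]):
        ports = present[mac]
        if action == "age":
            ports.discard(port)
            continue
        if action != "learn":
            raise ValueError(f"unknown action {action!r}")
        if port in ports:
            continue                       # refresh on the same port, nothing new
        if ports:
            # Still live elsewhere: two devices are sending with this MAC now.
            for other in sorted(ports):
                findings[mac].append(("duplicate", ts, other, port))
        elif mac in last_port and last_port[mac] != port:
            # Gone from the old port before appearing here: a clean move.
            findings[mac].append(("moved", ts, last_port[mac], port))
        ports.add(port)
        last_port[mac] = port
    return dict(findings)


def duplicate_macs(findings):
    """MACs that a duplicate-MAC guard would err-disable a port for."""
    return sorted(mac for mac, items in findings.items()
                  if any(kind == "duplicate" for kind, *_ in items))


if __name__ == "__main__":
    result = classify_mac_events(SAMPLE_EVENTS)
    for mac, items in result.items():
        for kind, ts, src, dst in items:
            print(f"{mac}: {kind} at t={ts}s from {src} to {dst}")
    print("err-disable candidates:", duplicate_macs(result))
```

Running it on the constructed events reports the primary's MAC as a clean move (port 1 to port 2) and the secondary's MAC as a duplicate, since it is learned on port 1 while still present on port 2; that second case is the one the ISP's switch will not tolerate regardless of what the ASA considers normal failover behaviour.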
05-11-2016 12:53 AM
Hello Jan,
I know about the behaviour you are mentioning. That is actually not what is happening. The primary, active firewall is also broadcasting the MAC address of the secondary, passive firewall. Disabling the protection on the switch has been discussed with the provider but they are not allowing that unfortunately...