08-20-2010 08:05 AM - edited 03-11-2019 11:28 AM
Will it cause issues if the burned-in mac addresses are used as the virtual mac addresses when configuring failover on an ASA? Or will that cause issues in the case where the secondary comes up first and assumes the active state using the mac addresses off the primary? Some delay in applying the virtual mac addresses or something on the primary?
Or is it a better idea to define your own random mac addresses and use those instead as the virtual mac addresses?
08-20-2010 08:14 AM
What exactly do you mean by virtual mac address?
When in failover, the mac address of the primary is used when the primary comes up first, and when the secondary becomes active it gets this mac address.
When, in a failover pair, the secondary comes up first, the failover cluster does not detect a primary, so it will use the mac of the secondary to pass traffic.
Hope this is what you need.
You can read more here:
https://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/failover.html#wp1091288
08-20-2010 08:25 AM
When the secondary comes up first and the primary is not available it will use its own mac address and not that of the primary. When the primary comes up the mac address will be updated to be that of the primary causing a short interruption. The recommendation is to configure a virtual mac address (https://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/failover.html#wp1073913) so that this does not happen.
Instead of inventing a set of mac addresses to use (and hoping that at some point there won't be duplication, etc.), I wondered if it would cause issues to just use the actual physical mac addresses and configure those as the virtual mac addresses.
08-20-2010 08:36 AM
Hey Ben,
I would think this will not cause problems. Since the virtual MACs will take precedence over the actual MAC addresses, even if we have the actual MAC addresses as the virtual MACs, there shouldn't be a problem. But I must tell you that I have not really tried this before, and also, the probabilities of duplication if you use invented virtual MAC addresses are really low.
Thanks,
Prapanch
08-20-2010 08:48 AM
I couldn't think of any reason why it wouldn't work, just wondered if anyone had tried it and ran into something goofy.
Thanks
08-20-2010 08:50 AM
I think I will leave it for someone who has tried this to answer whether there can be any glitches. But my thought too is that it should work just fine. If you manage to try it out, let us know how it goes.
Thanks and Regards,
Prapanch
09-21-2012 12:57 PM
I would like to do the same and set the virtual MAC address as the real MAC address of the current active unit. My reason is the ISP is very unresponsive (>4 hours) to clear their arp table, which makes it difficult to plan some future upgrades.
Has anyone set the virtual to be the same as the real MAC address?
03-08-2016 09:49 AM
You can't do it, the ASA rejects this and gives an error:
DC-FW/unit1/master(config)# int po 23
DC-FW/unit1/master(config-if)# mac-address 8d64.2406.1cb7
ERROR: active address equals to burn-in address
DC-FW/unit1/master(config-if)# int po 24
DC-FW/unit1/master(config-if)# mac-address 8d64.2406.1cbd
ERROR: active address equals to burn-in address
06-06-2017 02:15 PM
Wanted to clarify this answer - the syntax for defining the failover mac addresses is 'failover mac address <interface> <active mac> <standby mac>'
And yes you can use the interface physical MAC addresses when using the failover syntax.
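The thread ends with two facts: the interface-level `mac-address` command refuses a value equal to the burned-in address, while `failover mac address <interface> <active mac> <standby mac>` accepts the physical addresses. The script below is an added example, not code from the thread or from Cisco. It builds the `failover mac address` lines for an Active/Standby pair in either of the two ways discussed: reusing each unit's burned-in MAC (so the ISP's ARP entry never has to change, as the 2012 poster wanted), or deriving invented virtual MACs in the locally-administered unicast range, which by construction cannot collide with any vendor-assigned burned-in address, the duplication worry raised early in the thread. The interface names, burned-in MACs and seed are constructed sample values, and the planner's checks (uniqueness, no overlap with burned-in addresses) are this example's own, not something the ASA does for you.

```python
"""Plan virtual (failover) MAC addresses for a Cisco ASA Active/Standby pair.

Added example, not part of the forum thread.  Input is the burned-in MAC of
the primary and secondary unit per interface (constructed sample values);
output is a list of 'failover mac address <if> <active> <standby>' lines,
the syntax given in the thread's last reply.
"""
import hashlib
import re

# Cisco notation: hhhh.hhhh.hhhh
MAC_RE = re.compile(r"^[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}$")

# Constructed sample data (hypothetical interfaces and addresses):
# interface name -> (primary burned-in MAC, secondary burned-in MAC)
BURNED_IN = {
    "GigabitEthernet0/0": ("0012.3456.7890", "0012.3456.ab01"),
    "GigabitEthernet0/1": ("0012.3456.7891", "0012.3456.ab02"),
}


def parse_mac(text):
    """Parse Cisco 'hhhh.hhhh.hhhh' notation into a 6-byte value."""
    if not MAC_RE.match(text):
        raise ValueError(f"not a Cisco-format MAC: {text!r}")
    return bytes.fromhex(text.replace(".", ""))


def format_mac(raw):
    """Render 6 bytes back into lowercase Cisco notation."""
    h = raw.hex()
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"


def is_unicast_locally_administered(raw):
    """Bit 0 of the first octet clear (unicast), bit 1 set (locally administered)."""
    first = raw[0]
    return (first & 0x01) == 0 and (first & 0x02) == 0x02


def derive_virtual_mac(seed, interface, role):
    """Deterministic locally-administered unicast MAC from a per-site seed.

    Setting the U/L bit keeps the result out of every vendor-assigned OUI, so
    it can never equal a burned-in address on any device.
    """
    digest = hashlib.sha256(f"{seed}|{interface}|{role}".encode()).digest()
    first = (digest[0] | 0x02) & 0xFE
    return bytes([first]) + digest[1:6]


def plan_failover_macs(interfaces, mode, seed=None):
    """Return 'failover mac address ...' config lines.

    mode == "reuse":  active = primary burned-in, standby = secondary burned-in.
    mode == "derive": both addresses derived from `seed` (locally administered).
    Raises ValueError on malformed input, duplicates, or overlap with a
    burned-in address in derive mode.
    """
    burned_in = set()
    for pri, sec in interfaces.values():
        burned_in.add(parse_mac(pri))
        burned_in.add(parse_mac(sec))
    if len(burned_in) != 2 * len(interfaces):
        raise ValueError("burned-in addresses are not unique across the pair")

    chosen = set()
    lines = []
    for name in sorted(interfaces):
        pri, sec = interfaces[name]
        if mode == "reuse":
            active, standby = parse_mac(pri), parse_mac(sec)
        elif mode == "derive":
            if seed is None:
                raise ValueError("derive mode needs a seed")
            active = derive_virtual_mac(seed, name, "active")
            standby = derive_virtual_mac(seed, name, "standby")
            for mac in (active, standby):
                if mac in burned_in:
                    raise ValueError(f"{format_mac(mac)} collides with a burned-in address")
        else:
            raise ValueError(f"unknown mode {mode!r}")

        for mac in (active, standby):
            if mac in chosen:
                raise ValueError(f"duplicate virtual MAC {format_mac(mac)} on {name}")
            chosen.add(mac)
        lines.append(f"failover mac address {name} {format_mac(active)} {format_mac(standby)}")
    return lines


if __name__ == "__main__":
    for line in plan_failover_macs(BURNED_IN, "reuse"):
        print(line)
    for line in plan_failover_macs(BURNED_IN, "derive", seed="site-A"):
        print(line)
```

Whichever mode is used, paste the emitted lines into the failover configuration on the active unit; in reuse mode the active address is exactly the primary's burned-in MAC, which the thread confirms the `failover mac address` command accepts even though the per-interface `mac-address` command rejects it.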