Sankar, thank you very much for your response. Below are the answers to your questions:

1. Can you ping the standby IP from the Secondary (now active) unit?

No

2. Do you see an arp entry on the Secondary unit for that IP address mapped to the standby MAC?

Yes. On the secondary unit (which is Active now), the arp table shows the secondary IP maaped to the secondary MAC

3. Are you able to ping the active IP from the core switch?

yes

4. Are you able to ping the standby IP from the core swtich?

No

5. Does the core switch have arp entries for both these IPs? - sh arp

Yes.

The primary IP is mapped to the MAC of the primary unit (which is secondary now) and the seconday IP is mapped to the secondary MC(which is Active nonw).

6. Does the core swtich have these mac-address listed in the cam table? - sh mac-address-table vlan

Yes.

Like your nick ccie_candidate!

Aren't we all ccie_candidates???  ;-)

Federico.

Yeah good candidate!

Anyway, don't get confused with primary, secondary and active and standby.

5. Does the core switch have arp entries for both these IPs? - sh arp

Yes.

It showed both of them? Active IP had the active MAC associated and the standby IP had the standby IP associated with standby MAC ??

The  primary IP is mapped to the MAC of the primary unit (which is secondary  now) and the seconday IP is mapped to the secondary MC(which is Active  nonw).

6. Does the core swtich have these mac-address listed in the cam table? - sh mac-address-table vlan

Yes. It showed both of them? Did it learn them from the correct port? If so next step to capture on the standby unit (Primary) to see if these icmp packets from the swtich are arriving or not.

cap capin int inside match icmp host swich_ip host standby_ip

-KS

Sankar:

I did the capture and the ICMP packet are not hitting the firewall (secondary IP on Primary Unit which is standby now).

However, I can ping the switch from the secondary IP but cannot ping the secondary IP from the switch.

Thanks alot.

Primary and Secondary - have config lines on them to indicate that they are pri or sec. That never does change. Although, the roles that they take changes.

Pri can be active or standby

sec can be active or standby

I got confused with these terms myself when I first started.

You are saying the (pri) standby IP can ping the switch but, not the other way around. When you ping from the switch the packets are not coming to this firewall.  Well, then it is not the firewall's fault then if the packets don't arrive.

How about debug ip icmp or debug icmp trace on the switch and on the Pri/standby unit.

Is the switch sending it to the correct mac address? Verify that on the Pri/standby with a "sh interface" and make sure the mac matches.

Also, issue "sh asp table routing | in identity" and make sure the inside standby IP shows here.

-KS

Sankar:

Ok. let give you the whole setup now.

******************************************************************************************************************************************

Primary firewall: sh ver

Ethernet0/1         : address is 0013.c480.1111

sh arp

Inside 192.168.1.1 0013.c480.111

sh failover

This host: Primary - Standby Ready
                Active time: 0 (sec)
                Interface Inside (192.168.1.2): Normal

sh int

Interface Ethernet0/1 "Inside", is up, line protocol is up
   BW 1000 Mbps, DLY 10 usec
        Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
        MAC address 0013.c480.222
        IP address 192.168.1.2

Secondary Firewall

Ethernet0/1         : address is 0013.c480.222

sh arp

Inside 192.168.1.2 0013.c480.222

sh failover

This host: Seondary- Active

                Interface Inside (192.168.1.1): Normal

sh int

Interface Ethernet0/1 "Inside", is up, line protocol is up
   BW 1000 Mbps, DLY 10 usec
        Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
        MAC address 0013.c480.111
        IP address 192.168.1.1

Core Switch

sh arp

192.168.1.2           28   0013.c480.222

192.168.1.1           28   0013.c480.111

ping 192.168.1.1

.!!!!
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/4 ms

ping 192.168.1.2

.....
Success rate is 0 percent (0/5)

***********************************************************************************************
so to me, everything switched over fine. Dont' you think so? So, I am still at lost why I can't get to the secondary IP?

Hmm..You didn't provide "sh mac-address-table vlan " output from the switch.

I'd also like to see "sh mac-address-table int " for the interface where this Primary ASA's e01/ is plugged in.  Did that port show it learned the standby mac 0013.c480.222? It should becuase it sent ICMP request to the switch and the switch should have learned the mac.

Also have you tried debug icmp on the switch and on the asa? Did they show anything interesting?

-KS

Here they are

0013.c480.222   dynamic  Yes          5   Gi1/1 (port connected to Primary)

0013.c480.111   dynamic  Yes          0   Gi2/1 (port connected to secondary)

sh mac-address-table int Gi1/1
Legend: * - primary entry
        age - seconds since last seen
        n/a - not available

  vlan   mac address     type    learn     age              ports
------+----------------+--------+-----+----------+--------------------------
  0009.0fc4.555   dynamic  Yes          0   Gi1/1
  0013.c480.222   dynamic  Yes          5   Gi1/1

So, yes, it has learnt the stndby mac address. I can't figure out who has the other mac address it the switch is learning from port 1/1

Update:

I failed back to Primary and was able to ping the stndby IP but couldn't ping the primary IP and lost internet connectivity.

So, there is something going on between the primary firewall and the core switch.

sh arp | i   0009.0fc4.555

I'd move the primary's inside interface to another port on the switch.

It would be good to span the port g1/1 on the switch to see what traffic it is seeing and what is being sent up to the Pri/standby MAC.

-KS