12-06-2019 05:52 AM
Situation:
2x 5516-X running 9.8(4)12 in Active/Standby failover.
I've configured failover macs like this:
failover mac address GigabitEthernet1/1 0000.abcd.0001 0000.abcd.0002
failover mac address GigabitEthernet1/2 0000.abcd.0001 0000.abcd.0002
This is working fine. The Active unit takes 0001 and the Standby unit takes 0002; even during an active/standby swap or a reboot of ONE unit this works fine.
However, as soon as both units reboot at the same time, the following happens during boot:
Reading from flash...
!!!!!!!............ERROR: Failover mac address cannot be configured when failoveris disabled
*** Output from config line 587, "failover mac address Gig..."
ERROR: Failover mac address cannot be configured when failoveris disabled
*** Output from config line 588, "failover mac address Gig..."
....
Cryptochecksum (unchanged): c24f9b94 391e5d54 bb3ac0cb 61c133fb
INFO: Power-On Self-Test in process.
.......................................................................
INFO: Power-On Self-Test complete.
INFO: Starting HW-DRBG health test...
INFO: HW-DRBG health test passed.
INFO: Starting SW-DRBG health test...
INFO: SW-DRBG health test passed.
User enable_1 logged in to HOSTNAME
Logins over the last 1 days: 1.
Failed logins since the last login: 0.
Type help or '?' for a list of available commands.
HOSTNAME> .
No Active mate detected
Beginning configuration replication: Sending to mate.
End Configuration Replication to mate
So the first unit boots and a few seconds later the second unit boots.
The first unit checks the configuration, discovers that failover is not running and removes the failover MACs from the configuration.
The failover process kicks in on the first unit.
The second unit is also done booting. The first unit detects this and sends its configuration to the mate, but without the failover MACs, because they were removed from the configuration during boot of the first unit.
Now what? I'm not going to reconfigure the failover MACs after each power outage.
Any ideas?
12-06-2019 06:51 AM - edited 12-06-2019 06:52 AM
It seems that your failover is not configured properly, as you show in the logs when the box boots up:
ERROR: Failover mac address cannot be configured when failoveris disabled
Can you show us what the failover configuration is on both of your ASAs, and what you see when you give the command show failover?
You have to make sure your configurations are like this on each box.
ASA1
!
failover
failover lan unit prim
failover lan interface FAILOVER GigabitEthernetx/x
failover replication http
failover link LINK GigabitEthernety/y
failover interface ip FAILOVER x.x.x.x 255.255.255.248 standby x.x.x.x
failover interface ip LINK x.x.x.x x.x.x.x x.x.x.x
failover mac address GigabitEthernetx/x 0000.abcd.0001 0000.abcd.0002
failover mac address GigabitEthernetx/x 0000.abcd.0001 0000.abcd.0002
ASA2
!
failover
failover lan unit sec
failover lan interface FAILOVER GigabitEthernetx/x
failover replication http
failover link LINK GigabitEthernety/y
failover interface ip FAILOVER x.x.x.x 255.255.255.248 standby x.x.x.x
failover interface ip LINK x.x.x.x x.x.x.x x.x.x.x
failover mac address GigabitEthernetx/x 0000.abcd.0001 0000.abcd.0002
failover mac address GigabitEthernetx/x 0000.abcd.0001 0000.abcd.0002
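The failure mode in the opening post (the "failover mac address" lines silently dropped from one unit after a simultaneous reboot) and the advice above to keep the failover block identical on both boxes can both be turned into a check that runs before anyone relies on the virtual MACs again. The following is an added example, not code from the thread or from Cisco: it parses two running-config excerpts (the samples below are constructed to mirror the thread, with a made-up failover LAN interface GigabitEthernet1/7) and reports any unit where failover is off or a data interface lacks the expected active/standby MAC pair.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample configs modelled on the thread, not real device output.
ASA1_CFG = """\
failover
failover lan unit primary
failover lan interface FAILOVER GigabitEthernet1/7
failover mac address GigabitEthernet1/1 0000.abcd.0001 0000.abcd.0002
failover mac address GigabitEthernet1/2 0000.abcd.0001 0000.abcd.0002
"""
# Second unit after the simultaneous reboot: failover is on, but the
# 'failover mac address' lines were dropped during boot (constructed).
ASA2_CFG = """\
failover
failover lan unit secondary
failover lan interface FAILOVER GigabitEthernet1/7
"""

MAC_RE = re.compile(r"^failover mac address (\S+) (\S+) (\S+)[ \t]*$", re.M)

def parse_failover_macs(cfg: str) -> Dict[str, Tuple[str, str]]:
    """Map interface -> (active MAC, standby MAC) from 'failover mac address' lines."""
    return {m.group(1): (m.group(2), m.group(3)) for m in MAC_RE.finditer(cfg)}

def failover_enabled(cfg: str) -> bool:
    """True only if a bare 'failover' line is present and no 'no failover' line is."""
    on = re.search(r"^failover[ \t]*$", cfg, re.M) is not None
    off = re.search(r"^no failover[ \t]*$", cfg, re.M) is not None
    return on and not off

def check_failover_macs(primary_cfg: str, secondary_cfg: str,
                        expected: Dict[str, Tuple[str, str]]) -> List[str]:
    """Return findings; an empty list means both units carry the expected virtual MACs."""
    findings: List[str] = []
    for name, cfg in (("primary", primary_cfg), ("secondary", secondary_cfg)):
        if not failover_enabled(cfg):
            findings.append(f"{name}: failover is disabled")
        macs = parse_failover_macs(cfg)
        for intf, pair in expected.items():
            if intf not in macs:
                findings.append(f"{name}: no failover mac address for {intf}")
            elif macs[intf] != pair:
                findings.append(f"{name}: {intf} has {macs[intf]}, expected {pair}")
    return findings

# The virtual MACs the thread's author intends to see on every data interface.
EXPECTED = {"GigabitEthernet1/1": ("0000.abcd.0001", "0000.abcd.0002"),
            "GigabitEthernet1/2": ("0000.abcd.0001", "0000.abcd.0002")}

if __name__ == "__main__":
    for line in check_failover_macs(ASA1_CFG, ASA2_CFG, EXPECTED) or ["OK: virtual MACs consistent"]:
        print(line)
```

Feed it the output of "show running-config failover" from each unit after a power event; a non-empty result is the signal that the virtual MACs must be re-applied before the next switchover, which is exactly the condition that produces the ARP problems the author wants to avoid.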
12-08-2019 10:41 PM
Thanks for your reply.
I will double check the configuration, but as far as I know the active/standby failover works just fine, even after a full reboot of the cluster. I just want to have the MACs customised so I don't run into ARP issues with the provider.
If you ask me, it's some kind of order-of-operations issue during boot, which only happens when there is no mate to copy the configuration from, i.e. when both the primary and secondary unit are down.
12-09-2019 04:18 AM
In active/standby failover the active device uses the primary unit's MAC addresses. In the event of a failover the secondary firewall becomes active and takes over the primary MAC address of the firewall, whereas the previously active box, now standby, takes over the standby unit's MAC addresses. After the standby box becomes active it sends out a gratuitous ARP on the network.
The gratuitous ARP is an ARP request that the firewall sends out on the Ethernet network with the source and destination IP addresses both set to the active IP address. The destination MAC address is the Ethernet broadcast address ffff.ffff.ffff. All devices on the Ethernet segment process this broadcast frame and update their ARP table with this information. Using gratuitous ARP, the layer 2 devices (the switches) also update the content addressable memory (CAM) table with the MAC address and the updated switch port information.
When the secondary ASA boots up before the primary ASA it uses its physical MAC addresses as the active layer 2 addresses. When the primary appliance boots up, the secondary swaps the MAC addresses and uses the primary appliance's physical MAC address as active. Therefore the use of virtual MAC addresses is recommended to avoid network disruptions.
12-11-2019 04:42 AM
Seems to be bug CSCvp99358