01-13-2025 09:40 AM
Hello,
We have a customer who is running their perimeter firewalls in Active/Passive failover. The firewalls are in single context mode. I have the below queries regarding the MAC address that will be used by the primary unit.
1. What will be the MAC address bound to the primary IP? Will the ASA generate a new virtual MAC that will be used with the primary IP address, or will it use the BIA of the primary unit?
2. What will be the MAC address bound to the secondary IP?
3. What is the purpose of configuring failover MAC addresses manually?
4. We are planning to migrate these ASAs to new FTDs running in A/P failover. Since they don’t have failover MACs configured manually on the ASAs now, we need to know whether there will be disruptions during the migration. The customer has some legacy systems and they are concerned about ARP timeout on these systems. The customer does not want to clear the ARP on the foreign devices. They want to have a seamless migration.
Thanks
Shabeeb
01-13-2025 09:43 AM
https://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/217691-troubleshoot-split-brain-issues-on-asa-f.html#toc-hId-1506053073 <<- configuring the MAC address manually prevents the split-brain issue in HA
MHM
02-17-2025 10:16 PM
Any update for this issue?
MHM
02-17-2025 11:57 PM
Answer to Points 1 and 2
We generally don't manually configure the MAC addresses in single context mode, since the ASA will automatically assign virtual MAC addresses and manage their move to the newly active unit in the event of a failover. By default, the burned-in MAC address of the firewall designated as primary in the failover pair corresponds to the active IP address of the given data interface, and the burned-in MAC address of the secondary unit corresponds to the standby address of the same interface. To maintain seamless switchovers in the event of failover, the units swap both the active MAC and IP addresses for each data interface. If you do not configure a standby IP address, no standby MAC address is maintained either.
Because active MAC address changes may cause network connectivity disruption on adjacent devices, the secondary active unit continues to use the primary unit's MAC addresses as active even when the primary is removed from the failover pair, to avoid disruption. If you replace the primary with a different physical unit, the active MAC addresses change immediately after the new primary device rejoins the failover pair. This happens even if the secondary ASA retains the active role.
If the primary unit is not present when the secondary ASA boots up, the secondary peer starts using its own burned-in MAC addresses as active on all data interfaces. When the primary unit rejoins the failover pair, the active MAC addresses change immediately.
To minimize network disruptions during primary failover unit replacements, always configure virtual MAC addresses on all data interfaces with the mac-address command. Keep in mind that virtual IP addresses must remain unique within each Layer 2 broadcast domain, especially when sharing a physical interface between multiple contexts or connecting independent firewall failover pairs to a shared network segment.
Answer to Point 3
The standby MAC and IP address configuration on a pair of firewall interfaces is shown below. The active unit programs the inside interface to use a MAC address of 0001.000A.0001 and an IP address of 192.168.1.1; the standby unit uses 0001.000A.0002 and 192.168.1.2, respectively. Even though the outside interface can use the same MAC address values, configure them differently for ease of management and troubleshooting. When you replace or upgrade either of the failover pair members, the interface MAC addresses remain the same and the adjacent network devices maintain uninterrupted traffic forwarding.
interface GigabitEthernet0/0
 mac-address 0001.000A.0001 standby 0001.000A.0002
 nameif inside
 ip address 192.168.100.1 255.255.255.0 standby 192.168.100.2
!
interface GigabitEthernet0/1
 mac-address 0001.000B.0001 standby 0001.000B.0002
 nameif outside
 ip address 8.8.8.8 255.255.255.0 standby 8.8.8.9
!
Even though the active IP and MAC addresses do not change after a failover event, the MAC address tables on the adjacent switches need to update with the new location of the active unit. To facilitate that, an ASA failover pair performs the following steps for each data interface during a switchover:
If the interface operates in routed mode, the new active unit generates multiple gratuitous ARP packets using the active MAC and IP addresses. The standby unit generates similar gratuitous ARP messages using the standby addresses. Keep in mind that it is normal for ASA data interfaces to briefly transition through the down state during a switchover event. Each unit does it to flush the previous interface MAC and IP address programming and apply new active or standby addresses as appropriate.
Answer to Point 4
It depends on how you do the firewall migration from ASA to FTD without having the manual failover MAC addresses. If you do it in a very controlled environment you can minimise the impact. I think it would be good, prior to the change, for the customer/client to have virtual MAC addresses on the firewall interfaces. Then in the change window you have these virtual MAC addresses (the same as the old virtual MAC addresses, matching the same interfaces of the old firewall) configured on the new FTD.
Reference from Cisco ASA: All-in-one Next-Generation Firewall, IPS, and VPN Services, 3rd Edition
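As an added example for point 4 (not code from the thread, Cisco, or the book cited above), a Python pre-change check: it parses the ASA pair's current interface config and the draft FTD config, both assumed to be in show running-config syntax, and flags every interface whose active or standby MAC would change on the wire after cutover, including interfaces that never had a virtual MAC and so currently use the old primary's burned-in address. The two sample configs are constructed.

```python
import re
# Constructed sample configs (not from the thread): the ASA pair's current
# interfaces and a draft FTD config; only mac-address and nameif are compared.
OLD_ASA = """\
interface GigabitEthernet0/0
 mac-address 0001.000A.0001 standby 0001.000A.0002
 nameif inside
interface GigabitEthernet0/1
 nameif outside
"""
NEW_FTD = """\
interface GigabitEthernet0/0
 mac-address 0001.000a.0001 standby 0001.000a.0003
 nameif inside
interface GigabitEthernet0/1
 mac-address 0001.000b.0001 standby 0001.000b.0002
 nameif outside
"""
MAC_RE = re.compile(r"^\s*mac-address\s+(\S+)(?:\s+standby\s+(\S+))?", re.I)
NAMEIF_RE = re.compile(r"^\s*nameif\s+(\S+)", re.I)

def norm_mac(mac):
    """Canonical 12 hex digits so 0001.000A.0001 equals 0001.000a.0001."""
    return None if mac is None else re.sub(r"[.:-]", "", mac).lower()

def parse_interfaces(cfg):
    """Map each nameif to (active MAC, standby MAC); None means not configured."""
    out, nameif, active, standby = {}, None, None, None
    for line in cfg.splitlines() + ["interface END"]:  # sentinel flushes last block
        if line.strip().lower().startswith("interface "):
            if nameif:
                out[nameif] = (norm_mac(active), norm_mac(standby))
            nameif = active = standby = None
        elif m := MAC_RE.match(line):
            active, standby = m.group(1), m.group(2)
        elif m := NAMEIF_RE.match(line):
            nameif = m.group(1)
    return out

def migration_issues(old_cfg, new_cfg):
    """List every interface whose on-the-wire MAC would change after cutover."""
    old, new, issues = parse_interfaces(old_cfg), parse_interfaces(new_cfg), []
    for name, (act, stby) in old.items():
        if act is None:  # no virtual MAC: active MAC is the old primary's BIA
            issues.append(f"{name}: no virtual MAC on ASA; MAC changes with new hardware")
        elif name not in new or new[name][0] != act:
            issues.append(f"{name}: active MAC not preserved on FTD")
        elif stby and new[name][1] != stby:
            issues.append(f"{name}: standby MAC not preserved on FTD")
    return issues
```

An empty list from migration_issues means adjacent devices keep seeing the same MACs, so their ARP entries do not need to age out or be cleared.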