Problem after ASA replacement

Eric Washington
Level 1

We have an HA pair using 5510s, version 8.4(5). The secondary unit is currently active because the primary has an issue. When we replaced the primary (we didn't fail over yet), users reported issues with several services, including webmail. The time people began reporting issues correlates to when our logs show the mgmt0/0 HW interface changed state to up.

We could see TCP connections building, but getting resets on the teardown. We powered down the new ASA, but the problem remained. During our troubleshooting everything just started working again without us making any changes. We thought it could be an ISP issue, but other services going out of the connection were working just fine. We are perplexed about what happened.

Any ideas as to what the root cause would be? Thanks in advance!

1 Reply

Juan Ponce Dominguez
Cisco Employee

Hey,

It seems to be something with the MAC address of the new Primary being injected and the ARP table repopulation.

I believe this happened:

1. You had the previous Primary/Active and Secondary/Standby scenario.

2. The Secondary/Standby becomes Secondary/Active because the Primary fails; the Secondary is then using the Primary's MAC addresses.

3. You replaced the Primary with another ASA; when establishing the failover, the Secondary/Active takes the new MAC addresses from the new Primary/Standby.

4. During your troubleshooting, the neighboring devices were sending the traffic to the incorrect, old MAC address instead of the new one. It started to work again because they sent ARP requests again.

To overcome these kinds of situations, I recommend using manually configured MAC addresses.

Makes sense?

JJ
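The recommendation above, as an added ASA Active/Standby configuration example that is not from the thread or from either poster (interface names and MAC values are constructed placeholders; the read-only show commands are for checking the result):

```cisco
! Added example, not from the thread. Pins virtual MAC addresses to each
! physical interface so the active unit presents the same MAC no matter
! which chassis is primary. Without this, the pair uses the primary unit's
! burned-in MACs, so replacing the primary chassis changes the MACs that
! neighbors have cached in their ARP tables.
!
! Interface names and MAC values are constructed placeholders. The 0200.
! prefix sets the locally-administered bit so they cannot collide with a
! vendor-assigned (burned-in) address.
!
! Enter on the active unit; failover replicates the lines to the standby.
failover mac address Ethernet0/0 0200.0000.0a01 0200.0000.0a02
failover mac address Ethernet0/1 0200.0000.0b01 0200.0000.0b02
failover mac address Management0/0 0200.0000.0c01 0200.0000.0c02
!
! Verification (read-only):
!   show running-config failover      - the three lines above on both units
!   show interface Ethernet0/0 | include MAC
!                                     - active unit shows 0200.0000.0a01,
!                                       standby shows 0200.0000.0a02
!   show failover                     - confirm the pair is still Active/Standby
```

Applying the virtual MACs changes the addresses the active unit answers for, so neighbors re-ARP once at that moment; do it in a maintenance window rather than during an outage.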
