recommended port-security settings for ASA HA failover

rsjordan00
Level 1

I have a pair of ASA 5510s configured in active/standby mode. I have already configured the failover settings on the firewalls. Both firewalls are connected to a 2960G. I made a change to the interfaces on the 2960 to allow 2 mac addresses on each port. Here is the switch port config:

interface GigabitEthernet0/8
 description ASA-Primary-Out
 switchport access vlan 200
 switchport mode access
 switchport port-security maximum 2
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 ip arp inspection limit rate 500
 no cdp enable
 spanning-tree portfast
 spanning-tree bpduguard enable

Upon testing failover via the failover active command, I get port-security errors on the outside interface for each device:

%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address aaaa.bbbb.cccc on port GigabitEthernet0/8.

After a few minutes, the error goes away and I can then connect to each firewall. It seems that it still waits for the aging time to expire before allowing the other MAC address. Shouldn't the "maximum 2" setting allow for both MAC addresses?

I'd rather not have to hardcode the firewall's MAC addresses on each switchport because I could see this causing problems for us down the road. Is there anything else that can be done?

2 Replies

mirober2
Cisco Employee

Hello,

This is expected because of the way ASA failover works. When a failover event occurs, the 2 units will swap their IP and MAC addresses (i.e. the Active unit is always using the same IP and MAC, but this role changes between the 2 physical units).

Per the port-security config guide:

http://www.cisco.com/en/US/docs/switches/lan/catalyst2960/software/release/12.2_25_fx/configuration/guide/swtrafc.html#wp1090391

"...if a station with a secure MAC address configured or learned on one secure port attempts to access another secure port, a violation is flagged."

Since the MAC address moves to the other switchport when the failover happens, a violation is being logged.

-Mike
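Mike's explanation is also the basis for telling an expected failover apart from a genuine port-security event in a SIEM. The script below is an added example written for this thread (it is not from the original post or from Cisco): it parses %PORT_SECURITY-2-PSECURE_VIOLATION syslog lines, tracks which port each MAC was last seen on, and tags a violation as an expected HA move only when a known ASA active MAC migrates between the two switchports cabled to the pair. The port pair, the active MAC and the log lines are constructed sample values.

```python
"""Classify Cisco IOS port-security violations caused by ASA failover.

Added example for this thread, not code from the original post or from Cisco.
When the active ASA fails over, the active unit's MAC leaves one switchport
and appears on the standby unit's switchport; the switch logs this as a
PSECURE_VIOLATION. A detection rule should separate that expected move from
an unknown station hitting a secure port.
"""
import re

# Constructed inventory: the two switchports cabled to the ASA pair (each
# mapped to its partner) and the MAC presented by whichever unit is active.
HA_PAIRS = {
    "GigabitEthernet0/8": "GigabitEthernet0/9",
    "GigabitEthernet0/9": "GigabitEthernet0/8",
}
ASA_ACTIVE_MACS = {"aaaa.bbbb.cccc"}

# Constructed syslog sample mirroring the message quoted in the thread.
SAMPLE_LOG = """\
Mar 10 10:00:01 sw1 123: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address aaaa.bbbb.cccc on port GigabitEthernet0/9.
Mar 10 10:00:01 sw1 124: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 1111.2222.3333 on port GigabitEthernet0/12.
Mar 10 10:00:05 sw1 125: %LINK-3-UPDOWN: Interface GigabitEthernet0/3, changed state to down
"""

VIOLATION_RE = re.compile(
    r"%PORT_SECURITY-2-PSECURE_VIOLATION: .*?"
    r"caused by MAC address (?P<mac>[0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4}) "
    r"on port (?P<port>\S+?)\.?$"
)


def classify_violation(mac, port, last_seen):
    """Tag one violation given where this MAC was last observed."""
    if mac not in ASA_ACTIVE_MACS:
        return "unexpected-mac"             # unknown station on a secure port
    if port not in HA_PAIRS:
        return "ha-mac-on-unexpected-port"  # firewall MAC seen off its cabled ports
    previous = last_seen.get(mac)
    if previous is None or previous == HA_PAIRS[port]:
        return "expected-ha-failover"       # MAC migrated between the pair's ports
    return "ha-mac-on-unexpected-port"


def analyse(log_text, initial_location=None):
    """Return [(mac, port, tag)] for every violation line in log_text.

    initial_location seeds the MAC -> port table, e.g. from the CAM table
    before the failover, so the first violation can be judged as a move.
    """
    last_seen = dict(initial_location or {})
    findings = []
    for line in log_text.splitlines():
        m = VIOLATION_RE.search(line)
        if not m:
            continue
        mac, port = m.group("mac").lower(), m.group("port")
        findings.append((mac, port, classify_violation(mac, port, last_seen)))
        last_seen[mac] = port
    return findings


if __name__ == "__main__":
    # Before the failover the active MAC sat on Gi0/8 (constructed state).
    for mac, port, tag in analyse(SAMPLE_LOG, {"aaaa.bbbb.cccc": "GigabitEthernet0/8"}):
        print(f"{tag:28} {mac} on {port}")
```

Feed `analyse` the raw syslog stream and alert only on the tags other than `expected-ha-failover`; the seed table is what lets the very first post-failover violation be recognised as a move rather than a new MAC.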

bcoverstone
Level 1

For anyone else coming across this while googling, even if you configure it with ample maximum MAC addresses, it still will not work. The reason is, when you enable port-security, static addresses are used instead of dynamic addresses. This then causes an issue because the MAC addresses change positions, but the CAM table will still show two entries and somehow the packets will not make it to the appropriate port.

When I issued the command "no switchport port-security", the ASA failover then worked properly, and I would only see one dynamic MAC address on each port instead of two.

I feel this might be a bug in some Cisco switches, as I feel that it should be fine to have two static MAC addresses on two separate ports, and it would just transmit to both of them. But that doesn't seem to be the case.
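Since the thread's practical outcome is that port-security has to come off the switchports cabled to an ASA failover pair, a configuration audit that finds such ports before the next failover test is useful. The script below is an added example written for this thread (not from the original post or from Cisco): it parses the interface blocks of a saved `show running-config`, extracts each port's port-security settings, and reports ports that are both secured and described as firewall ports. Identifying the firewall ports by a description keyword is an assumption of this example; the sample config is constructed from the one posted above plus two made-up ports.

```python
"""Audit a Cisco IOS running-config for port-security on ASA failover ports.

Added example for this thread, not code from the original post or from Cisco.
The interface-description keyword used to find the firewall ports is an
assumed labelling convention; the sample config is constructed.
"""
import re

SAMPLE_CONFIG = """\
!
interface GigabitEthernet0/8
 description ASA-Primary-Out
 switchport access vlan 200
 switchport mode access
 switchport port-security maximum 2
 switchport port-security
 switchport port-security aging time 2
 switchport port-security violation restrict
 switchport port-security aging type inactivity
 ip arp inspection limit rate 500
 no cdp enable
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/9
 description ASA-Secondary-Out
 switchport access vlan 200
 switchport mode access
 switchport port-security maximum 2
 switchport port-security
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/12
 description user-desk-12
 switchport access vlan 10
 switchport mode access
 switchport port-security
 spanning-tree portfast
!
"""


def parse_interfaces(config_text):
    """Return {interface name: [indented config lines]} for each interface block."""
    blocks, current = {}, None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif current is not None and line.startswith(" "):
            blocks[current].append(line.strip())
        else:
            current = None  # "!" or a global command ends the block
    return blocks


def port_security_summary(lines):
    """Extract the port-security knobs from one interface's lines.

    Defaults follow IOS: maximum 1 secure address, violation mode shutdown.
    """
    summary = {"enabled": False, "maximum": 1, "violation": "shutdown", "description": ""}
    for line in lines:
        if line == "switchport port-security":
            summary["enabled"] = True
        elif line.startswith("description "):
            summary["description"] = line.split(None, 1)[1]
        elif m := re.match(r"switchport port-security maximum (\d+)$", line):
            summary["maximum"] = int(m.group(1))
        elif m := re.match(r"switchport port-security violation (\S+)$", line):
            summary["violation"] = m.group(1)
    return summary


def find_secured_ha_ports(config_text, ha_marker="ASA"):
    """List (port, maximum, violation) for secured ports whose description carries ha_marker."""
    findings = []
    for name, lines in parse_interfaces(config_text).items():
        s = port_security_summary(lines)
        if s["enabled"] and ha_marker.lower() in s["description"].lower():
            findings.append((name, s["maximum"], s["violation"]))
    return findings


if __name__ == "__main__":
    for port, maximum, violation in find_secured_ha_ports(SAMPLE_CONFIG):
        print(f"{port}: port-security on (maximum {maximum}, violation {violation}) "
              f"- conflicts with ASA failover MAC move")
```

Run it against a `show running-config` capture from each access switch that fronts the firewall pair; ports it lists are the ones where the MAC swap on failover will trip the violation described above, regardless of the `maximum` value.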
