12-29-2011 07:25 AM - edited 03-11-2019 03:08 PM
I have a pair of ASA 5510s configured in active/standby mode. I have already configured the failover settings on the firewalls. Both firewalls are connected to a 2960G. I made a change to the interfaces on the 2960 to allow 2 MAC addresses on each port. Here is the switch port config:
interface GigabitEthernet0/8
description ASA-Primary-Out
switchport access vlan 200
switchport mode access
switchport port-security maximum 2
switchport port-security
switchport port-security aging time 2
switchport port-security violation restrict
switchport port-security aging type inactivity
ip arp inspection limit rate 500
no cdp enable
spanning-tree portfast
spanning-tree bpduguard enable
Upon testing failover via the failover active command, I get port-security errors on the outside interface for each device:
%PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address aaaa.bbbb.cccc on port GigabitEthernet0/8.
After a few minutes, the error goes away and I can then connect to each firewall. It seems that it still waits for the aging time to expire before allowing the other MAC address. Shouldn't the "maximum 2" setting allow for both MAC addresses?
I'd rather not have to hardcode the firewall's MAC addresses on each switchport because I could see this causing problems for us down the road. Is there anything else that can be done?
01-06-2012 10:48 AM
Hello,
This is expected because of the way ASA failover works. When a failover event occurs, the 2 units will swap their IP and MAC addresses (i.e. the Active unit is always using the same IP and MAC, but this role changes between the 2 physical units).
Per the port-security config guide:
"...if a station with a secure MAC address configured or learned on one secure port attempts to access another secure port, a violation is flagged."
Since the MAC address moves to the other switchport when the failover happens, a violation is being logged.
-Mike
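The per-port rule quoted above, as an added Python model written for this page (it is not from the thread, from Cisco or from the ASA): the port names, MAC address and timings are constructed, and IOS port-security is reduced to the two checks that matter here, a secure MAC appearing on another secure port, and the per-port maximum, with inactivity aging refreshed by forwarded traffic.

```python
from dataclasses import dataclass, field
# Constructed model of IOS port-security (simplified): a secure MAC is bound to
# one port, so a frame from that MAC on another secure port is a violation no
# matter how many addresses the receiving port still has room for.

@dataclass
class SecurePort:
    name: str
    maximum: int
    aging_time: int  # minutes (aging type inactivity)
    secure: dict = field(default_factory=dict)  # mac -> last-seen minute

class Switch:
    def __init__(self, ports):
        self.ports = {p.name: p for p in ports}
        self.violations = []  # (port, mac, minute) of each restricted frame
    def owner_of(self, mac):
        for p in self.ports.values():
            if mac in p.secure:
                return p.name
        return None
    def age(self, now):
        """Expire secure entries idle for at least the port's aging time."""
        for p in self.ports.values():
            for mac, seen in list(p.secure.items()):
                if now - seen >= p.aging_time:
                    del p.secure[mac]
    def frame(self, port_name, mac, now):
        """True if the frame is forwarded, False if restricted (violation restrict)."""
        self.age(now)
        port = self.ports[port_name]
        owner = self.owner_of(mac)
        if owner is not None and owner != port_name:
            self.violations.append((port_name, mac, now))
            return False  # MAC is secured on a different port: PSECURE_VIOLATION
        if mac not in port.secure and len(port.secure) >= port.maximum:
            self.violations.append((port_name, mac, now))
            return False  # per-port maximum exceeded
        port.secure[mac] = now  # learn, or refresh the inactivity timer
        return True

def failover_scenario():
    """Active ASA MAC moves from Gi0/8 to Gi0/9 (constructed ports and MAC)."""
    sw = Switch([SecurePort("Gi0/8", 2, 2), SecurePort("Gi0/9", 2, 2)])
    active = "aaaa.bbbb.cccc"
    sw.frame("Gi0/8", active, now=0)                  # learned on Gi0/8
    after_failover = sw.frame("Gi0/9", active, now=1)  # moved: restricted
    after_aging = sw.frame("Gi0/9", active, now=3)     # Gi0/8 entry aged out
    return after_failover, after_aging, len(sw.violations)
```

Raising `maximum` on Gi0/9 changes nothing in this model, which is the behaviour the thread reports; only the aging of the stale entry on Gi0/8 lets the moved MAC through.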
10-16-2018 06:21 PM
For anyone else coming across this while googling,
even if you configure it with ample maximum MAC addresses, it still will not work. The reason is, when you enable port-security, static addresses are used instead of dynamic addresses. This then causes an issue because the MAC addresses change positions, but the CAM table will still show two entries and somehow the packets will not make it to the appropriate port.
When I issued the command "no switchport port-security", the ASA failover then worked properly, and I would only see one dynamic MAC address on each port instead of two.
I feel this might be a bug in some Cisco switches, as I feel that it should be fine to have two static MAC addresses on two separate ports, and it would just transmit to both of them. But that doesn't seem to be the case.