Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1764
Views
15
Helpful
7
Replies

FMC High Availibility MAC address configuration

Go to solution
clnjj
Level 1
Level 1

‎01-18-2023 04:44 AM

When configuring the Interface MAC address in the the high availability tab on the FMC are these virtual MAC addresses that are created by me or, are these the real MAC addresses of the primary and standby interfaces? Would I use the MAC addresses shown after running the show interface command and input those for primary and secondary for each interface?

Labels:
1 Accepted Solution

Accepted Solutions

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to clnjj

‎01-18-2023 09:02 AM

When failover happens gracefully, the formerly Standby (now Active) unit normally sends a gratuitous ARP to announce that it has the Active IP address.So it's not usually an issue (except in cases like you encountered).

When if MAC addresses have been manually defined as locally administered addresses, the Active and Standby scheme still applies. However in that case, the Active unit will always have the same MAC address - whether either the Primary or Secondary member of the HA pair is Active.

View solution in original post

7 Replies 7

Go to solution
clnjj
Level 1
Level 1

‎01-18-2023 04:58 AM

thank you for the quick response, much appreciated. i have previously referenced the same configuration guide. So to clarify per the documentation the MAC address entered to configure the MAC for HA is that of the interface ->

Configure Virtual MAC addresses

You can configure active and standby MAC addresses for fail-over in two places on the Firepower Management Center:

  • The Advanced tab of the Edit Interface page during interface configuration; see Configure the MAC Address.

  • The Add Interface MAC Address page accessed from the High Availability page; see

If active and standby MAC addresses are configured in both locations, the addresses defined during interface configuration takes preference for failover.

You can minimize loss of traffic during failover by designating active and standby mac addresses to the physical interface. This feature offers redundancy against IP address mapping for failover.

Procedure

Step 1

Choose Devices > Device Management.

Step 2

Next to the device high-availability pair you want to edit, click Edit (

clnjj_0-1674046655660.gif

 

).

In a multidomain deployment, if you are not in a leaf domain, the system prompts you to switch.

Step 3

Choose High Availability.

Step 4

Choose Add (


 

)next to Interface Mac Addresses.

Step 5

Choose a Physical Interface.

Step 6

Type an Active Interface Mac Address.

Step 7

Type a Standby Interface Mac Address.

Step 8

Click OK.

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame

‎01-18-2023 06:29 AM

Adding to what has already been discussed, manually configured MAC addresses are strictly optional.

I've worked on hundreds of ASA and FTD HA pairs and never once have I seen the feature used in a production network.

0 Helpful

Go to solution
clnjj
Level 1
Level 1
In response to Marvin Rhoads

‎01-18-2023 07:08 AM

Thank you for your reply Marvin. I had an SSD failure. After I replaced the faulty SSD we had a service interruption until we cleared the ARP table on the router. So i am configuring the virtual MAC addresses to avoid this in the future. Might you know if the value entered into the interface MAC addressees portion of the high availability configuration is the actual interface MC address?

Capture.PNG

Go to solution
MHM Cisco World
VIP
VIP
In response to clnjj

‎01-18-2023 09:00 AM - edited ‎01-18-2023 09:02 AM

from guide I share before state 

Configure Virtual MAC addresses

You can configure active and standby MAC addresses for failover in two places on the Firepower Management Center:

  • The Advanced tab of the Edit Interface page during interface configuration; see Configure the MAC Address.

  • The Add Interface MAC Address page accessed from the High Availability page; see

    check below steps 


Step 1

Choose Devices > Device Management.

Step 2

Next to the device high-availability pair you want to edit, click Edit (

 

 

).

In a multidomain deployment, if you are not in a leaf domain, the system prompts you to switch.

Step 3

Choose High Availability.

Step 4

Choose Add (

 

 

)next to Interface Mac Addresses.

Step 5

Choose a Physical Interface.

Step 6

Type an Active Interface Mac Address.

Step 7

Type a Standby Interface Mac Address.

Step 8

Click OK.

0 Helpful

Go to solution
Marvin Rhoads
Hall of Fame
Hall of Fame
In response to clnjj

‎01-18-2023 09:02 AM

When failover happens gracefully, the formerly Standby (now Active) unit normally sends a gratuitous ARP to announce that it has the Active IP address.So it's not usually an issue (except in cases like you encountered).

When if MAC addresses have been manually defined as locally administered addresses, the Active and Standby scheme still applies. However in that case, the Active unit will always have the same MAC address - whether either the Primary or Secondary member of the HA pair is Active.

Go to solution
MHM Cisco World
VIP
VIP
In response to Marvin Rhoads

‎01-18-2023 09:06 AM

You are totally right but if somehow the SW still point to previous failed FW even so the new Active FW send G-ARP the traffic will drop. 
the workaround is config different virtual MAC for active and standby FW interface. 

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents