Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
678
Views
1
Helpful
1
Replies

Tip: Beware this doesn't happen to you with HA ASAs...

jmaxwellUSAF
VIP
VIP

‎08-11-2023 08:44 AM - edited ‎08-11-2023 09:17 AM

Hello.

I was reviewing a post-mortem of a situation that literally brought down the enterprise for 5 hours. We lost much money. Everyone should be aware of this hazard, and configure virtual mac-addresses in their HA ASAs. I think it would be best if Cisco automatically installs virtual MAC addresses as a default with HA configs.

What caused this at the very beginning was my lack of understanding that, just because I can interact with a freshly rebooted ASA, this does not mean it is in a fully healthy, online state. I needed to check the completeness of "show failover history".

Because I failed-over the device after merely 20 seconds, below occurred. During the event I did not know what had happened or how to remediate.

Be well folks.

---

(For exact reference of this topic, read book "Cisco ASA' 3rd edition, p 661)

Active/Standby IP Addresses and MAC Addresses
For Active/StandbyFailover,see the following for IPaddress and MAC address usage during a failover event:
1. The active unit always uses the primary unit's IP addresses and MAC addresses.
2. When the active unit fails over, the standby unit assumes the IP addresses and MAC addresses of the failed unit and begins passing traffic.
3. When the failed unit comes back online, it is now in a standby state and takes over the standby IPaddresses and MAC addresses.

MAC Addresses and IP Addresses in Failover
However, if the secondary unit boots without detecting the primary unit, then the secondary unit becomes the active unit and uses its own MAC addresses, because it does not know the primary unit MAC addresses. When the primary unit becomes available, the secondary (active) unit changes the MAC addresses to those of the primary unit, which can cause an interruption in your network traffic. Similarly, if you swap out the primary unit with new hardware, a new MAC address is used.

Virtual MAC addresses guard against this disruption, because the active MAC addresses are known to the secondary unit at startup, and remain the same in the case of new primary unit hardware. If you do not configure virtual MAC addresses, you might need to clear the ARP tables on connected routers to restore traffic flow. The ASA does not send gratuitous ARPs for static NAT addresses when the MAC address changes, so connected routers do not learn of the MAC address change for these addresses.

CLI Book 1: Cisco ASA Series General Operations CLI Configuration Guide, 9.17 - Failover for High Availability [Cisco Secure Firewall ASA] - Cisco

Labels:
1 Reply 1

ccieexpert
Spotlight
Spotlight

‎06-08-2024 04:41 PM

you are right.. but what you explain is a very rare scenario where the primary is not active when the secondary is booting up...

0 Helpful
Customers Also Viewed These Support Documents