05-21-2015 12:02 PM - edited 03-05-2019 01:31 AM
Hi, Two ASA firewalls work as failover. We suppose the primary ASA1 inside interface ip address is 192.168.1.1/24. From the Catalyst 6509, we can see the ip address 192.168.1.1 and its mac address (both are from the ASA1) through show ip arp in the 6509. But when we show cdp neighbor in the 6509, we cannot see the ASA firewall. In the ASA1, we can see the 6509's ip address (vlan) and mac by show arp. Showing the mac-address table in the 6509 cannot indicate its relative port. So we do not know which port in the 6509 is connected to the ASA1. My question is how we can know which port in the 6509 connects to the ASA1? Thank you
05-21-2015 01:33 PM
The ASA doesn't support CDP, so you can't use it to find neighbors.
But you should see the MAC address (which is seen in "show interface" on the ASA) on the switch.
As a last option, you could failover to the secondary ASA, log on to the other ASA (which is now the secondary) and shut the interface. On the c6k you'll see the port go down.
05-21-2015 02:24 PM
Thanks for your reply. Yes, we can see the mac of the ASA and the switch by the command show arp, but show mac-address-table in the switch does not show the relative port. That is why we do not know which switch port is connected to the ASA.
Shutting down the interface of the ASA is not acceptable because it is in a production environment.
I think each of the failover ASAs (primary and secondary) must have two cables connected to each of the two 6509s. So each 6509 also has two cables connected to the two ASAs, respectively.
05-21-2015 02:44 PM
I assume that you did something wrong. The MAC should show up in the switch:
ASA5520/pri/act# sh interface inside | i MAC
    MAC address 0000.0c00.1111, MTU 1500
Core-SW#sh mac address-table address 0000.0c00.1111
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 101    0000.0c00.1111    DYNAMIC     Gi1/0/1
Total Mac Addresses for this criterion: 1
Core-Sw#
For shutting down the ASA-interface:
You can shut down the interface on the standby ASA without disrupting your communication, as the standby ASA doesn't forward any traffic. And the "shut" command doesn't get replicated from the standby to the active ASA.
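As an added example (not from this thread or from Cisco), a small Python helper that does the lookup the two commands above show by hand: it pulls the MAC from ASA "show interface" output, normalizes it, and finds the VLAN and port where the Catalyst learned it. The ASA and switch output below is constructed sample text modelled on the excerpts in the reply, not a real capture.

```python
import re

# Constructed sample output modelled on the thread's excerpts (not a real capture).
ASA_SHOW_INTERFACE = """\
Interface GigabitEthernet0/1 "inside", is up, line protocol is up
    MAC address 0000.0c00.1111, MTU 1500
    IP address 192.168.1.1, subnet mask 255.255.255.0
"""

SWITCH_MAC_TABLE = """\
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
 101    0000.0c00.1111    DYNAMIC     Gi1/0/1
 101    0000.0c00.2222    DYNAMIC     Gi1/0/2
Total Mac Addresses for this criterion: 2
"""

def normalize_mac(mac: str) -> str:
    """Return a MAC as 12 lowercase hex digits, whatever the notation
    (Cisco dotted, colon or hyphen), so ASA and switch output compare equal."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def asa_interface_mac(show_interface: str) -> str:
    """Pull the interface MAC out of ASA 'show interface' output."""
    m = re.search(r"MAC address ([0-9a-fA-F.]+)", show_interface)
    if not m:
        raise ValueError("no MAC address line in ASA output")
    return normalize_mac(m.group(1))

def parse_mac_table(table: str):
    """Parse Catalyst 'show mac address-table' rows; header and total lines are skipped."""
    row = re.compile(r"^\s*(\d+|All)\s+([0-9a-fA-F.]{14})\s+(\S+)\s+(\S+)\s*$")
    return [
        {"vlan": m.group(1), "mac": normalize_mac(m.group(2)),
         "type": m.group(3), "port": m.group(4)}
        for m in (row.match(line) for line in table.splitlines()) if m
    ]

def find_port(mac: str, table: str):
    """Return (vlan, port) pairs where the switch learned this MAC; [] if it never did."""
    target = normalize_mac(mac)
    return [(e["vlan"], e["port"]) for e in parse_mac_table(table) if e["mac"] == target]

if __name__ == "__main__":
    mac = asa_interface_mac(ASA_SHOW_INTERFACE)
    print(mac, find_port(mac, SWITCH_MAC_TABLE))
```

An empty result means the switch has not learned that MAC on any port (for example, the address was aged out or belongs to the standby unit), which is the situation the thread is trying to diagnose.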
05-21-2015 08:05 PM
You are right with "shut" and mac-address-table.
If shut, the boss would know that and he will... though it does not hurt. With the mac-address-table, if the SW gets the mac address from a vlan, it does not show the ports, right?