ASA Failover pair causing MAC flapping on switch stack

Chris Bomba · ‎08-17-2014

Not sure if this should be posted here or in the ASA forums. I have an Active/Standby pair of ASA 5515x connected to a 2960S stack. Connections look like so:

   ASA 1------Failover interface------ASA2
   | |
   | |
   | |
   | |
2960S Gig1/0/1 -------Stack-------2960S Gig2/0/1

I get the following error on the switches:

Aug 17 10:08:07 EDT: %SW_MATM-4-MACFLAP_NOTIF: Host a80c.0dc1.1130 in vlan 3 is flapping between port Gi1/0/1 and port Gi2/0/1
Aug 17 10:08:50 EDT: %SW_MATM-4-MACFLAP_NOTIF: Host a80c.0dc1.1130 in vlan 3 is flapping between port Gi1/0/1 and port Gi2/0/1
Aug 17 10:10:02 EDT: %SW_MATM-4-MACFLAP_NOTIF: Host a80c.0dc1.1130 in vlan 3 is flapping between port Gi1/0/1 and port Gi2/0/1
Aug 17 10:11:32 EDT: %SW_MATM-4-MACFLAP_NOTIF: Host a80c.0dc1.1130 in vlan 3 is flapping between port Gi1/0/1 and port Gi2/0/1
Aug 17 10:12:13 EDT: %SW_MATM-4-MACFLAP_NOTIF: Host a80c.0dc1.1130 in vlan 3 is flapping between port Gi1/0/1 and port Gi2/0/1
Aug 17 10:18:52 EDT: %SW_MATM-4-MACFLAP_NOTIF: Host a80c.0dc1.1130 in vlan 3 is flapping between port Gi1/0/1 and port Gi2/0/1
Aug 17 10:19:41 EDT: %SW_MATM-4-MACFLAP_NOTIF: Host a80c.0dc1.1130 in vlan 3 is flapping between port Gi1/0/1 and port Gi2/0/1

The MAC in question is the interface that is active on the ASA. I wouldn't think I should see the MAC on both interfaces on the switch because only one ASA is active.

Karsten Iwen · ‎08-17-2014

Is your Failover-system stable or is the active role chainging between primary and standby unit? Please post the output from "sh failover | i Last | time:" and look for failover-events in the firewall-logs.

Chris Bomba · ‎08-17-2014

Seems pretty stable. That time was when we stacked the switches. Also sent the rest of the show failover

Last Failover at: 09:44:40 EDT Jun 14 2014
Active time: 5534681 (sec)
Active time: 9033 (sec)

# show failover
Failover On
Failover unit Secondary
Failover LAN Interface: failover GigabitEthernet0/5 (Failed - No Switchover)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 114 maximum
Version: Ours 9.1(2), Mate 9.1(2)
Last Failover at: 09:44:40 EDT Jun 14 2014
This host: Secondary - Active
Active time: 5534662 (sec)
slot 0: ASA5515 hw/sw rev (1.0/9.1(2)) status (Up Sys)
Interface Internal (192.168.20.254): Normal (Waiting)
Interface DMZ (172.16.120.1): Normal (Waiting)
Interface External (xx.xx.xx.194): Normal (Waiting)
Interface VMmanagement (10.110.10.1): Normal (Waiting)
Interface management (0.0.0.0): Link Down (Not-Monitored)
slot 1: IPS5515 hw/sw rev (N/A/7.1(8p1)E4) status (Up/Up)
IPS, 7.1(8p1)E4, Up
Other host: Primary - Failed
Active time: 9033 (sec)
slot 0: ASA5515 hw/sw rev (1.0/9.1(2)) status (Unknown/Unknown)
Interface Internal (192.168.20.252): Unknown (Monitored)
Interface DMZ (172.16.120.2): Unknown (Monitored)
Interface External (xx.xx.xx.195): Unknown (Monitored)
Interface VMmanagement (10.110.10.2): Unknown (Monitored)
Interface management (0.0.0.0): Unknown (Not-Monitored)
slot 1: IPS5515 hw/sw rev (N/A/7.1(8p1)E4) status (Unknown/Unknown)
IPS, 7.1(8p1)E4, Unknown

Karsten Iwen · ‎08-17-2014

> Failover LAN Interface: failover GigabitEthernet0/5 (Failed - No Switchover)
> Other host: Primary - Failed

Doesn't look *that* stable ... ;-) Please control the failover-link.