ASA Failover pair causing MAC flapping on switch stack

Chris Bomba
Level 4

Not sure if this should be posted here or in the ASA forums.  I have an Active/Standby pair of ASA 5515x connected to a 2960S stack.  Connections look like so:

 


    ASA 1------Failover interface------ASA2
      |                                 |
      |                                 |
      |                                 |
      |                                 |
2960S Gig1/0/1 -------Stack-------2960S Gig2/0/1

 

 

I get the following error on the switches:


Aug 17 10:08:07 EDT: %SW_MATM-4-MACFLAP_NOTIF: Host a80c.0dc1.1130 in vlan 3 is flapping between port Gi1/0/1 and port Gi2/0/1
Aug 17 10:08:50 EDT: %SW_MATM-4-MACFLAP_NOTIF: Host a80c.0dc1.1130 in vlan 3 is flapping between port Gi1/0/1 and port Gi2/0/1
Aug 17 10:10:02 EDT: %SW_MATM-4-MACFLAP_NOTIF: Host a80c.0dc1.1130 in vlan 3 is flapping between port Gi1/0/1 and port Gi2/0/1
Aug 17 10:11:32 EDT: %SW_MATM-4-MACFLAP_NOTIF: Host a80c.0dc1.1130 in vlan 3 is flapping between port Gi1/0/1 and port Gi2/0/1
Aug 17 10:12:13 EDT: %SW_MATM-4-MACFLAP_NOTIF: Host a80c.0dc1.1130 in vlan 3 is flapping between port Gi1/0/1 and port Gi2/0/1
Aug 17 10:18:52 EDT: %SW_MATM-4-MACFLAP_NOTIF: Host a80c.0dc1.1130 in vlan 3 is flapping between port Gi1/0/1 and port Gi2/0/1
Aug 17 10:19:41 EDT: %SW_MATM-4-MACFLAP_NOTIF: Host a80c.0dc1.1130 in vlan 3 is flapping between port Gi1/0/1 and port Gi2/0/1

 

The MAC in question is the interface that is active on the ASA. I wouldn't think I should see the MAC on both interfaces on the switch because only one ASA is active. 

3 Replies

Is your Failover-system stable or is the active role changing between primary and standby unit? Please post the output from "sh failover | i Last | time:" and look for failover-events in the firewall-logs.

Seems pretty stable.  That time was when we stacked the switches.  Also sent the rest of the show failover 

 

Last Failover at: 09:44:40 EDT Jun 14 2014
                Active time: 5534681 (sec)
                Active time: 9033 (sec)

 

 

# show failover
Failover On 
Failover unit Secondary
Failover LAN Interface: failover GigabitEthernet0/5 (Failed - No Switchover)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 114 maximum
Version: Ours 9.1(2), Mate 9.1(2)
Last Failover at: 09:44:40 EDT Jun 14 2014
        This host: Secondary - Active 
                Active time: 5534662 (sec)
                slot 0: ASA5515 hw/sw rev (1.0/9.1(2)) status (Up Sys)
                  Interface Internal (192.168.20.254): Normal (Waiting)
                  Interface DMZ (172.16.120.1): Normal (Waiting)
                  Interface External (xx.xx.xx.194): Normal (Waiting)
                  Interface VMmanagement (10.110.10.1): Normal (Waiting)
                  Interface management (0.0.0.0): Link Down (Not-Monitored)
                slot 1: IPS5515 hw/sw rev (N/A/7.1(8p1)E4) status (Up/Up)
                  IPS, 7.1(8p1)E4, Up
        Other host: Primary - Failed 
                Active time: 9033 (sec)
                slot 0: ASA5515 hw/sw rev (1.0/9.1(2)) status (Unknown/Unknown)
                  Interface Internal (192.168.20.252): Unknown (Monitored)
                  Interface DMZ (172.16.120.2): Unknown (Monitored)
                  Interface External (xx.xx.xx.195): Unknown (Monitored)
                  Interface VMmanagement (10.110.10.2): Unknown (Monitored)
                  Interface management (0.0.0.0): Unknown (Not-Monitored)
                slot 1: IPS5515 hw/sw rev (N/A/7.1(8p1)E4) status (Unknown/Unknown)
                  IPS, 7.1(8p1)E4, Unknown

Failover LAN Interface: failover GigabitEthernet0/5 (Failed - No Switchover)
        Other host: Primary - Failed 

Doesn't look *that* stable ... ;-) Please control the failover-link.
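
The two checks made in this thread, as an added example that is not part of any post: the script counts the `MACFLAP_NOTIF` messages per MAC, VLAN and port pair, then reads the `show failover` text for the failover link state and the peer state that the last reply points to. The input is excerpted from the posts above; the function names and the set of "healthy" peer states are assumptions made for this example.

```python
import re
from collections import Counter

# Input excerpted from the posts above (three of the switch messages, four ASA lines).
SWITCH_LOG = """\
Aug 17 10:08:07 EDT: %SW_MATM-4-MACFLAP_NOTIF: Host a80c.0dc1.1130 in vlan 3 is flapping between port Gi1/0/1 and port Gi2/0/1
Aug 17 10:08:50 EDT: %SW_MATM-4-MACFLAP_NOTIF: Host a80c.0dc1.1130 in vlan 3 is flapping between port Gi1/0/1 and port Gi2/0/1
Aug 17 10:10:02 EDT: %SW_MATM-4-MACFLAP_NOTIF: Host a80c.0dc1.1130 in vlan 3 is flapping between port Gi1/0/1 and port Gi2/0/1
"""
SHOW_FAILOVER = """\
Failover LAN Interface: failover GigabitEthernet0/5 (Failed - No Switchover)
        This host: Secondary - Active
        Other host: Primary - Failed
"""

FLAP_RE = re.compile(
    r"%SW_MATM-4-MACFLAP_NOTIF: Host (?P<mac>[0-9a-f.]+) in vlan (?P<vlan>\d+) "
    r"is flapping between port (?P<a>\S+) and port (?P<b>\S+)")
LINK_RE = re.compile(r"^Failover LAN Interface: \S+ (?P<ifc>\S+) \((?P<state>[^)]*)\)", re.M)
HOST_RE = re.compile(r"^\s*(?P<which>This|Other) host: (?P<role>\w+) - (?P<state>.+?)\s*$", re.M)
# Assumption for this example: any peer state outside this set is worth reporting.
HEALTHY_PEER_STATES = {"Active", "Standby Ready"}

def summarize_flaps(log):
    """Count flap notifications per (mac, vlan, sorted port pair)."""
    counts = Counter()
    for m in FLAP_RE.finditer(log):
        ports = tuple(sorted((m["a"], m["b"])))
        counts[(m["mac"], int(m["vlan"]), ports)] += 1
    return counts

def failover_findings(output):
    """Return the failover-link and peer-state problems visible in 'show failover'."""
    findings = []
    link = LINK_RE.search(output)
    if link and link["state"].startswith("Failed"):
        findings.append(f"failover link {link['ifc']} is {link['state']}")
    for h in HOST_RE.finditer(output):
        if h["which"] == "Other" and h["state"] not in HEALTHY_PEER_STATES:
            findings.append(f"peer ({h['role']}) state is {h['state']}")
    return findings

if __name__ == "__main__":
    for (mac, vlan, ports), n in summarize_flaps(SWITCH_LOG).items():
        print(f"{mac} vlan {vlan}: {n} flaps between {ports[0]} and {ports[1]}")
    for finding in failover_findings(SHOW_FAILOVER):
        print("ASA:", finding)
```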
