Thanks Ramakrishna. Everything that you've mentioned is in place: both contexts are using unique MACs, and MAC-auto is enabled. Shutting down the interface in the redundant group I have not tried; will give it a go.
From: Ramakrishna Shenai
Subject: Re: [OSL | CCIE_Security] CCIE_Security Digest, Vol 57, Issue 24 ASA 5510 - active/active arp issue

If you are running in Active/Active mode and have a shared interface, the rule of thumb is to enable mac-address auto in the system context. Alternatively you will have to manually assign distinct MAC addresses to the redundant interface in the individual contexts. This will ensure the ASA classifier rules are satisfied.

If neither of the above is done, by default the redundant interface uses the physical MAC address of the first member interface (note: not the active member interface), if I remember right. So when you shut down one ASA, both contexts become active on the surviving ASA. Since the definition of the redundant interface is the same in both contexts, and they are now on the same device, the physical MAC address of the first member interface comes back in the ARP response. Hence the behavior you are seeing on R2.

Also, a good practice when using Active/Active mode is to set up failover groups X and Y and make one primary and the other secondary with the pre-empt feature enabled. What this does is give you redundancy as well as load balancing. Once the other device comes up, switchover for load balancing happens automatically.

On Mon, Mar 7, 2011 at 10:10 AM, Serious CCIE wrote:
> Thanks King. Yes, both C1 & C2 share the same redundant interface.
> You're correct to say the issue is in the ASA; it's not handling the extreme
> situation!
>
> On Mon, Mar 7, 2011 at 3:04 AM, Kingsley Charles wrote:
>
>> I don't think the problem is on the router; rather it's on the ASA. Do C1 and
>> C2 share the redundant interface?
>>
>> With regards
>> Kings
>>
>> On Sun, Mar 6, 2011 at 7:50 PM, Serious CCIE wrote:
>>
>>> R1---inside----2xASA ---outside---R2--------R3
>>>
>>> Background:
>>> 1. I have 2 x ASA configured in A/A multi-context mode.
>>> 2. C1 is active on ASA1 and C2 is active on ASA2.
>>> 3. The redundant/outside interface has 2 physical ports (e0/0 and e0/1).
>>> 4. e0/0 is active in ASA1 and e0/1 in ASA2.
>>>
>>> Everything works as usual when both firewalls in the above ASCII diagram
>>> are turned "ON".
>>>
>>> To save some power, I have shut down 1 x ASA, ASA2. Only ASA1 is in the picture
>>> when the issue occurs.
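For reference, the system-context configuration Ramakrishna describes (redundant interface shared by both contexts, mac-address auto, two failover groups with preempt) written out as an added example. It is not taken from the thread: the context names, inside interfaces, config-url paths and the manual MAC values are placeholders, and the failover link/state interface configuration is left out.

```cisco
! ===== System context (added example; names and addresses are placeholders) =====
! Redundant interface built from the two physical ports mentioned in the thread.
! Without further configuration its MAC is the MAC of the first member (Ethernet0/0).
interface Redundant1
 member-interface Ethernet0/0
 member-interface Ethernet0/1
!
! Generate a distinct MAC per context for every shared interface, so the
! classifier can tell C1 and C2 apart even when both run on the same unit.
mac-address auto
!
! Two failover groups: this unit is primary for group 1 and secondary for
! group 2. preempt makes the group move back once the failed unit returns,
! which restores the load split automatically.
failover group 1
 primary
 preempt
failover group 2
 secondary
 preempt
!
context C1
 allocate-interface Redundant1
 allocate-interface Ethernet0/2 inside1
 config-url disk0:/c1.cfg
 join-failover-group 1
!
context C2
 allocate-interface Redundant1
 allocate-interface Ethernet0/3 inside2
 config-url disk0:/c2.cfg
 join-failover-group 2
!
! ===== Alternative inside context C1 (changeto context C1) =====
! If mac-address auto is not used, give the shared interface a manual active
! and standby MAC in each context; the pair must differ between C1 and C2.
! A manually set MAC takes precedence over an auto-generated one.
interface Redundant1
 nameif outside
 mac-address 0200.0000.0101 standby 0200.0000.0102
```

To check the fix, run `show interface Redundant1` inside each context and confirm the "MAC address" line differs between C1 and C2, then shut one unit and confirm on R2 with `show ip arp` that the two outside addresses still resolve to two different MACs rather than both collapsing to the first member interface's physical MAC.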
