Hi David, Fabien & all who reply,

First I would like to say thank you so much for helping me on this issue. I would like to clear up a few things.

Customer is using a /30 IP on the Active firewall, and the Standby is configured with no IP on its outside interface. Whenever fail-over occurs, the issue is that the customer gets a duplicate IP address message and fail-over is not working with us only, because our core switch already has the MAC address of the Active ASA with that IP. When fail-over occurs, the standby uses the same IP but a different MAC. So the ARP entry on the core switch for that IP is not clearing unless someone drops the connection between ISP & customer or someone clears the ARP entry manually on our (ISP) end. We are providing this customer a radio link, so every time the customer has to reboot the radio to make fail-over work on his side.

"One important thing: Customer is saying both his firewalls are working fine as Active/Standby with the other provider, Comcast. Fail-over is working perfectly with no issues with Comcast." Why is he having the issue with us? Why is our core switch not getting those GARPs to update the CAM table as an adjacent device, although Comcast is working fine?

Customer refused to use a /29 IP block. Customer refused to use a router. As per customer, they are not using HSRP/VRRP, they are using Active/Standby ASA firewalls.

Do you guys think, in this scenario, the only solution is for the customer to use a virtual MAC address on his firewalls? If yes, then how to use the virtual MAC address for Active/Standby ASA with a single IP on the active ASA and no IP on the standby ASA?

I have read the below comment in one thread:

> Dear Rajesh,
> You are right that gratuitous ARP is injected by the ASA to other connected devices. But the best solution to implement failover is to use a virtual MAC address. If you use the virtual MAC address for failover then the ARP entries will not get changed and there will be no timeout anywhere on the network.
> If you are not using the virtual MAC address then if failover occurs the ARP entries will be changed, and when the new device takes over the active state it will send the gratuitous ARP.
> Regards,
> Aakil

Thanks & Regards,
Ahsan Rasheed

On Tue, Nov 25, 2014 at 2:34 PM, David White, Jr. (dwhitejr) <dwhit...@cisco.com> wrote:

> Hi Ahsan,
>
> The customer cannot configure the 'same' IP address on both ASAs in an
> Active/Standby pair.
> Each ASA's outside interface must have its own IP (or the Standby could
> be configured without an IP - but in that case the physical interface
> would not be monitored for all failures).
>
> When the ASAs failover, they swap both IPs and MAC addresses -
> therefore, they shouldn't run into a 'duplicate MAC' case. Both ASAs
> will send out GARPs to update the CAM/ARP tables of adjacent devices.
>
> Why isn't configuring a /29 acceptable to the customer? It is the only
> way to allow the ASA pair the IPs it needs to have failover configured
> properly.
>
> Sincerely,
>
> David.
>
> On 11/25/2014 11:50 AM, Ahsan Rasheed wrote:
> > Hi Guys,
> >
> > Actually I would like to know if you guys can provide me the solution on
> > the below issue.
> >
> > We are providing internet to one of our customers. Our connection is
> > connected to the customer's onsite 3Com switch. On the 3Com switch, his two ASA
> > firewalls are connected, Primary/Secondary as Active/Standby.
> >
> > We are providing a /30 IP to the customer. So the customer is using a single public IP
> > address on both ASA firewalls. He is having an issue of duplicate MAC address
> > on his side when his primary ASA fails; his fail-over is not working unless
> > he reboots the connection between us.
> >
> > 1. So the temporary solution is the customer has to reboot the connection every
> > time to make it work on fail-over, or we (ISP) have to clear the ARP from our
> > core switch. This solution is manual; the customer wants to do fail-over
> > automatically.
> >
> > 2. I asked the customer to use a /29 IP on their side, which we can provide, so he can
> > use different public IPs on both firewalls. He declined to use a /29. He urged
> > to use a single public IP on both ASA firewalls.
> >
> > 3. I asked the customer to use a router facing us and use the /30 IP on the router. He
> > declined to use a router between us & the firewalls.
> >
> > Is any other solution possible that we (ISP) can use on our side to clear his
> > ARP automatically when his primary ASA firewall drops the connection and
> > the secondary firewall tries to connect with the same public IP but a different MAC
> > address?
> >
> > Thanks & Regards,
> > Ahsan Rasheed
> > _______________________________________________
> > cisco-nsp mailing list cisco-nsp@puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
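As an added example (not from this thread or from Cisco's documentation), here is what the virtual MAC approach the quoted comment refers to looks like on the customer's primary ASA, together with the checks the ISP can run on an IOS core switch during a failover test. The interface name, the MAC pair and the 203.0.113.0/30 addresses are constructed placeholders; the single-IP/no-standby-IP layout matches the customer's setup as described above.

```cisco
! === Customer side: primary ASA, global configuration (replicated to the standby) ===
! Assign a fixed active/standby MAC pair to the outside interface, so the
! active unit always presents the same MAC for the customer IP regardless
! of which physical unit holds the active role.
! GigabitEthernet0/0 and the two MACs are placeholders; use locally
! administered MACs that are unused on the ISP segment.
failover mac address GigabitEthernet0/0 0200.0000.0a01 0200.0000.0a02
!
! The /30 leaves one usable customer address, so the standby gets no IP
! (as in the thread); the virtual MAC still follows the active role.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.252
!
! Verify on whichever unit is currently active: the outside MAC should be
! 0200.0000.0a01 before and after a switchover.
show failover
show interface GigabitEthernet0/0 | include MAC
!
! === ISP side: IOS core switch, while the customer runs a failover test ===
! The ARP entry for the customer IP should keep the same MAC across the
! switchover; if it flips or goes stale, that is the entry currently being
! cleared by hand.
show ip arp 203.0.113.2
show mac address-table address 0200.0000.0a01
! Manual workaround already used today, kept only for a stale entry:
clear ip arp 203.0.113.2
```

With the virtual MAC in place, the GARP sent after failover carries the MAC the core switch already has, so the ARP entry does not need to change for traffic to follow the new active unit.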