ASA Duplicate MAC Address Protip

Started by deanwebb, October 30, 2015, 10:08:27 PM

deanwebb

http://www.tunnelsup.com/cisco-asa-troubleshooting-failover-when-failover-is-off

Break failover, and the pair can wind up with the same MAC addresses.

Yes, you heard right. One unit or the other completely forgets the MAC address that it used to have, even after a reboot.

Which is really fun to discover when you're dealing with a limited outage window and you've got lots of rule updates to get done.

Doesn't help when a manager is on the line and hears, "This is going to take a while to fix... hope it doesn't mean we can't do HA..."

So, we're going to manually set a number of MAC addresses tomorrow. Buddy of mine said they had to do the same thing to the new ASAs in the datacenter...

Way to go, Cisco.

Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

deanwebb

http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/ha_active_standby.html#wp1097271

Holy crapfish, Cisco knows about it... says one should define a standby MAC address...

And they couldn't have written just a little bit more code to do it automatically? Sheesh...
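An added example, not from this thread and not Cisco's code: a small Python script that parses constructed `show interface` output from both units of a failover pair, flags interfaces whose burned-in MACs collide, and prints `failover mac address` lines using a locally administered virtual-MAC scheme, which is the fix the linked 8.2 guide describes. The interface names, MAC addresses and the pair number are invented for illustration.

```python
import re

# Constructed excerpts of `show interface` from the two units of a failover pair.
# The MACs are made up; the point is that GigabitEthernet0/0 reports the same
# burned-in MAC on both boxes, which is the duplicate-MAC condition this thread is about.
UNIT_A_SHOW_INTERFACE = """\
Interface GigabitEthernet0/0 "outside", is up, line protocol is up
        MAC address 0011.2233.4455, MTU 1500
Interface GigabitEthernet0/1 "inside", is up, line protocol is up
        MAC address 0011.2233.4456, MTU 1500
"""
UNIT_B_SHOW_INTERFACE = """\
Interface GigabitEthernet0/0 "outside", is up, line protocol is up
        MAC address 0011.2233.4455, MTU 1500
Interface GigabitEthernet0/1 "inside", is up, line protocol is up
        MAC address 0011.2233.4460, MTU 1500
"""

IFACE_RE = re.compile(r'^Interface (\S+) "([^"]*)"')
MAC_RE = re.compile(r'MAC address ([0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})')


def parse_macs(show_interface: str) -> dict:
    """Map physical interface name -> MAC (lowercase, Cisco dotted form)."""
    macs = {}
    current = None
    for line in show_interface.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = MAC_RE.search(line)
        if m and current:
            macs[current] = m.group(1).lower()
    return macs


def find_duplicates(unit_a: dict, unit_b: dict) -> list:
    """Interfaces present on both units that carry the identical MAC."""
    return sorted(name for name in unit_a if name in unit_b and unit_a[name] == unit_b[name])


def virtual_mac(pair_id: int, slot: int, role: str) -> str:
    """Build a unicast, locally administered MAC (first octet 0x02 sets the U/L bit).

    Octets 3-4 carry a per-pair number, octet 5 the interface slot, and the last
    octet distinguishes active (00) from standby (01), so every pair and interface
    in a site gets a distinct, predictable pair of addresses. This numbering scheme
    is an assumption of this example, not a Cisco convention.
    """
    role_byte = 0x00 if role == "active" else 0x01
    raw = bytes([0x02, 0x00, (pair_id >> 8) & 0xFF, pair_id & 0xFF, slot & 0xFF, role_byte])
    h = raw.hex()
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"


def failover_mac_config(interfaces: list, pair_id: int) -> list:
    """Emit one `failover mac address phy_if active_mac standby_mac` line per interface."""
    return [
        f"failover mac address {name} "
        f"{virtual_mac(pair_id, slot, 'active')} {virtual_mac(pair_id, slot, 'standby')}"
        for slot, name in enumerate(interfaces)
    ]


if __name__ == "__main__":
    a = parse_macs(UNIT_A_SHOW_INTERFACE)
    b = parse_macs(UNIT_B_SHOW_INTERFACE)
    dupes = find_duplicates(a, b)
    print("Duplicate burned-in MACs on:", dupes or "none")
    # Pin virtual MACs on every data interface, not just the colliding one, so the
    # addresses no longer depend on which physical box happens to be active.
    for line in failover_mac_config(sorted(set(a) | set(b)), pair_id=1):
        print(line)
```

The generated lines go into the primary unit's configuration; in a working pair the failover replication carries them to the secondary. On releases that support it, the same addresses can instead be set per interface with `mac-address active_mac standby active_mac` under the interface, which has the same effect. Changing an interface MAC will make the ARP caches of adjacent devices stale until they time out or see gratuitous ARP, so do it inside the outage window rather than on a live active unit.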

Reggle

The longer I'm away from ASAs the less I miss them. I'd choose a Cisco switch over another brand any day, but firewall...

deanwebb

I'll say this: I really do like the way ASDM can show and filter real-time traffic. It has been a huge help to be able to watch and wait and not be the king of hitting refresh.