Problem
How to find the real (burned-in) MAC address of an interface on a node of an ASA HA failover pair.
Resolution
There are no floating IPs in the ASA failover design. Instead, the active IP address moves between the ASA units when a failover occurs. For people used to other cluster implementations this can be confusing.
When a firewall is part of an HA active/standby pair, the interface MAC address shown in the output of sh interface and the IP address assigned to it belong to the failover role, not to the physical box: the active unit always uses the primary unit's burned-in MAC addresses together with the active IP, and the standby unit uses the secondary unit's MAC addresses together with the standby IP.
When a failover happens, the two ASAs swap these IP and MAC addresses.
For example, if we assigned the IP 1.1.1.1 to the primary unit of our pair, this IP will be held sometimes by unit A and sometimes by unit B. That means when you connect to this IP you always reach the currently active unit, but you never know which physical ASA chassis that is.
To find out the real (burned-in) MAC of an interface, look at the sh version output instead. In the example below the prompt suffix pri/stby shows that this is the primary unit, currently in the standby role: sh interface reports the MAC it is running at the moment (the secondary unit's burned-in address), while sh version still shows the chassis's own address.

fw-1092388-553262/pri/stby# sh ver | i Gig
0: Ext: GigabitEthernet0/0 : address is 1111.aaaa.deea, irq 9   ------ real (burned-in) address on this ASA
1: Ext: GigabitEthernet0/1 : address is 1111.aaaa.deeb, irq 9
2: Ext: GigabitEthernet0/2 : address is 1111.aaaa.deec, irq 9
3: Ext: GigabitEthernet0/3 : address is 1111.aaaa.deed, irq 9
fw-1092388-553262/pri/stby# sh int | i MAC|Int
Interface GigabitEthernet0/0 "outside", is up, line protocol is up
MAC address 2222.fd52.ac28, MTU 1500   ------ active/standby MAC that migrates every time a failover happens
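The comparison above can be automated: parse the two listings, match interfaces by name, and flag every interface whose running MAC differs from the chassis's burned-in one, which tells you the unit is currently carrying the peer's addresses. The script below is an added example and is not part of the original post or of any Cisco tool; the sample outputs are constructed to mirror the listings above (not captured from a real device), and the function names burned_in_macs, running_macs, compare_macs and uses_peer_macs are my own.

```python
import re

# Constructed sample output, modelled on the page's "sh ver | i Gig" listing.
# These are the burned-in addresses of this chassis.
SHOW_VERSION = """\
0: Ext: GigabitEthernet0/0 : address is 1111.aaaa.deea, irq 9
1: Ext: GigabitEthernet0/1 : address is 1111.aaaa.deeb, irq 9
2: Ext: GigabitEthernet0/2 : address is 1111.aaaa.deec, irq 9
3: Ext: GigabitEthernet0/3 : address is 1111.aaaa.deed, irq 9
"""

# Constructed sample output, modelled on "sh int" on the same unit while it is
# in the standby role: Gi0/0 and Gi0/1 run the peer's MACs, Gi0/2 runs its own,
# Gi0/3 is not listed at all.
SHOW_INTERFACE = """\
Interface GigabitEthernet0/0 "outside", is up, line protocol is up
  MAC address 2222.fd52.ac28, MTU 1500
Interface GigabitEthernet0/1 "inside", is up, line protocol is up
  MAC address 2222.fd52.ac29, MTU 1500
Interface GigabitEthernet0/2 "", is administratively down, line protocol is down
  MAC address 1111.aaaa.deec, MTU 1500
"""

MAC = r"[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}"
VER_LINE = re.compile(rf"^\s*\d+:\s+\w+:\s+(?P<iface>\S+)\s+:\s+address is (?P<mac>{MAC})")
INT_HEAD = re.compile(r'^Interface (?P<iface>\S+) "(?P<nameif>[^"]*)"')
INT_MAC = re.compile(rf"^\s*MAC address (?P<mac>{MAC})")


def burned_in_macs(show_version_text):
    """Map interface name -> burned-in MAC, parsed from 'show version' output."""
    macs = {}
    for line in show_version_text.splitlines():
        m = VER_LINE.match(line)
        if m:
            macs[m["iface"]] = m["mac"].lower()
    return macs


def running_macs(show_interface_text):
    """Map interface name -> (nameif, running MAC), parsed from 'show interface'."""
    macs = {}
    iface = nameif = None
    for line in show_interface_text.splitlines():
        head = INT_HEAD.match(line)
        if head:
            iface, nameif = head["iface"], head["nameif"]
            continue
        m = INT_MAC.match(line)
        if m and iface is not None:
            macs[iface] = (nameif, m["mac"].lower())
            iface = nameif = None  # one MAC line per interface block
    return macs


def compare_macs(show_version_text, show_interface_text):
    """For every interface in 'show version', say whether the MAC currently in use
    is the chassis's own burned-in MAC or one borrowed from the failover peer."""
    own = burned_in_macs(show_version_text)
    running = running_macs(show_interface_text)
    report = {}
    for iface, bia in own.items():
        nameif, current = running.get(iface, (None, None))
        report[iface] = {
            "nameif": nameif,
            "burned_in": bia,
            "running": current,
            "borrowed": current is not None and current != bia,
        }
    return report


def uses_peer_macs(show_version_text, show_interface_text):
    """True if any interface runs a MAC other than its burned-in one.
    Caveat: if virtual MACs are configured with 'failover mac address', neither
    unit runs its burned-in MACs and this heuristic reports True on both."""
    report = compare_macs(show_version_text, show_interface_text)
    return any(r["borrowed"] for r in report.values())


if __name__ == "__main__":
    for iface, r in compare_macs(SHOW_VERSION, SHOW_INTERFACE).items():
        state = "borrowed from peer" if r["borrowed"] else "own"
        print(f"{iface:20} burned-in {r['burned_in']}  running {r['running']}  ({state})")
    print("unit is carrying the peer's MACs:", uses_peer_macs(SHOW_VERSION, SHOW_INTERFACE))
```

Paste the real output of sh version and sh interface into the two strings (or read them from files) and the report tells you, per interface, which MAC is the chassis's own. Interfaces missing from sh interface are reported with running None rather than skipped, so an unconfigured port does not silently disappear from the check.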
Best practice
If you want to know which physical ASA unit you are connected to, look at the output of sh version (the failover prompt suffix such as /pri/stby also tells you the unit and its current role). Never rely on the MAC values in the sh interface output, because they move with the failover role.
References
http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/ef.html#wp1929064
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ha_overview.html