In my setup, each ASA has a different IP. When the failover becomes active, it assumes the IP of the active unit, and when the primary comes back online, it assumes the IP of the failover unit. The documentation for this setup can also be found here:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/ha_active_standby.html

Active/Standby Failover Overview

Active/Standby failover enables you to use a standby ASA to take over the functionality of a failed unit. When the active unit fails, it changes to the standby state while the standby unit changes to the active state. The unit that becomes active assumes the IP addresses (or, for transparent firewall, the management IP address) and MAC addresses of the failed unit and begins passing traffic. The unit that is now in standby state takes over the standby IP addresses and MAC addresses. Because network devices see no change in the MAC to IP address pairing, no ARP entries change or time out anywhere on the network.

Scott

On Tue, Nov 25, 2014 at 9:50 AM, Ahsan Rasheed <ahsanrashe...@gmail.com> wrote:

> Hi Guys,
>
> Actually, I would like to know if you guys can provide me a solution to
> the issue below.
>
> We are providing internet to one of our customers. Our connection is
> connected to the customer's onsite 3Com switch. On the 3Com switch, his two
> ASA firewalls are connected, Primary/Secondary as Active/Standby.
>
> We are providing a /30 IP to the customer, so the customer is using a single
> public IP address on both ASA firewalls. He is having an issue of duplicate
> MAC address on his side when his primary ASA fails; his fail-over is not
> working unless he reboots the connection between us.
>
> 1. So as a temporary solution, the customer has to reboot the connection
> every time to make it work on fail-over, or we (the ISP) have to clear the
> ARP from our core switch. This solution is manual; the customer wants to do
> fail-over automatically.
>
> 2. I asked the customer to use a /29 IP on their side, which we can provide,
> so he can use different public IPs on both firewalls. He declined to use a
> /29. He insisted on using a single public IP on both ASA firewalls.
>
> 3. I asked the customer to use a router facing us and use the /30 IP on the
> router. He declined to use a router between us and the firewalls.
>
> Is any other solution possible that we (the ISP) can use on our side to
> clear his ARP automatically when his primary ASA firewall drops the
> connection and the secondary firewall tries to connect with the same public
> IP but a different MAC address?
>
> Thanks & Regards,
> Ahsan Rasheed
> _______________________________________________
> cisco-nsp mailing list cisco-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
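
Added example, not part of the original thread: a Python check that compares two ARP snapshots taken on the upstream device before and after a failover and reports any IP whose MAC binding changed, which is the symptom described in the quoted question and the pairing change the Cisco excerpt says a working Active/Standby pair avoids. The snapshots follow the Cisco IOS `show ip arp` column layout; the addresses, MACs, interface name and function names are constructed for illustration.

```python
import re

# Constructed sample snapshots in Cisco IOS "show ip arp" layout
# (documentation-range IPs, made-up MACs and interface).
BEFORE = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.0.2.1               -   0000.5e00.5301  ARPA   Vlan100
Internet  192.0.2.2              12   0011.2233.4455  ARPA   Vlan100
"""
AFTER = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  192.0.2.1               -   0000.5e00.5301  ARPA   Vlan100
Internet  192.0.2.2               0   0011.2233.6677  ARPA   Vlan100
"""

# One complete ARP row: protocol, IP, age ("-" for local), MAC, type, interface.
ROW = re.compile(
    r"^Internet\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<age>-|\d+)\s+"
    r"(?P<mac>[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4})\s+"
    r"ARPA\s+(?P<intf>\S+)"
)

def parse_arp(text):
    """Return {ip: (mac, interface)} for complete ARPA entries."""
    table = {}
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:  # the header and "Incomplete" rows do not match
            table[m["ip"]] = (m["mac"].lower(), m["intf"])
    return table

def mac_changes(before, after):
    """List (ip, old_mac, new_mac, interface) for IPs whose MAC changed."""
    old, new = parse_arp(before), parse_arp(after)
    changes = []
    for ip, (mac, intf) in sorted(new.items()):
        if ip in old and old[ip][0] != mac:
            changes.append((ip, old[ip][0], mac, intf))
    return changes

if __name__ == "__main__":
    for ip, old_mac, new_mac, intf in mac_changes(BEFORE, AFTER):
        # A changed binding means the new active unit is not presenting
        # the MAC the upstream device had cached for this IP.
        print(f"{ip} on {intf}: {old_mac} -> {new_mac}")
```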