http://www.tunnelsup.com/cisco-asa-troubleshooting-failover-when-failover-is-off
Break failover, and the pair can wind up with the same MAC addresses.
Yes, you heard right. One unit or the other completely forgets the MAC address that it used to have, even after a reboot.
Which is really fun to discover when you're dealing with a limited outage window and you've got lots of rule updates to get done.
Doesn't help when a manager is on the line and hears, "This is going to take a while to fix... hope it doesn't mean we can't do HA..."
So, we're going to manually set a number of MAC addresses tomorrow. Buddy of mine said they had to do the same thing to the new ASAs in the datacenter...
Way to go, Cisco.
http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/ha_active_standby.html#wp1097271
Holy crapfish, Cisco knows about it... says one should define a standby MAC address...
And they couldn't have written just a little bit more code to do it automatically? Sheesh...
The longer I'm away from ASAs the less I miss them. I'd choose a Cisco switch over another brand any day, but firewall...
I'll say this: I really do like the way ASDM can show and filter real-time traffic. It has been a huge help to be able to watch and wait and not be the king of hitting refresh.
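For anyone who lands here with the same problem, this is what "define a standby MAC address" from the linked ASA 8.2 active/standby guide looks like in practice. It is an added example, not configuration from the original poster or from Cisco's page; the interface names, IP addresses and MAC addresses are made up, so substitute your own. The point is to pin both the active and the standby virtual MAC per interface so the addresses no longer depend on which unit's burned-in MAC happened to win when failover was configured.

```cisco
! Added example (not from the original post). Hard-code the virtual MACs on an
! ASA 8.2 active/standby pair so neither unit loses or duplicates an address
! when failover is disabled, re-enabled, or a unit is replaced.
! All interface names, IPs and MACs below are assumptions for illustration.
! Use locally administered unicast MACs (first octet with the 02 bit set) that
! do not collide with anything else on the segment.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0 standby 203.0.113.3
 mac-address 0200.0000.0a01 standby 0200.0000.0a02
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.0.2.1 255.255.255.0 standby 192.0.2.2
 mac-address 0200.0000.0a11 standby 0200.0000.0a12
!
! Same thing expressed with the global failover form for a physical interface,
! also from the 8.2 guide; pick one style, the per-interface command wins if
! both are present:
! failover mac address GigabitEthernet0/0 0200.0000.0a01 0200.0000.0a02
!
! Verify on BOTH units after "write memory" and a failover test:
!   show running-config interface GigabitEthernet0/0
!   show interface GigabitEthernet0/0 | include MAC
!   show failover
```

Do this on the primary with failover enabled so it replicates to the secondary, then confirm on each unit that the active unit answers with the "active" MAC and the standby with the "standby" MAC. Because the pair swaps virtual MACs on failover, neighbours keep their ARP entries and you avoid the long outage the original poster ran into.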