Cisco Bug: CSCtc32872 - TFW ENH: Management interface should operate in routed mode

Last Modified

Nov 09, 2016

Products (1)

  • Cisco ASA 5500-X Series Firewalls

Known Affected Releases

8.0(4.32) 8.0(4.47) 8.0(5.4) 8.2(1)

Description (partial)

Symptom:

Currently the ASA management0/0 interface learns MAC addresses in Transparent mode, which can lead to data-path traffic issues if the same MAC address is learnt through both the "inside" and "management" interfaces (MAC flapping).

The ASA prints the 412001 message when a MAC address flaps. This should not happen in a properly designed network, but the issue can also be mitigated on the ASA:

1) The management0/0 interface should operate in routed mode and should not learn MAC addresses;

2) It should not become operational until an IP address is assigned to it. Currently the system doesn't check this; the global IP address is assigned to management0/0.

Conditions:

ASA Transparent firewall with management0/0 in use and one of the following conditions met:

1) The upstream or downstream L3 switch uses the same MAC address on both the "data" and "management" VLAN interfaces (the default for many Catalyst switches);

2) The same VLAN is used for data and management;

3) HSRP is in use and the same HSRP group number is used on both the "data" and "management" VLANs (so both carry the same virtual MAC);

4) An STP loop has been introduced somewhere in the network between the "data" and "management" VLANs.
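The symptom above is observable in the ASA syslog as message 412001. The following script, added here as an illustration and not part of the Cisco bug record, parses a constructed sample of syslog lines and reports MAC addresses that repeatedly move between the management interface and a data interface, which is the flapping pattern this bug describes. The message layout ("MAC <addr> moved from <if> to <if>") is assumed from Cisco's syslog message documentation; the interface names `inside`, `outside` and `management` and the sample MAC addresses are constructed for the example (0000.0c07.ac01 is the HSRP version 1 virtual MAC for group 1, matching condition 3).

```python
import re
from collections import Counter

# Assumed format of the ASA 412001 MAC-move syslog message.
MAC_MOVE_RE = re.compile(
    r"%ASA-4-412001: MAC (?P<mac>[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}) "
    r"moved from (?P<src>\S+) to (?P<dst>\S+)"
)

# Constructed sample log: one HSRP virtual MAC flapping between the
# "inside" data interface and "management", one unrelated MAC move,
# and one unrelated connection message that must be ignored.
SAMPLE_LOG = """\
%ASA-4-412001: MAC 0000.0c07.ac01 moved from inside to management
%ASA-4-412001: MAC 0000.0c07.ac01 moved from management to inside
%ASA-4-412001: MAC 0000.0c07.ac01 moved from inside to management
%ASA-6-302013: Built inbound TCP connection 12345 for outside:10.0.0.5/443 (10.0.0.5/443) to inside:192.168.1.10/50000 (192.168.1.10/50000)
%ASA-4-412001: MAC 0011.2233.4455 moved from inside to outside
"""


def parse_mac_moves(text):
    """Return a list of (mac, source_interface, destination_interface) tuples
    for every 412001 message found in the given syslog text."""
    moves = []
    for line in text.splitlines():
        m = MAC_MOVE_RE.search(line)
        if m:
            moves.append((m["mac"], m["src"], m["dst"]))
    return moves


def find_management_flaps(moves, mgmt_iface="management", threshold=2):
    """Return {mac: move_count} for MACs that moved to or from the management
    interface at least `threshold` times. A single move can be a legitimate
    host relocation; repeated moves between management and a data interface
    are the flapping condition described in the bug."""
    counts = Counter(mac for mac, src, dst in moves if mgmt_iface in (src, dst))
    return {mac: n for mac, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    flaps = find_management_flaps(parse_mac_moves(SAMPLE_LOG))
    for mac, n in flaps.items():
        print(f"MAC {mac} flapped via management interface {n} times")
```

The `mgmt_iface` argument should be set to the `nameif` configured on management0/0 on the unit being checked, since the syslog carries interface names rather than physical port identifiers.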