Symptom
On a firewall HA pair running in transparent mode, a packet capture with a MAC filter for the destination MAC 0100.0ccd.cdcd intermittently captures nothing, even though the frames are seen on the same interface by an unfiltered capture. Capture configuration used below, before the failover:
capture CAP1 type raw-data interface NET100 [Capturing - 0 bytes]
match mac any 0100.0ccd.cdcd ffff.ffff.ffff
Trigger a failover event. The unit that becomes Active is expected to generate UplinkFast dummy frames (destination MAC 0100.0ccd.cdcd) for every MAC address it has learned:
firepower# failover active
Switching to Active
On the new Active unit, the captures that have the MAC filter stay at 0 bytes, while the unfiltered captures on the same interfaces are growing:
firepower# show capture
capture CAP1 type raw-data interface NET100 [Capturing - 0 bytes]
match mac any 0100.0ccd.cdcd ffff.ffff.ffff
capture CAP2 type raw-data interface NET101 [Capturing - 0 bytes]
match mac any 0100.0ccd.cdcd ffff.ffff.ffff
capture CAP3 type raw-data interface NET100 [Capturing - 5550 bytes]
capture CAP4 type raw-data interface NET101 [Capturing - 6334 bytes]
On the same unit, the captures without a MAC filter contain frames with destination MAC 0100.0ccd.cdcd, which the filter should have matched:
firepower# show capture CAP3 detail | i cdcd
13: 11:00:45.221210 4c4e.35fc.fcd8 0100.0ccd.cdcd 0x8100 Length: 82
14: 11:00:45.221393 c4c6.0384.6a52 0100.0ccd.cdcd 0x8100 Length: 82
15: 11:00:45.221683 0017.dfd6.ec00 0100.0ccd.cdcd 0x8100 Length: 82
On the Standby unit (the former Active unit), the 0100.0ccd.cdcd frames are seen in all captures, with and without the MAC filter:
firepower#
Switching to Standby
firepower# sh cap
capture CAP1 type raw-data interface NET100 [Capturing - 294 bytes]
match mac any 0100.0ccd.cdcd ffff.ffff.ffff
capture CAP2 type raw-data interface NET101 [Capturing - 1078 bytes]
match mac any 0100.0ccd.cdcd ffff.ffff.ffff
capture CAP3 type raw-data interface NET100 [Capturing - 55884 bytes]
capture CAP4 type raw-data interface NET101 [Capturing - 47536 bytes]
firepower# show capture CAP3 det | i cdcd
474: 11:00:44.988428 4c4e.35fc.fcd8 0100.0ccd.cdcd 0x8100 Length: 82
475: 11:00:44.988581 c4c6.0384.6a52 0100.0ccd.cdcd 0x8100 Length: 82
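The check a practitioner wants before blaming the traffic is to re-evaluate the capture's MAC filter offline against the unfiltered capture on the same interface: if the filter matches frames there while the filtered capture on the box still reports 0 bytes, the on-box filter is what is failing. The following Python script is an added example and is not part of the original bug report or of any Cisco tooling. It parses "show capture <name> detail" output, applies a "match mac" clause with the same MAC/mask semantics, and compares the result with the byte count the box reports. The sample input embeds the three frames shown above plus two constructed frames that must not match (a PVST+ address differing in one nibble, and a unicast frame). Two readings are assumptions here rather than facts from the page: "match mac any <mac> <mask>" is read as source = any, destination = mac/mask, following the page's own description of the filter, and the "Length:" field is treated as the frame length in bytes.

```python
"""Offline re-evaluation of an ASA/FTD 'match mac' capture filter.

Added example, not code from the bug page or from Cisco. Assumptions:
'match mac {src src_mask|any} {dst dst_mask|any}' (source first, then
destination, as the page describes the filter), and 'Length:' is the
frame length in bytes.
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List

# One line of 'show capture <name> detail':
#   13: 11:00:45.221210 4c4e.35fc.fcd8 0100.0ccd.cdcd 0x8100 Length: 82
DETAIL_LINE = re.compile(
    r"^\s*(?P<idx>\d+):\s+(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?P<src>(?:[0-9a-f]{4}\.){2}[0-9a-f]{4})\s+"
    r"(?P<dst>(?:[0-9a-f]{4}\.){2}[0-9a-f]{4})\s+"
    r"(?P<ethertype>0x[0-9a-f]{4})\s+Length:\s+(?P<length>\d+)",
    re.IGNORECASE,
)

# Constructed sample: frames 13-15 are the page's own lines from CAP3 on the
# Active unit; 16 (PVST+ address 0100.0ccc.cccd) and 17 (unicast) are made up
# here so that the mask logic has something to reject.
SAMPLE_DETAIL = """\
13: 11:00:45.221210 4c4e.35fc.fcd8 0100.0ccd.cdcd 0x8100 Length: 82
14: 11:00:45.221393 c4c6.0384.6a52 0100.0ccd.cdcd 0x8100 Length: 82
15: 11:00:45.221683 0017.dfd6.ec00 0100.0ccd.cdcd 0x8100 Length: 82
16: 11:00:45.300000 0017.dfd6.ec00 0100.0ccc.cccd 0x8100 Length: 64
17: 11:00:45.310000 4c4e.35fc.fcd8 c4c6.0384.6a52 0x0800 Length: 1514
"""


@dataclass
class Frame:
    idx: int
    ts: str
    src: int        # MAC as a 48-bit integer
    dst: int
    ethertype: int
    length: int


def mac_to_int(mac: str) -> int:
    """'0100.0ccd.cdcd' or '01:00:0c:cd:cd:cd' -> 0x01000ccdcdcd."""
    return int(mac.replace(".", "").replace(":", ""), 16)


def parse_detail(text: str) -> List[Frame]:
    """Extract the frame summary lines; anything else (prompts, hex dumps) is skipped."""
    frames = []
    for line in text.splitlines():
        m = DETAIL_LINE.match(line)
        if m:
            frames.append(Frame(int(m["idx"]), m["ts"], mac_to_int(m["src"]),
                                mac_to_int(m["dst"]), int(m["ethertype"], 16),
                                int(m["length"])))
    return frames


def mac_filter(spec: str) -> Callable[[Frame], bool]:
    """Build a predicate from 'match mac {src src_mask|any} {dst dst_mask|any}'.

    A frame matches when, for every non-'any' term, (mac & mask) == (value & mask).
    """
    toks = spec.split()
    if toks[:2] != ["match", "mac"]:
        raise ValueError(f"not a 'match mac' clause: {spec!r}")
    toks = toks[2:]
    terms = []  # (attribute, masked value, mask)
    for attr in ("src", "dst"):
        if not toks:
            raise ValueError(f"incomplete 'match mac' clause: {spec!r}")
        if toks[0] == "any":
            toks = toks[1:]
            continue
        value, mask = mac_to_int(toks[0]), mac_to_int(toks[1])
        toks = toks[2:]
        terms.append((attr, value & mask, mask))
    return lambda f: all((getattr(f, a) & m) == v for a, v, m in terms)


def check_capture(detail_text: str, filter_spec: str, reported_bytes: int) -> Dict[str, int]:
    """Apply the filter offline to an unfiltered capture and compare with the box.

    'missed' is set when the filter matches frames offline but the filtered
    capture on the box reports 0 bytes, which is the symptom on the page.
    """
    pred = mac_filter(filter_spec)
    frames = parse_detail(detail_text)
    hits = [f for f in frames if pred(f)]
    return {
        "frames": len(frames),
        "hits": len(hits),
        "expected_bytes": sum(f.length for f in hits),  # lower bound, see assumptions
        "missed": bool(hits) and reported_bytes == 0,
    }


if __name__ == "__main__":
    # CAP1 on the Active unit reported 'Capturing - 0 bytes' with this filter.
    print(check_capture(SAMPLE_DETAIL, "match mac any 0100.0ccd.cdcd ffff.ffff.ffff", 0))
```

Run it against the pasted output of the unfiltered capture on each unit; a result with hits greater than 0 and missed set on the Active unit, but not on the Standby unit, reproduces the asymmetry shown above. The mask is applied as a bitwise AND, so a clause such as "match mac any 0100.0ccc.0000 ffff.fffc.0000" can be used to test whether a wider filter (one that also covers the PVST+ address) behaves differently on the box.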
Conditions
- Transparent FW
- HA setup
- Failover event
- Capture with a MAC filter for destination MAC 0100.0ccd.cdcd (match mac any 0100.0ccd.cdcd ffff.ffff.ffff)