When you configure your interfaces, you can specify an active IP
address and a standby IP address on the same network. Although recommended, the
standby address is not required. Without a standby IP address, the active unit
cannot perform network tests to check the standby interface health; it can only
track the link state. You also cannot connect to the standby unit on that
interface for management purposes.
When the primary unit fails over, the secondary unit assumes
the IP addresses and MAC addresses of the primary unit and begins passing
The unit that is now in standby state takes over the standby
IP addresses and MAC addresses.
Because network devices see no change in the MAC to IP address
pairing, no ARP entries change or time out anywhere on the network.
If the secondary unit boots without detecting the primary unit,
the secondary unit becomes the active unit and uses its own MAC addresses,
because it does not know the primary unit MAC addresses. However, when the
primary unit becomes available, the secondary (active) unit changes the MAC
addresses to those of the primary unit, which can cause an interruption in your
network traffic. Similarly, if you swap out the primary unit with new hardware,
a new MAC address is used.
Virtual MAC addresses guard against this disruption because the active MAC addresses
are known to the secondary unit at startup, and remain the same in the case of
new primary unit hardware.
You can manually configure virtual MAC addresses.
If you do not configure virtual MAC addresses, you might need to
clear the ARP tables on connected routers to restore traffic flow. The
Firepower Threat Defense device does not send gratuitous ARPs for static NAT
addresses when the MAC address changes, so connected routers do not learn of
the MAC address change for these addresses.
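To make the interaction between the active unit's MAC choice and a connected router's ARP cache concrete, here is an added Python model of the two scenarios above (secondary boots alone and the primary later appears; primary hardware is swapped). It is not Cisco code; the addresses are constructed, and the router model simply keeps whatever MAC it last learned, standing in for a router that receives no gratuitous ARP for the address.

```python
"""Model of Active/Standby failover MAC selection and a router's ARP cache.

Added illustration, not Firepower Threat Defense code. All addresses are
constructed sample values.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional

ACTIVE_IP = "192.0.2.1"                   # constructed active IP address
PRIMARY_BURNED_IN = "00:00:5e:00:53:01"   # constructed burned-in MACs
SECONDARY_BURNED_IN = "00:00:5e:00:53:02"
REPLACEMENT_BURNED_IN = "00:00:5e:00:53:03"
VIRTUAL_MAC = "00:00:5e:00:53:aa"         # constructed virtual MAC


@dataclass
class Unit:
    name: str
    burned_in_mac: str
    learned_primary_mac: Optional[str] = None   # known only once the peer is seen


@dataclass
class Router:
    arp: Dict[str, str] = field(default_factory=dict)

    def learn(self, ip: str, mac: str) -> None:
        self.arp[ip] = mac                        # last resolution wins

    def is_stale(self, ip: str, current_owner_mac: str) -> bool:
        return self.arp.get(ip) != current_owner_mac


def active_mac(unit: Unit, virtual_mac: Optional[str]) -> str:
    """MAC the active unit uses for the active IP, following the page's rules."""
    if virtual_mac:
        return virtual_mac                        # same on both units from startup
    return unit.learned_primary_mac or unit.burned_in_mac


def secondary_boots_alone(virtual_mac: Optional[str]) -> dict:
    """Secondary becomes active without the primary, then the primary appears."""
    router, secondary = Router(), Unit("secondary", SECONDARY_BURNED_IN)
    first = active_mac(secondary, virtual_mac)    # own MAC without a virtual MAC
    router.learn(ACTIVE_IP, first)                # router resolves the active IP
    secondary.learned_primary_mac = PRIMARY_BURNED_IN   # primary comes up
    now = active_mac(secondary, virtual_mac)      # switches to primary MAC
    return {"mac_changed": first != now, "stale_arp": router.is_stale(ACTIVE_IP, now)}


def primary_hardware_swapped(virtual_mac: Optional[str]) -> dict:
    """Primary unit replaced by new hardware while it holds the active IP."""
    router = Router()
    old = active_mac(Unit("primary", PRIMARY_BURNED_IN), virtual_mac)
    router.learn(ACTIVE_IP, old)
    new = active_mac(Unit("primary", REPLACEMENT_BURNED_IN), virtual_mac)
    return {"mac_changed": old != new, "stale_arp": router.is_stale(ACTIVE_IP, new)}
```

Without a virtual MAC both scenarios leave the router holding a stale entry for the active IP, which is the condition that forces the manual ARP clearing described above; with a virtual MAC nothing changes.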
The IP address and MAC address for the state link do not change
at failover; the only exception is if the state link is configured on a regular