ASA failover with standby address

Unanswered Question
Apr 12th, 2008

We have an ASA configured for failover, and all the interfaces are monitored and fail over correctly except for one interface, "inside".


The only difference is that the "inside" interface is configured with a standby address:


interface Ethernet1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2


The firewall seems to be set as Active/Active. Could this be the issue?


Thanks.

mikedelafield Sat, 04/12/2008 - 04:30

I have now removed the standby entry, but have noticed when I enter the command "Show monitor-interface" that the LAN interface does not say "(waiting)"; simply Normal.


Does this suggest it is not set up correctly?


This host: Primary - Active
  Interface outside (217.112.81.130): Normal (Waiting)
  Interface inside (10.102.1.1): Normal
  Interface mgm (192.168.5.1): Normal (Waiting)
Other host: Secondary - Standby Ready
  Interface outside (0.0.0.0): Normal (Waiting)
  Interface inside (0.0.0.0): Normal
  Interface mgm (0.0.0.0): Normal (Waiting)


The "monitor-interface inside" command IS present though in the running-config.


Help, I don't understand!

JORGE RODRIGUEZ Sat, 04/12/2008 - 09:33

Mike,


This is not normal; this indicates there is no sync between the standby unit and the active unit. The interfaces are not being monitored by the standby towards the active.


What you need to do is make sure that the standby interfaces are indeed connected on the same VLANs as your Active unit's interfaces. After you confirm this is fine in terms of VLAN configuration on the switch, issue the failover command on the Primary unit first, then issue the same command on the standby unit. This sequence will make the standby sync with the primary and pull its configuration, as well as become standby.


Before you do all of the above, read this link carefully first so that you can get a picture of what needs to be done and cover every angle to ensure you meet all requirements for Active/Standby configurations.


See the end of the link for troubleshooting tips.


http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807dac5f.shtml



If you still have problems, reply so we can help you out.


HTH

Rgds

Jorge




mikedelafield Sun, 04/13/2008 - 23:43

I have no standby IP addresses configured....


The failover works fine on all the other interfaces except for "inside".


What is confusing me is that the firewall says it is set to Active/Active.


Could this be why it didn't fail over when it had a Standby IP address configured?

mikedelafield Mon, 04/14/2008 - 00:54

I think "(Waiting)" is normal when you have no standby IP address configured.


See below:


If you do not enter a failover IP address, the show failover command displays 0.0.0.0 for the IP address and interface monitoring remains in a waiting state. Refer to the show failover section of the Cisco Security Appliance Command Reference, Version 7.2 for more information about the different failover states.


I guess my concern is that when we had a Standby address configured on the "inside" interface, it did not fail over as expected when the network cable was pulled.


Could this be because of the Active/Active setting?


Help!
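
An added example, not part of any post in this thread: a small parser for the show monitor-interface output pasted above. It lists, per interface, which unit reports 0.0.0.0 (no failover IP entered, per the command-reference text quoted in the thread) and which reports Waiting. The function names are assumptions made for illustration, and the sample is the output as posted.

```python
import re

# Sample: the output posted in the thread, with the paste's blank lines removed.
SAMPLE = """\
This host: Primary - Active
Interface outside (217.112.81.130): Normal (Waiting)
Interface inside (10.102.1.1): Normal
Interface mgm (192.168.5.1): Normal (Waiting)
Other host: Secondary - Standby Ready
Interface outside (0.0.0.0): Normal (Waiting)
Interface inside (0.0.0.0): Normal
Interface mgm (0.0.0.0): Normal (Waiting)
"""

HOST_RE = re.compile(r"^(This|Other) host:")
IFACE_RE = re.compile(
    r"^Interface\s+(\S+)\s+\(([\d.]+)\):\s*(.*?)\s*(\(Waiting\))?$", re.I)


def parse_monitor_interface(text):
    """Return {interface: {"this"|"other": {"ip", "state", "waiting"}}}."""
    result, side = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        host = HOST_RE.match(line)
        if host:
            side = host.group(1).lower()  # rows that follow belong to this unit
            continue
        iface = IFACE_RE.match(line)
        if iface and side:
            name, ip, state, waiting = iface.groups()
            result.setdefault(name, {})[side] = {
                "ip": ip, "state": state, "waiting": waiting is not None}
    return result


def audit(parsed):
    """Return (interface, finding) pairs: unset addresses and Waiting monitors."""
    findings = []
    for name, sides in parsed.items():
        for side, info in sides.items():
            if info["ip"] == "0.0.0.0":
                findings.append((name, f"{side} host reports 0.0.0.0"))
            if info["waiting"]:
                findings.append((name, f"{side} host monitoring is Waiting"))
    return findings
```

Calling audit(parse_monitor_interface(SAMPLE)) on the posted output returns seven findings; "inside" appears only for the 0.0.0.0 address on the other host, never for Waiting.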
