Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1106
Views
0
Helpful
4
Replies

ASA failover with standby address

mikedelafield
Level 1
Level 1

‎04-12-2008 03:58 AM - edited ‎03-11-2019 05:30 AM

we have an ASA configured for failover and all the interfaces are monitored and failover correctly except for one interface "inside".

The only difference is that the "inside" interface is configured with a standby address

interface Ethernet1

nameif inside

security-level 100

ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2

The firewall seems to be set as Active/Active. Could this be the issue?

Thanks.

Labels:
0 Helpful
4 Replies 4

mikedelafield
Level 1
Level 1

‎04-12-2008 04:30 AM

I have now removed the standby entry, but have noticed when I enter the command "Show monitor-interface" that the LAN interface does not say "(waiting)"; simply Normal.

Does this suggest it is not setup correctly?

This host: Primary - Active

Interface outside (217.112.81.130): Normal (Waiting)

Interface inside (10.102.1.1): Normal

Interface mgm (192.168.5.1): Normal (Waiting)

Other host: Secondary - Standby Ready

Interface outside (0.0.0.0): Normal (Waiting)

Interface inside (0.0.0.0): Normal

Interface mgm (0.0.0.0): Normal (Waiting)

The "monitor-interface inside" command IS present though in the running-config.

Help i don't understand!

0 Helpful

JORGE RODRIGUEZ
Level 10
Level 10
In response to mikedelafield

‎04-12-2008 09:33 AM

Mike,

This is not normal, this indicates there is no synch between standby unit and active unit , the interfaces are not being monitor by the standby towards the active.

What you need to do is to make sure that stanby interfaces are indeed connected on the same vlans as your Active unit interfaces vlans, after you confirm this is fine in terms of vlans configurations on the switch, issue on the Primary unit first failover then after that issue the same command on the standby unit, this sequence will make stanby to sync with primary and pools is configuration as well as become standby.

Before you do all this above read this link first carefully so that you can get a picture of what needs to be done and cover every angle to ensure you meet all requirements for Active/Standby configurations.

See the end of the link for troubleshooting tips.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807dac5f.shtml

If you still have problems reply to help you out.

HTH

Rgds

Jorge

Jorge Rodriguez
0 Helpful

mikedelafield
Level 1
Level 1
In response to JORGE RODRIGUEZ

‎04-13-2008 11:43 PM

i have no standby IP addresses configured....

the failover works fine on all the other interfaces except for "inside"

what is confusing me is that the firewall says it is set to Active/Active.

could this be why it didn't fail over when it had a Standby IP address configured?

0 Helpful

mikedelafield
Level 1
Level 1
In response to mikedelafield

‎04-14-2008 12:54 AM

i think "(Waiting)" is normal when you have no standby IP Address configured.

See below;

If you do not enter a failover IP address, the show failover command displays 0.0.0.0 for the IP address and interface monitoring remains in a waiting state. Refer to the show failover section of the Cisco Security Appliance Command Reference, Version 7.2 for more information about the different failover states.

I guess my concern is that when we had a Standby address configured on the "inside" interface it did not failover as expected when the network cable was pulled.

Could this be because of the Active/Active setting?

Help!

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card