ASA Failover

Unanswered Question
Jun 10th, 2008

Dear All,

I have two ASAs connected in failover mode. The issue is that when inside-switch 1 goes down, the active ASA (ASA-A) is not going to standby mode.

On the active ASA, I have made the configuration to monitor both the inside and outside interfaces; when either interface goes down it should switch to standby, but it's not happening.

Please see the attached diagram

Regards

Haris

Haris P Tue, 06/10/2008 - 23:26

The Version is 7.0(4)12

The basic thing is I put the commands "monitor-interface inside" and "monitor-interface outside" in the configuration, and the active one is not going down when the inside interface of the active unit goes down.

The attached is the show failover output in normal condition

francisco_1 Wed, 06/11/2008 - 01:09

I see you are using LAN-based failover using management 0/0 interface.

Looks like the failover is active but they are failing because there is no link between the PROXY interfaces, which is affecting your failover. Make sure that both devices can ping each other's PROXY interfaces. You can deselect that interface for now and test your failover again.

I suggest you also upgrade the software because V7.0(4)12 is old.

jamesfang98 Wed, 06/11/2008 - 09:51

Can you also paste output:

show cpu

show run | include failover

The possible problems:

1. The Proxy interface on the standby ASA is not up, so it cannot take over active mode should failover happen.

Fix: ensure both proxy interface IPs are pingable from each other.

2. Your FW may be too busy (your CPU utilization can tell), so the default unit poll interval of 1 second is too short.

Fix: increase to, say, 5 seconds.

Pls rate if help
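
The two replies above point at a monitored interface that is unhealthy on the standby unit as the reason it cannot take over. As an added example (not from the thread or from Cisco), this Python sketch parses `show failover` text and lists the peer's interfaces that are not in a Normal state. The sample output is constructed and its line layout is an assumption modeled on ASA output; adjust the patterns to what your software version prints.

```python
import re

# Constructed sample modeled on the layout of ASA "show failover" output.
# Interface addresses and states are invented for illustration.
SAMPLE = """\
Failover On
Failover unit Primary
Failover LAN Interface: folink Management0/0 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Monitored Interfaces 3 of 250 maximum
        This host: Primary - Active
                Interface inside (10.0.0.1): Normal
                Interface outside (192.0.2.1): Normal
                Interface PROXY (10.0.1.1): Normal
        Other host: Secondary - Standby Ready
                Interface inside (10.0.0.2): Normal
                Interface outside (192.0.2.2): Normal
                Interface PROXY (10.0.1.2): Failed (Waiting)
"""

# Assumed line formats: "<This|Other> host: <role> - <state>" and
# "Interface <name> (<ip>): <status>".
HOST_RE = re.compile(r"^\s*(This|Other) host:\s*(\S+)\s*-\s*(.+?)\s*$")
IFACE_RE = re.compile(r"^\s*Interface (\S+) \(([^)]*)\):\s*(.+?)\s*$")

def parse_failover(text):
    """Return {"This": {...}, "Other": {...}} with role, state and interface statuses."""
    hosts, current = {}, None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = hosts.setdefault(
                m.group(1), {"role": m.group(2), "state": m.group(3), "ifaces": {}})
            continue
        m = IFACE_RE.match(line)
        if m and current is not None:   # ignore interface-like lines before a host block
            current["ifaces"][m.group(1)] = m.group(3)
    return hosts

def takeover_blockers(hosts):
    """Names of peer interfaces whose status does not start with 'Normal'."""
    peer = hosts.get("Other", {"ifaces": {}})
    return sorted(n for n, s in peer["ifaces"].items() if not s.startswith("Normal"))

if __name__ == "__main__":
    print("Peer interfaces not Normal:", takeover_blockers(parse_failover(SAMPLE)))
```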

Haris P Wed, 06/11/2008 - 21:04

Dears,

Very helpful post.

I put the command to monitor only the inside and outside interfaces.

"no monitor-interface PROXY"

After that, when the Active ASA (i.e. ASA-A) inside interface goes down, it's switching back to standby (i.e. to ASA-S).

But when the Active ASA (ASA-A) inside interface comes back again, it's not switching back.

I want my ASA-A to come to the active state when all interfaces come up again.

I tested by typing "failover active" on ASA-A to force the ASA-A unit to become active; then it's coming to the active state again.

Any clues?

Regards

Haris

francisco_1 Wed, 06/11/2008 - 23:56

Because you are running active/standby in single mode, I don't think that's possible unless you have active/active mode; then you can assign preempt to your failover group.