ASA Failover

Unanswered Question
Jun 10th, 2008

Dear All,


I have two ASAs connected in failover mode. The issue is that when the inside-switch 1 goes down, the active ASA (ASA-A) is not going into standby mode.

On the active ASA, I have made the configuration to monitor both the inside and outside interfaces; when any of the interfaces goes down it should switch to standby, but it's not happening.

Please see the attached diagram


Regards

Haris



Haris P Tue, 06/10/2008 - 23:26

The Version is 7.0(4)12


The basic thing is I put the commands "monitor-interface inside" and "monitor-interface outside" in the configuration, and the active one is not going down when the inside interface of the active unit goes down.



The attached is the show failover output in normal condition




francisco_1 Wed, 06/11/2008 - 01:09

I see you are using LAN-based failover using management 0/0 interface.


Looks like the failover is active but they are failing because there is no link between the PROXY interfaces, which is affecting your failover. Make sure that both devices can ping each other's PROXY interfaces. You can deselect that interface for now and test your failover again.


I suggest you also upgrade the software because V7.0(4)12 is old.

jamesfang98 Wed, 06/11/2008 - 09:51

Can you also paste output:


show cpu

show run | include failover


The possible problems:


1. The proxy interface on the standby ASA is not up, so it cannot take over active mode should failover happen.

Fix: ensure both proxy interface IPs are pingable from each other.


2. Your FW may be too busy (your CPU utilization can tell), so the default unit poll interval of 1 second is too short.

Fix: increase to, say, 5 seconds.



Pls rate if help


Haris P Wed, 06/11/2008 - 21:04

Dears,

Very helpful post.

I put the command to monitor only the inside and outside interfaces:

"no monitor-interface PROXY"

After that, when the Active ASA (i.e. ASA-A) inside interface goes down, it's switching back to standby (i.e. to ASA-S).

But when the Active ASA (ASA-A) inside interface comes back again, it's not switching back.

I want my ASA-A to come to the active state when all interfaces come up again.

I tested by typing "failover active" on ASA-A to force the ASA-A unit to become active; then it's coming to the active state again.

Any clues?


Regards

Haris

francisco_1 Wed, 06/11/2008 - 23:56

Because you are running active/standby in single mode, I don't think that's possible unless you have active/active mode; then you can assign preempt to your failover group.
