Active/Standby Failover Problem on 5510

Unanswered Question
Nov 6th, 2008

Hi


I recently configured failover on a pair of 5510 firewalls. The configuration is Active / Standby and was setup by the Wizard in the ASDM.


We tried a failover test this morning. As the firewalls are running OSPF I wasn't expecting an instant failover - however the LAN side failed over and reconnected me to the firewalls but the DMZ interface didn't (couldn't route to it) and the devices on the DMZ then couldn't be contacted from the LAN.


A bit of digging in the documentation suggested that I needed to enable MAC address failover. This I tried, but after doing this I could only connect to the ASDM by using a local password as it was no longer accepting AAA user names!


Should mac address failover use the interface bia addresses or another address?


I am now rather confused... attached is the routing config from the firewall and the standby config as well.



JORGE RODRIGUEZ Thu, 11/06/2008 - 20:15

What link are you using as reference? Take a look at the link below. In your attached config you are implementing regular failover; you may want to consider implementing stateful failover using the same Ethernet0/3 dedicated failover interface. See the link below for details on the benefits of stateful versus regular failover.


http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807dac5f.shtml


As for:

however the LAN side failed over and reconnected me to the firewalls but the DMZ interface didn't (couldn't route to it) and the devices on the DMZ then couldn't be contacted from the LAN.


Check the physical connections of the DMZ interfaces of the standby ASA to your switch VLAN assignment. Say the DMZ interface Ethernet0/2 on the active ASA is connected to switch VLAN 3; the standby ASA's DMZ Ethernet0/2 must also be connected to VLAN 3.


We tried a failover test this morning. As the firewalls are running OSPF I wasn't expecting an instant failover - however the LAN side failed over and reconnected me to the firewalls but the DMZ interface didn't (couldn't route to it) and the devices on the DMZ then couldn't be contacted from the LAN.


I believe the above issue could be related to the DMZ Ethernet0/2 interface of the standby not being in the right VLAN on the switch. The theory of failover is that ACTIVE sends its config to STANDBY: as you write mem on the active ASA you should be able to see the config on STANDBY, which should include the OSPF configuration. If you can confirm that the DMZ Ethernet0/2 connectivity and VLAN assignments are consistent, we can then rule out physical issues and perhaps start to troubleshoot higher up.


Should mac address failover use the interface bia addresses or another address?


Take a look at the link I provided, in the stateful sections, for a better understanding.



HTH

Jorge
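The configuration Jorge describes (a dedicated failover link on Ethernet0/3 carrying both the failover and stateful links, standby IPs on every data interface, and virtual MAC addresses so the DMZ does not depend on the physical BIA after a switchover) looks like the following on an ASA 5510. This is an added, constructed example and not the poster's attached config or Cisco's; the interface names, IP addresses, VLAN number and MAC values are placeholders chosen for illustration.

```cisco
! ---- Primary unit (constructed example; addresses and MACs are placeholders) ----
! Every data interface needs a standby address so the peer can monitor it
! and so the new active unit takes over the same IP/MAC pair.
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248 standby 203.0.113.3
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
!
interface Ethernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.10.1 255.255.255.0 standby 192.168.10.2
!
! Dedicated failover interface: no nameif, just enabled.
! Both units' Ethernet0/2 (dmz) must sit in the same switch VLAN, e.g. VLAN 3,
! or the standby unit will see the DMZ as failed.
interface Ethernet0/3
 no shutdown
!
! Regular (LAN-based) failover over Ethernet0/3 ...
failover lan unit primary
failover lan interface folink Ethernet0/3
failover interface ip folink 10.255.255.1 255.255.255.252 standby 10.255.255.2
! ... made stateful by also using the same link as the state link,
! so connection/xlate tables survive the switchover.
failover link folink Ethernet0/3
!
! Virtual MAC for the DMZ interface: the active unit always uses the first
! address, the standby the second, regardless of which chassis is active.
failover mac address Ethernet0/2 0000.0c12.3401 0000.0c12.3402
!
failover

! ---- Secondary unit (only the bootstrap lines; the rest is synced from the active unit) ----
failover lan unit secondary
failover lan interface folink Ethernet0/3
failover interface ip folink 10.255.255.1 255.255.255.252 standby 10.255.255.2
failover link folink Ethernet0/3
interface Ethernet0/3
 no shutdown
failover
```

To confirm the pairing before the next test, run `show failover` on both units: every monitored interface should show `Normal` on both the active and standby side, and `show failover state` should list the configured virtual MAC for Ethernet0/2. An interface reported as `Failed` or `Unknown` on the standby only is the physical/VLAN mismatch Jorge points at, so check the switch port assignment for that unit before looking at OSPF.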

