stateful Failover not functioning correctly

Unanswered Question
Jan 15th, 2009

I have a pair of ASA5520's configured for failover. The OS, interfaces, and configuration on both devices are identical apart from the IP addresses. There are 8 interfaces in each device, failover monitoring every interface, and the criteria is that 1 interface failure would trigger the failover. When I test the failover this is what happens:

1) If I fail the switch that the ASA connects to, failover does not occur.

2) If I power off the primary ASA, the secondary unit becomes active.

3) If both firewalls are on and I force the secondary unit to failover active, both primary and secondary stay active.


Am I missing something obvious? Would anyone be able to help me resolve this issue please?


many thanks


Keith


Collin Clark Thu, 01/15/2009 - 08:06

Keith-


How are your ASA's connected for failover (i.e. LAN-based/cable-based)? If they are LAN-based, are you using a cross-over cable between the two, or do they go through a switch?

KeithN123 Thu, 01/15/2009 - 08:11

They are LAN-based, connected through a switch. All the interfaces are connected to various VLANs configured on the switches. I can ping the IP address on the failover interface.


Collin Clark Thu, 01/15/2009 - 08:15

A single switch or are they redundant as well?

KeithN123 Thu, 01/15/2009 - 08:17

Yes, they are redundant as well: a pair of 4500's with a 10G link between them.

sh failover on primary and standby firewalls looks good


Collin Clark Thu, 01/15/2009 - 08:24

When you fail a switch, you can fail either one of the 4500's and the ASA's do not fail over properly, correct?

KeithN123 Thu, 01/15/2009 - 08:36

Yes, that's correct. The only way that failover seems to work is if I power off the primary unit. The secondary then becomes active.


Collin Clark Thu, 01/15/2009 - 08:47

Could you post the following?


show failover

show failover interface

show interface [of the failover interfaces]


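As an added example (not from the thread, and not the posters' own output or configuration): a small Python checker that parses `show failover` text of the kind requested above and applies the ASA interface-policy rule to it. The two sample outputs inside it are constructed to approximate the ASA 8.x `show failover` layout. The general rule it encodes is that the active unit hands over only when its number of failed monitored interfaces reaches the `failover interface-policy` threshold and the standby unit has fewer failed interfaces; an interface that has failed on both units, for example because both units reach that network through the same failed switch, does not trigger failover. It also lists interfaces in a `(Waiting)` state, which marks an interface on which the unit has not yet received the peer's hello, so its health has not been established.

```python
"""Sanity-check ASA `show failover` output against the interface policy.

Added example, not from the thread. The two sample outputs below are
constructed; they approximate the ASA 8.x `show failover` layout but are
not captured from the poster's firewalls.
"""
import math
import re

# Constructed sample: one monitored interface (dmz) failed on the active unit only.
SAMPLE_ONE_SIDE_FAILED = """\
Failover On
Failover unit Primary
Failover LAN Interface: FAILOVER GigabitEthernet0/3 (up)
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 250 maximum
        This host: Primary - Active
                Active time: 5400 (sec)
                  Interface outside (192.0.2.1): Normal
                  Interface inside (198.51.100.1): Normal (Waiting)
                  Interface dmz (203.0.113.1): Failed
        Other host: Secondary - Standby Ready
                Active time: 0 (sec)
                  Interface outside (192.0.2.2): Normal
                  Interface inside (198.51.100.2): Normal (Waiting)
                  Interface dmz (203.0.113.2): Normal
"""

# Constructed sample: the same interface failed on both units (e.g. the switch
# both units use for that VLAN is down), so the standby is no better off.
SAMPLE_BOTH_SIDES_FAILED = SAMPLE_ONE_SIDE_FAILED.replace(
    "Interface dmz (203.0.113.2): Normal", "Interface dmz (203.0.113.2): Failed")

HOST_RE = re.compile(r"^\s*(This|Other) host: (\S+) - (.+?)\s*$")
IFACE_RE = re.compile(r"^\s*Interface (\S+) \(([\d.]+)\): (.+?)\s*$")
POLICY_RE = re.compile(r"^\s*Interface Policy (\d+)(%?)\s*$")


def parse_show_failover(text):
    """Return the failover state, interface policy and per-unit interface states."""
    result = {"failover_on": None, "policy": None, "policy_is_percent": False, "hosts": {}}
    current = None
    for line in text.splitlines():
        if line.startswith("Failover On"):
            result["failover_on"] = True
        elif line.startswith("Failover Off"):
            result["failover_on"] = False
        m = POLICY_RE.match(line)
        if m:
            result["policy"] = int(m.group(1))
            result["policy_is_percent"] = m.group(2) == "%"
            continue
        m = HOST_RE.match(line)
        if m:
            current = m.group(1).lower()  # "this" or "other"
            result["hosts"][current] = {"unit": m.group(2), "role": m.group(3), "interfaces": {}}
            continue
        m = IFACE_RE.match(line)
        if m and current is not None:
            result["hosts"][current]["interfaces"][m.group(1)] = {"ip": m.group(2), "state": m.group(3)}
    return result


def assess(parsed):
    """Apply the ASA interface-failover rule to the parsed output.

    The active unit yields to the standby only when its failed-interface count
    reaches the policy threshold AND the standby has fewer failed interfaces.
    An interface failed on both units therefore does not trigger failover.
    """
    hosts = parsed["hosts"]
    active = next(k for k, h in hosts.items() if "Active" in h["role"])
    standby = "other" if active == "this" else "this"

    def failed(unit):
        return sorted(n for n, i in hosts[unit]["interfaces"].items() if i["state"].startswith("Failed"))

    def waiting(unit):
        return sorted(n for n, i in hosts[unit]["interfaces"].items() if "(Waiting)" in i["state"])

    monitored = sum(1 for i in hosts[active]["interfaces"].values() if "Not-Monitored" not in i["state"])
    if parsed["policy_is_percent"]:
        # Assumption: a percentage policy is applied to the monitored count, rounded up.
        threshold = max(1, math.ceil(monitored * parsed["policy"] / 100))
    else:
        threshold = parsed["policy"]
    active_failed, standby_failed = failed(active), failed(standby)
    return {
        "active_unit": hosts[active]["unit"],
        "threshold": threshold,
        "active_failed": active_failed,
        "standby_failed": standby_failed,
        "failover_expected": len(active_failed) >= threshold and len(standby_failed) < len(active_failed),
        # "(Waiting)": the unit has not received the peer's hello on that interface yet,
        # so its health is not established; worth checking before reading the rest.
        "waiting": {"active": waiting(active), "standby": waiting(standby)},
    }


if __name__ == "__main__":
    for name, sample in (("one side failed", SAMPLE_ONE_SIDE_FAILED),
                         ("both sides failed", SAMPLE_BOTH_SIDES_FAILED)):
        print(name, assess(parse_show_failover(sample)))
```

Running it prints `failover_expected: True` for the first sample (dmz failed on the active unit only, threshold 1) and `False` for the second, where dmz is failed on both units and the standby has no advantage. To use it on real output, paste the text of `show failover` from the active unit in place of the constructed sample.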
Collin Clark Thu, 01/15/2009 - 10:05

Everything looks good there. The 192.168.54.0 /30 network is not in the routing table of the 4500's right?

KeithN123 Thu, 01/15/2009 - 10:19

No, they are configured on a separate VLAN just for the failover interfaces.


Collin Clark Thu, 01/15/2009 - 10:28

I figured that, but just thought I would ask. When you fail one of the switches, can you ping between the ASA's on the failover interface?


ping 192.168.52.1 to 192.168.52.2 and vice versa?

Collin Clark Thu, 01/15/2009 - 10:31

You shouldn't be able to. Is this in a lab? If so how about running an ICMP debug?

KeithN123 Thu, 01/15/2009 - 10:34

Apologies Collin, I didn't read your reply properly. It's the 192.168.54 failover addresses that I can ping; I cannot ping any of the monitored interface addresses. These are in a live environment, so I am limited with regard to testing until out of customer working hours.

KeithN123 Thu, 01/15/2009 - 15:49

Collin -


When the ASA's are both up, I can ping 192.168.54.1 from 192.168.54.2 and vice versa. When they are failed over I can't ping.
