stateful Failover not functioning correctly

Unanswered Question
Jan 15th, 2009

I have a pair of ASA5520's configure for failover. The OS, interfaces, and configuration on both devices are identical apart from the IP addresses. There are 8 interfaces in each device, failover monitoring every interface and the criteria is that 1 interface failure would trigger the failover. when I test the failover this is what happens:-

1) If I fail the switch that the ASA connects to, failover does not occur.

2) If I power off the primary ASA the the secondary unit becomes active.

3) If both firewalls are on and I force the secondary unit to failover active, both primary and secondary stay active.

am I missing something obvious? - would anyone be able to help me to resolve this issue please.

many thanks

Keith

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
Collin Clark Thu, 01/15/2009 - 08:06

Keith-

How are your ASA's connected for fail over (ie LAN based/cable based)? If they are LAN based, are you using a cross-over cable between the two or do they go through a switch?

KeithN123 Thu, 01/15/2009 - 08:11

they are LAN based, connected through a switch - all the interfaces are connected to various vlans configured on switches - I can ping the ip address on the failover interface

KeithN123 Thu, 01/15/2009 - 08:17

yes they are redundant as well - a pair of 4500's 10G link between them.

sh failover on primary and standby firewalls looks good

Collin Clark Thu, 01/15/2009 - 08:24

When you fail a switch, you can fail either one of the 4500's and the ASA's do not fail over properly correct?

KeithN123 Thu, 01/15/2009 - 08:36

yes that's correct - the only way that failover seems to work is if I power off the primary unit. The secondary then becaomes active.

Collin Clark Thu, 01/15/2009 - 08:47

Could you post the following?

show failover

show failover interface

show interface [of the failover interfaces]

Collin Clark Thu, 01/15/2009 - 10:05

Everything looks good there. The 192.168.54.0 /30 network is not in the routing table of the 4500's right?

KeithN123 Thu, 01/15/2009 - 10:19

no, they are configured on a separate vlan just for the failover interfaces.

Collin Clark Thu, 01/15/2009 - 10:28

I figured that, but just thought I would ask. When you fail one of the switches, can you ping between the ASA's on the failover interface?

ping 192.168.52.1 to 192.168.52.2 and visa-versa?

Collin Clark Thu, 01/15/2009 - 10:31

You shouldn't be able to. Is this in a lab? If so how about running an ICMP debug?

KeithN123 Thu, 01/15/2009 - 10:34

apologies Collin - I didn't read your reply properly - it's the 192.168.54 failover addresses that I can ping - I cannot ping any of the monitored interface addresses - thes are in a live environment, so I am limited with regard to testing until out of customer working hours.

KeithN123 Thu, 01/15/2009 - 15:49

Collin -

when the ASA's are both up, I can ping 192.168.54.1 from 192.168.54.2 and visa versa....when they are failed over I can't ping.

Actions

This Discussion