Stateful Failover not functioning correctly

KeithN123
Level 1

I have a pair of ASA5520s configured for failover. The OS, interfaces, and configuration on both devices are identical apart from the IP addresses. There are 8 interfaces in each device, failover is monitoring every interface, and the criterion is that 1 interface failure would trigger the failover. When I test the failover this is what happens:

1) If I fail the switch that the ASA connects to, failover does not occur.

2) If I power off the primary ASA, the secondary unit becomes active.

3) If both firewalls are on and I force the secondary unit to failover active, both primary and secondary stay active.

Am I missing something obvious? Would anyone be able to help me to resolve this issue please?

Many thanks

Keith

16 Replies

Collin Clark
VIP Alumni

Keith-

How are your ASAs connected for failover (i.e. LAN based/cable based)? If they are LAN based, are you using a cross-over cable between the two or do they go through a switch?

They are LAN based, connected through a switch. All the interfaces are connected to various VLANs configured on switches. I can ping the IP address on the failover interface.

A single switch or are they redundant as well?

Yes, they are redundant as well: a pair of 4500s with a 10G link between them.

sh failover on the primary and standby firewalls looks good.

When you fail a switch, you can fail either one of the 4500s and the ASAs do not fail over properly, correct?

Yes, that's correct. The only way that failover seems to work is if I power off the primary unit. The secondary then becomes active.

Could you post the following?

show failover

show failover interface

show interface [of the failover interfaces]

Posted show failover.

Everything looks good there. The 192.168.54.0/30 network is not in the routing table of the 4500s, right?

No, they are configured on a separate VLAN just for the failover interfaces.

I figured that, but just thought I would ask. When you fail one of the switches, can you ping between the ASA's on the failover interface?

ping 192.168.52.1 to 192.168.52.2 and vice versa?

Yes.

You shouldn't be able to. Is this in a lab? If so how about running an ICMP debug?

Apologies Collin, I didn't read your reply properly. It's the 192.168.54 failover addresses that I can ping; I cannot ping any of the monitored interface addresses. These are in a live environment, so I am limited with regard to testing until out of customer working hours.
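The thread turns on two things that show failover reports: whether both units claim to be Active (symptom 3) and whether every monitored interface is actually in the Normal state, since an interface stuck in Waiting or Unknown never produces the failure count the interface policy needs (symptom 1). The following script is an added example, not code from the thread or from Cisco, and the sample output it parses is constructed to resemble show failover on an ASA 5520; exact wording differs between ASA releases, so the regular expressions are assumptions that would need adjusting against real output.

```python
"""Flag the failover conditions discussed in the thread from 'show failover' text.

Added example; not from the thread or from Cisco. SAMPLE_SHOW_FAILOVER below is
CONSTRUCTED to resemble ASA output and was not captured from a real device.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: both units claim Active and one monitored interface (dmz)
# is still "Waiting" for a hello from its peer, i.e. the symptoms in the thread.
SAMPLE_SHOW_FAILOVER = """\
Failover On
Failover unit Primary
Failover LAN Interface: folink GigabitEthernet0/3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 250 maximum
Version: Ours 8.2(1), Mate 8.2(1)
Last Failover at: 10:42:07 UTC Mar 3 2011
        This host: Primary - Active
                Active time: 86400 (sec)
                  Interface outside (203.0.113.1): Normal
                  Interface inside (192.168.52.1): Normal
                  Interface dmz (192.168.53.1): Normal (Waiting)
        Other host: Secondary - Active
                Active time: 120 (sec)
                  Interface outside (203.0.113.2): Normal
                  Interface inside (192.168.52.2): Normal
                  Interface dmz (192.168.53.2): Unknown (Waiting)
"""

# Assumed line shapes (adjust against real output from your ASA release).
ON_RE = re.compile(r"^Failover (On|Off)\s*$")
LAN_RE = re.compile(r"^Failover LAN Interface: (\S+) (\S+) \((\w+)\)")
POLICY_RE = re.compile(r"^Interface Policy (\S+)\s*$")
HOST_RE = re.compile(r"^\s*(This|Other) host: (\w+) - (.+?)\s*$")
IFACE_RE = re.compile(r"^\s*Interface (\S+) \(([\d.]+)\): (.+?)\s*$")


@dataclass
class HostState:
    role: str            # Primary / Secondary
    state: str           # Active, Standby Ready, Failed, ...
    interfaces: dict = field(default_factory=dict)  # name -> monitoring state


@dataclass
class FailoverStatus:
    enabled: bool = False
    lan_link_up: bool = False
    interface_policy: str = ""
    hosts: dict = field(default_factory=dict)  # "This"/"Other" -> HostState


def parse_show_failover(text):
    """Parse the fields of 'show failover' that the checks below need."""
    status = FailoverStatus()
    current = None
    for line in text.splitlines():
        if m := ON_RE.match(line):
            status.enabled = m.group(1) == "On"
        elif m := LAN_RE.match(line):
            status.lan_link_up = m.group(3).lower() == "up"
        elif m := POLICY_RE.match(line):
            status.interface_policy = m.group(1)
        elif m := HOST_RE.match(line):
            current = HostState(role=m.group(2), state=m.group(3))
            status.hosts[m.group(1)] = current
        elif (m := IFACE_RE.match(line)) and current is not None:
            # Interface lines belong to the most recently seen host block.
            current.interfaces[m.group(1)] = m.group(3)
    return status


def assess(status):
    """Return human-readable findings; an empty list means nothing to flag."""
    findings = []
    if not status.enabled:
        findings.append("failover is Off")
    if not status.lan_link_up:
        findings.append("failover LAN interface is down: units cannot exchange hellos")
    actives = [h for h, hs in status.hosts.items() if hs.state == "Active"]
    if len(actives) == 2:
        findings.append("both units report Active (split-brain): "
                        "check the failover VLAN path between the units")
    for host, hs in status.hosts.items():
        for name, state in hs.interfaces.items():
            # Anything other than plain Normal (e.g. Waiting, Unknown, Failed)
            # means that interface is not being counted the way the policy expects.
            if state != "Normal":
                findings.append(f"{host} host ({hs.role}) interface {name}: {state}")
    return findings


def check_failover(text):
    """Convenience wrapper: parse text and return its findings."""
    return assess(parse_show_failover(text))


if __name__ == "__main__":
    for finding in check_failover(SAMPLE_SHOW_FAILOVER):
        print("FINDING:", finding)
```

Run the script as-is to see the three findings the constructed sample produces, or feed it the saved output of show failover from each unit; checking both units matters, because each one's view of the peer's interface states is what drives its own decision to fail over.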
