stateful Failover not functioning correctly

KeithN123 · ‎01-15-2009

I have a pair of ASA5520's configure for failover. The OS, interfaces, and configuration on both devices are identical apart from the IP addresses. There are 8 interfaces in each device, failover monitoring every interface and the criteria is that 1 interface failure would trigger the failover. when I test the failover this is what happens:-

1) If I fail the switch that the ASA connects to, failover does not occur.

2) If I power off the primary ASA the the secondary unit becomes active.

3) If both firewalls are on and I force the secondary unit to failover active, both primary and secondary stay active.

am I missing something obvious? - would anyone be able to help me to resolve this issue please.

many thanks

Keith

Collin Clark · ‎01-15-2009

Keith-

How are your ASA's connected for fail over (ie LAN based/cable based)? If they are LAN based, are you using a cross-over cable between the two or do they go through a switch?

KeithN123 · ‎01-15-2009

they are LAN based, connected through a switch - all the interfaces are connected to various vlans configured on switches - I can ping the ip address on the failover interface

Collin Clark · ‎01-15-2009

A single switch or are they redundant as well?

KeithN123 · ‎01-15-2009

yes they are redundant as well - a pair of 4500's 10G link between them.

sh failover on primary and standby firewalls looks good

Collin Clark · ‎01-15-2009

When you fail a switch, you can fail either one of the 4500's and the ASA's do not fail over properly correct?

KeithN123 · ‎01-15-2009

yes that's correct - the only way that failover seems to work is if I power off the primary unit. The secondary then becaomes active.

Collin Clark · ‎01-15-2009

Could you post the following?

show failover

show failover interface

show interface [of the failover interfaces]

KeithN123 · ‎01-15-2009

posted show failover

Collin Clark · ‎01-15-2009

Everything looks good there. The 192.168.54.0 /30 network is not in the routing table of the 4500's right?

KeithN123 · ‎01-15-2009

no, they are configured on a separate vlan just for the failover interfaces.

Collin Clark · ‎01-15-2009

I figured that, but just thought I would ask. When you fail one of the switches, can you ping between the ASA's on the failover interface?

ping 192.168.52.1 to 192.168.52.2 and visa-versa?

KeithN123 · ‎01-15-2009

yes

Collin Clark · ‎01-15-2009

You shouldn't be able to. Is this in a lab? If so how about running an ICMP debug?

KeithN123 · ‎01-15-2009

apologies Collin - I didn't read your reply properly - it's the 192.168.54 failover addresses that I can ping - I cannot ping any of the monitored interface addresses - thes are in a live environment, so I am limited with regard to testing until out of customer working hours.