01-15-2009 07:29 AM - edited 03-11-2019 07:37 AM
I have a pair of ASA5520s configured for failover. The OS, interfaces, and configuration on both devices are identical apart from the IP addresses. There are 8 interfaces in each device, failover is monitoring every interface, and the criterion is that 1 interface failure would trigger the failover. When I test the failover, this is what happens:
1) If I fail the switch that the ASA connects to, failover does not occur.
2) If I power off the primary ASA, the secondary unit becomes active.
3) If both firewalls are on and I force the secondary unit to failover active, both primary and secondary stay active.
Am I missing something obvious? Would anyone be able to help me resolve this issue, please?
Many thanks
Keith
01-15-2009 08:06 AM
Keith-
How are your ASAs connected for failover (i.e. LAN based/cable based)? If they are LAN based, are you using a cross-over cable between the two, or do they go through a switch?
01-15-2009 08:11 AM
They are LAN based, connected through a switch. All the interfaces are connected to various VLANs configured on switches. I can ping the IP address on the failover interface.
01-15-2009 08:15 AM
A single switch or are they redundant as well?
01-15-2009 08:17 AM
Yes, they are redundant as well: a pair of 4500s with a 10G link between them.
sh failover on the primary and standby firewalls looks good.
01-15-2009 08:24 AM
When you fail a switch, you can fail either one of the 4500s and the ASAs do not fail over properly, correct?
01-15-2009 08:36 AM
Yes, that's correct. The only way that failover seems to work is if I power off the primary unit. The secondary then becomes active.
01-15-2009 08:47 AM
Could you post the following?
show failover
show failover interface
show interface [of the failover interfaces]
01-15-2009 09:24 AM
01-15-2009 10:05 AM
Everything looks good there. The 192.168.54.0 /30 network is not in the routing table of the 4500s, right?
01-15-2009 10:19 AM
No, they are configured on a separate VLAN just for the failover interfaces.
01-15-2009 10:28 AM
I figured that, but just thought I would ask. When you fail one of the switches, can you ping between the ASAs on the failover interface?
ping 192.168.52.1 to 192.168.52.2 and vice versa?
01-15-2009 10:29 AM
Yes.
01-15-2009 10:31 AM
You shouldn't be able to. Is this in a lab? If so, how about running an ICMP debug?
01-15-2009 10:34 AM
Apologies Collin, I didn't read your reply properly. It's the 192.168.54 failover addresses that I can ping; I cannot ping any of the monitored interface addresses. These are in a live environment, so I am limited with regard to testing until out of customer working hours.