01-15-2009 07:29 AM - edited 03-11-2019 07:37 AM
I have a pair of ASA5520s configured for failover. The OS, interfaces, and configuration on both devices are identical apart from the IP addresses. There are 8 interfaces in each device, failover is monitoring every interface, and the criteria is that 1 interface failure would trigger the failover. When I test the failover this is what happens:
1) If I fail the switch that the ASA connects to, failover does not occur.
2) If I power off the primary ASA the secondary unit becomes active.
3) If both firewalls are on and I force the secondary unit to failover active, both primary and secondary stay active.
Am I missing something obvious? Would anyone be able to help me to resolve this issue please.
many thanks
Keith
01-15-2009 08:06 AM
Keith-
How are your ASAs connected for failover (i.e. LAN based/cable based)? If they are LAN based, are you using a crossover cable between the two or do they go through a switch?
01-15-2009 08:11 AM
They are LAN based, connected through a switch. All the interfaces are connected to various VLANs configured on switches. I can ping the IP address on the failover interface.
01-15-2009 08:15 AM
A single switch or are they redundant as well?
01-15-2009 08:17 AM
Yes, they are redundant as well: a pair of 4500s with a 10G link between them.
sh failover on the primary and standby firewalls looks good.
01-15-2009 08:24 AM
When you fail a switch, you can fail either one of the 4500s and the ASAs do not fail over properly, correct?
01-15-2009 08:36 AM
Yes, that's correct. The only way that failover seems to work is if I power off the primary unit. The secondary then becomes active.
01-15-2009 08:47 AM
Could you post the following?
show failover
show failover interface
show interface [of the failover interfaces]
01-15-2009 09:24 AM
01-15-2009 10:05 AM
Everything looks good there. The 192.168.54.0 /30 network is not in the routing table of the 4500s, right?
01-15-2009 10:19 AM
No, they are configured on a separate VLAN just for the failover interfaces.
01-15-2009 10:28 AM
I figured that, but just thought I would ask. When you fail one of the switches, can you ping between the ASAs on the failover interface?
ping 192.168.52.1 to 192.168.52.2 and vice versa?
01-15-2009 10:29 AM
Yes
01-15-2009 10:31 AM
You shouldn't be able to. Is this in a lab? If so how about running an ICMP debug?
01-15-2009 10:34 AM
Apologies, Collin, I didn't read your reply properly. It's the 192.168.54 failover addresses that I can ping; I cannot ping any of the monitored interface addresses. These are in a live environment, so I am limited with regard to testing until out of customer working hours.