SNMP problem to a passive failover ASA5520 over VPN

Unanswered Question

I have a pair of ASA5520 units at the remote end of a site to site VPN tunnel.

I have an NMS package managing/monitoring all of my devices at the remote end, including the ASA units themselves. However, although I can get access to and reports from the active unit, I get nothing from the passive unit.

On the active unit I can get SNMP, run ASDM, ping, etc from my end of the tunnel. On the passive I get none of these.

Can anyone give me any suggestions as to the cause?

tprendergast Mon, 09/28/2009 - 13:07

The two units are running in active/passive, meaning the secondary unit is *only* listening to the heartbeat traffic and taking config replication.

You will not be able to access the secondary unit at all unless it fails over and becomes the primary, at which point it assumes the same IPs, MACs, etc. That means no SNMP, no ICMP, no SSH... If you use the OIDs from the ASA MIBs, you can actually collect statistics from the secondary unit off the primary (at a minimum -- is it up, is it actively behaving as secondary, etc).

Even though you put a secondary IP and such on the passive unit, it won't actually take any traffic on those layer 3 interfaces as it is not really active.

When failover occurs (i.e., the primary fails to respond to 3 heartbeats on the failover link), the secondary will ARP the virtual MAC addresses that were active on the primary unit before it failed. You then have some ARP convergence required on the network for traffic to flow effectively. Something neat to know -- if the secondary unit comes up before your first unit, it will use the burned-in local MAC addresses on the interfaces for the virtual MACs, and will replace them once it learns the virtuals from the primary when it comes back up.
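As an added example (not part of the original thread, and not Cisco code), here is how the "collect the secondary's status off the primary" suggestion can be turned into a monitoring check. It assumes the NMS polls the active unit's address with net-snmp (`snmpwalk -On`) for the cfwHardwareStatusTable in CISCO-FIREWALL-MIB, where row 4 is the failover LAN interface, row 6 the primary unit and row 7 the secondary unit, and cfwHardwareStatusValue carries the state enumeration. The two walk outputs embedded below are constructed, not captured from a real ASA, the degraded sample's state codes are illustrative, and the host address and community string are placeholders.

```python
"""Read an ASA failover pair's state from the active unit via CISCO-FIREWALL-MIB.

Added example for this thread, not Cisco code. The walk outputs below are
constructed in net-snmp `snmpwalk -On` format, not captured from a real ASA.
"""
import re
import shlex

# cfwHardwareStatusEntry in CISCO-FIREWALL-MIB (enterprises.9.9.147)
CFW_HW_STATUS_TABLE = "1.3.6.1.4.1.9.9.147.1.2.1.1.1"
COL_INFORMATION = 3     # cfwHardwareInformation: human-readable label
COL_STATUS_VALUE = 4    # cfwHardwareStatusValue: enumerated state
COL_STATUS_DETAIL = 5   # cfwHardwareStatusDetail: free-text detail
IDX_FAILOVER_LINK = 4   # row for the failover LAN interface
IDX_PRIMARY = 6         # row for the primary unit
IDX_SECONDARY = 7       # row for the secondary unit

# cfwHardwareStatusValue enumeration from the MIB
STATUS_NAMES = {1: "other", 2: "up", 3: "down", 4: "error", 5: "overTemp",
                6: "busy", 7: "noMedia", 8: "backup", 9: "active", 10: "standby"}

# Constructed sample: a healthy pair as seen when the primary is polled.
HEALTHY_WALK = """\
.1.3.6.1.4.1.9.9.147.1.2.1.1.1.3.4 = STRING: "Failover LAN Interface"
.1.3.6.1.4.1.9.9.147.1.2.1.1.1.3.6 = STRING: "Primary unit (this device)"
.1.3.6.1.4.1.9.9.147.1.2.1.1.1.3.7 = STRING: "Secondary unit"
.1.3.6.1.4.1.9.9.147.1.2.1.1.1.4.4 = INTEGER: 2
.1.3.6.1.4.1.9.9.147.1.2.1.1.1.4.6 = INTEGER: 9
.1.3.6.1.4.1.9.9.147.1.2.1.1.1.4.7 = INTEGER: 10
.1.3.6.1.4.1.9.9.147.1.2.1.1.1.5.4 = STRING: "LAN_FO GigabitEthernet0/3"
.1.3.6.1.4.1.9.9.147.1.2.1.1.1.5.6 = STRING: "Active unit"
.1.3.6.1.4.1.9.9.147.1.2.1.1.1.5.7 = STRING: "Standby unit"
"""

# Constructed sample: the secondary has dropped out (state codes are illustrative).
DEGRADED_WALK = """\
.1.3.6.1.4.1.9.9.147.1.2.1.1.1.3.6 = STRING: "Primary unit (this device)"
.1.3.6.1.4.1.9.9.147.1.2.1.1.1.3.7 = STRING: "Secondary unit"
.1.3.6.1.4.1.9.9.147.1.2.1.1.1.4.4 = INTEGER: 3
.1.3.6.1.4.1.9.9.147.1.2.1.1.1.4.6 = INTEGER: 9
.1.3.6.1.4.1.9.9.147.1.2.1.1.1.4.7 = INTEGER: 4
.1.3.6.1.4.1.9.9.147.1.2.1.1.1.5.7 = STRING: "Failed"
"""

LINE_RE = re.compile(r"^\.?([\d.]+)\s*=\s*(INTEGER|STRING):\s*(.*)$")


def walk_command(host, community="public", version="2c"):
    """Build the net-snmp command whose output parse_walk() reads.
    Point it at the active unit's address: only the active unit answers."""
    return shlex.join(["snmpwalk", f"-v{version}", "-c", community, "-On",
                       host, CFW_HW_STATUS_TABLE])


def parse_walk(text):
    """Map (column, index) -> value for every cfwHardwareStatusEntry row in the walk."""
    rows = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        oid, kind, value = m.groups()
        if not oid.startswith(CFW_HW_STATUS_TABLE + "."):
            continue
        col, idx = (int(x) for x in oid[len(CFW_HW_STATUS_TABLE) + 1:].split("."))
        rows[(col, idx)] = int(value) if kind == "INTEGER" else value.strip().strip('"')
    return rows


def unit_state(rows, idx):
    """Decode cfwHardwareStatusValue for one table row into its MIB name."""
    code = rows.get((COL_STATUS_VALUE, idx))
    return STATUS_NAMES.get(code, f"unknown({code})")


def check_pair(rows):
    """Return a list of problems; empty means link up and one active, one standby."""
    problems = []
    link = unit_state(rows, IDX_FAILOVER_LINK)
    if link != "up":
        detail = rows.get((COL_STATUS_DETAIL, IDX_FAILOVER_LINK), "")
        problems.append(f"failover link is {link}: {detail}".rstrip(": "))
    primary = unit_state(rows, IDX_PRIMARY)
    secondary = unit_state(rows, IDX_SECONDARY)
    if {primary, secondary} != {"active", "standby"}:
        problems.append(
            f"pair is not active/standby: primary={primary} "
            f"({rows.get((COL_STATUS_DETAIL, IDX_PRIMARY), '?')}), "
            f"secondary={secondary} "
            f"({rows.get((COL_STATUS_DETAIL, IDX_SECONDARY), '?')})")
    return problems


if __name__ == "__main__":
    print(walk_command("192.0.2.1", "monitor-ro"))  # placeholder host and community
    for label, walk in (("healthy", HEALTHY_WALK), ("degraded", DEGRADED_WALK)):
        print(label, check_pair(parse_walk(walk)) or ["OK"])
```

Because the poll goes to the address the active unit holds, and that address moves with the active role on failover as described above, the same check keeps working after a failover; it just reports the roles swapped (primary standby, secondary active), which is still a healthy pair as far as check_pair() is concerned.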
