Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1642
Views
0
Helpful
4
Replies

Active/Standby Failover

Go to solution
nagabhushana.k
Level 1
Level 1

‎09-29-2009 01:24 AM - edited ‎03-11-2019 09:20 AM

Hi all,

I have following questions about Active/Standby failover between 2 ASA firewalls.

Question 1: Can we monitor interfaces' failure of active firewall, so that failover happens and standby takes over.

What i mean is, if HSRP is configured on two routers and an interface is being tracked for failure and that interface fails, then priority of the router decremented so that the secondary router takes over.

In similar way, is it possible to track interfaces of active firewall, so that as soon as interface(s) fail, standby can take over.

Question 2: What is the use of monitor-interface {interface name} command? Is this command used for above mentioned purpose?

Question 3: What does "Interface failure on active unit above threshold" means?

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Saurabh Kishore
Level 1
Level 1
In response to nagabhushana.k

‎10-06-2009 06:04 PM

Hi,

As per the attached diagram you seem to have configured 2 interfaces on the firewall.

Monitoring of physical interfaces is enabled by default when you enable failover.

However if there are logical interfaces in your configuration then if you wish to enable monitoring for logical interfaces then you need to manually enable it.

By default failover interface-policy has value 1

failover interface-policy num%

num Specifies a number from 1 to 100 when used as a percentage, or 1 to the maximum number of interfaces when used as a number.

so if you use

failover interface-policy 50%

or by default : failover interface-policy 1

it is one and the same thing

you can get the detailed information about this command in the link below:

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/ef.html#wp1927458

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Jon Marshall
Hall of Fame
Hall of Fame

‎09-29-2009 06:07 AM

Q1 - yes you can. although you don't track another interface in the same way

Q2 - failover occurs for a number of reasons. One of the reasons could be failure of an interface. The monitor-interface command is how you keep track of an interface. So you monitor those interfaces that if they fail you want the firewall to failover. You can set a % of failed interfaces that must occur before failing over.

Q3 - the % mentioned above is the the threshold set above which the firewall will failover.

Jon

0 Helpful

Go to solution
nagabhushana.k
Level 1
Level 1
In response to Jon Marshall

‎09-30-2009 02:25 AM

Thank you very much for your reply.

I have couple of more questions to ask. In order to make the scenario little bit clear, I am attaching a simple network diagram along with this post.

I have configured active/standby failover between 2 ASAs. Ethernet 0 being named as “outside” and Ethernet 1 as “inside”. Everything is working fine.

If I issue a command “show running-config monitor-interface”, the output displays that both outside and inside interfaces are being monitored on active as well as standby firewall.

Question 1: If I use the command “failover interface-policy 50%” in configuration mode, what will be its effect on the failover? Does it mean that if one interface out of two fails (which makes 50%), then failover should happen?

Question 2: Does command “failover interface-policy 1” instead of “failover interface-policy 50%” will perform the same operation, considering the network diagram attached with this post.

Preview file
45 KB
0 Helpful

Go to solution
Saurabh Kishore
Level 1
Level 1
In response to nagabhushana.k

‎10-06-2009 06:04 PM

Hi,

As per the attached diagram you seem to have configured 2 interfaces on the firewall.

Monitoring of physical interfaces is enabled by default when you enable failover.

However if there are logical interfaces in your configuration then if you wish to enable monitoring for logical interfaces then you need to manually enable it.

By default failover interface-policy has value 1

failover interface-policy num%

num Specifies a number from 1 to 100 when used as a percentage, or 1 to the maximum number of interfaces when used as a number.

so if you use

failover interface-policy 50%

or by default : failover interface-policy 1

it is one and the same thing

you can get the detailed information about this command in the link below:

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/ef.html#wp1927458

0 Helpful

Go to solution
nagabhushana.k
Level 1
Level 1
In response to Saurabh Kishore

‎10-06-2009 08:22 PM

Hi Kishor,

Thank you very much for your reply.

It has cleared my doubts about "failover interface-policy".

I really appreciate your help.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card