Both ASA firewalls become ACTIVE in Active/Standby failover

Unanswered Question
Oct 11th, 2009

Hi All,

Two ASA 5520 firewalls running Cisco Adaptive Security Appliance Software Version 8.0(3) are configured for active/standby failover.

The firewalls are connected directly using a cross-over cable.

Everything was working fine.

But for the past few days both have become active, which causes the network to fluctuate.

I am attaching a document along with this post, where I have tabulated all the actions carried out to test active/standby failover. Everything seemed to be fine at that moment. After a few days, all of a sudden both firewalls become active.

Please suggest some workaround for the above scenario.



Herbert Baerten (Cisco Employee) Sun, 10/11/2009 - 23:58

So after the tests you did (for which the results seem normal), they were in active/standby again. After how much time did they both become active again?

What do the syslogs say when this happens?

Also check "show failover" and "show failover history".

nagabhushana.k Wed, 10/14/2009 - 20:51

Hi,

Thank you for the reply.

Unfortunately I am not able to solve the problem yet.

Q: After how much time did they both become active again?

After 5-6 days, they become active. This results in dropped packets.

Q: What do the syslogs say when this happens?

Unfortunately syslog messages are not available now.

So, I am attaching a file which contains the output of both "show failover" and "show failover history".

As per my knowledge, it seems there might be a problem with the failover cable.

Since there is a fluctuation in traffic, is it a problem with "failover polltime", which is set to 1 sec?

Also, I have checked speed and duplex on the failover interfaces of both firewalls. They are set to Auto-Duplex (Half-duplex) and Auto-Speed (100 Mbps) respectively.
Herbert Baerten (Cisco Employee) Wed, 10/14/2009 - 23:26

It definitely looks like a problem with the failover communication. "show failover" indicates that the primary does not detect the secondary:

    Other host: Secondary - Not Detected

And "show failover history" indicates that it became active because no active unit was detected at boot time:

    15:09:34 IST Oct 14 2009
    Negotiation    Just Active    No Active unit found

Or was the secondary perhaps booting at that time?

What do these same commands tell you right now, both on the primary and on the secondary?

Also, you referred to "the failover cable"; do you mean that the failover interfaces are directly connected to each other using a crossover cable?

Auto-Duplex (Half-duplex) seems to indicate that the other side is set to Full-Duplex (hardcoded). So if they are connected through a switch, set the switchports to auto/auto. Alternatively, set the ASA ports to 100/full hardcoded.

A polltime of 1 sec is ok. I see your holdtime is 15 sec, so we would have to miss 15 hello packets for failover to break. I doubt that this is caused by the duplex issue.

Getting syslogs of the next occurrence may help, as may "show console".
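The checks Herbert asks for above (what "show failover" reports on each unit, whether the peer is "Not Detected", and how the polltime/holdtime pair translates into missed hellos) can be scripted so that both units are compared in one place. This Python is an added example, not code from the thread or from Cisco; the sample outputs are constructed approximations of the "show failover" format and are not the poster's attachment.

```python
import re

# Constructed sample "show failover" output from each unit, approximating the
# ASA format and the symptom in the thread: both units Active, neither sees its peer.
PRIMARY_SHOW_FAILOVER = """\
Failover On
Failover unit Primary
Failover LAN Interface: folink GigabitEthernet0/3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Last Failover at: 15:09:34 IST Oct 14 2009
        This host: Primary - Active
        Other host: Secondary - Not Detected
"""
SECONDARY_SHOW_FAILOVER = """\
Failover On
Failover unit Secondary
Unit Poll frequency 1 seconds, holdtime 15 seconds
        This host: Secondary - Active
        Other host: Primary - Not Detected
"""

def parse_show_failover(text):
    """Pull unit role, this/other host state and unit poll/hold timers out of the output."""
    info = {"unit": None, "this_state": None, "other_state": None,
            "polltime": None, "holdtime": None}
    if m := re.search(r"^Failover unit (\w+)", text, re.M):
        info["unit"] = m.group(1)
    if m := re.search(r"This host: \w+ - (.+?)\s*$", text, re.M):
        info["this_state"] = m.group(1)
    if m := re.search(r"Other host: \w+ - (.+?)\s*$", text, re.M):
        info["other_state"] = m.group(1)
    if m := re.search(r"Unit Poll frequency (\d+) seconds, holdtime (\d+) seconds", text):
        info["polltime"], info["holdtime"] = int(m.group(1)), int(m.group(2))
    return info

def missed_hellos_before_failure(info):
    """Number of consecutive unit hellos that must be lost before the peer is declared failed."""
    return info["holdtime"] // info["polltime"]

def diagnose_pair(primary_text, secondary_text):
    """Compare both units' output; an empty list means the pair looks healthy."""
    p, s = parse_show_failover(primary_text), parse_show_failover(secondary_text)
    findings = []
    if p["this_state"] == "Active" and s["this_state"] == "Active":
        findings.append("split-brain: both units report Active")
    for name, u in (("primary", p), ("secondary", s)):
        if u["other_state"] == "Not Detected":
            findings.append(f"{name} does not detect its peer over the failover link")
    return findings
```

Run against real output captured from both units at the same time, a "Not Detected" finding on either side points at the failover link itself (cabling, duplex) rather than at the polltime.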

nagabhushana.k Wed, 10/14/2009 - 23:47

Hi,

Thank you for your reply.

Q: Do you mean that the failover interfaces are directly connected to each other using a crossover cable?

Yes. The failover interfaces are directly connected using a crossover cable.

Duplex information on both firewalls for the failover interface reveals that they are set to auto (half-duplex).

From the perspective of an end station in the LAN, there is an alternating packet drop. I mean if I ping any outside website, I can observe alternating "Request timed out".

Is this a problem due to a low polltime? If not, what could be the cause of this?