10-11-2009 09:40 PM - edited 03-11-2019 09:25 AM
Hi All,
Two ASA 5520 firewalls running Cisco Adaptive Security Appliance Software Version 8.0(3) are configured for active/standby failover.
Firewalls are connected directly using cross-over cable.
Everything was working fine.
But for the past few days both become active, which causes the network to fluctuate.
I am attaching a document along with this post, where I have tabulated all the actions carried out to test active/standby failover. Everything seemed to be fine at that moment. After a few days, all of a sudden both firewalls become active.
Please suggest some workaround for the above scenario.
10-11-2009 11:58 PM
So after the tests you did (for which the results seem normal), they were in active/standby again. After how much time did they both become active again?
What do the syslogs say when this happens?
Also check "show failover" and "show failover history".
10-14-2009 08:51 PM
Hi,
Thank you for the reply.
Unfortunately I am not able to solve the problem yet.
Q: After how much time did they both become active again?
After 5-6 days, they both become active. This results in dropped packets.
Q: What do the syslogs say when this happens?
Unfortunately syslog messages are not available now.
So, I am attaching a file which contains output for both "show failover" and "show failover history".
As per my knowledge, it seems there might be a problem with failover cable.
Since there will be a fluctuation in traffic, is it a problem with the "failover polltime", which is set to 1 sec?
Also, I have checked speed and duplex on failover interfaces of both firewalls. They are set to Auto-Duplex(Half-duplex), Auto-Speed(100 Mbps) respectively.
10-14-2009 11:26 PM
It definitely looks like a problem with the failover communication. Show failover indicates that the primary does not detect the secondary:
Other host: Secondary - Not Detected
And "show failover history" indicates that it became active because no active unit was detected at boot time:
15:09:34 IST Oct 14 2009
Negotiation Just Active No Active unit found
Or was the secondary perhaps booting at that time?
What do these same commands tell you right now, and both on the primary and on the secondary?
Also, you referred to "the failover cable", do you mean that the failover interfaces are directly connected to each other using a crossover cable?
Auto-Duplex(Half-duplex) seems to indicate that the other side is set to Full-Duplex (hardcoded). So if they are connected through a switch, set the switchports to auto/auto. Alternatively, set the ASA ports to 100/full hardcoded.
Polltime of 1 sec is ok, I see your holdtime is 15 sec so we would have to miss 15 hello packets for failover to break. I doubt that this is caused by the duplex issue.
Getting syslogs of the next occurrence may help, as may "show console".
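As an added example (not from the thread or its attachment), here is a small Python parser for the two command outputs this reply discusses, plus the checks a defender would run on them before the next split-brain event: both units Active, peer "Not Detected", and how many hellos the holdtime/polltime pair allows to be missed. The sample outputs are constructed in the shape of ASA 8.0 "show failover" and "show failover history" with made-up values; the field layout is assumed to match what the appliance prints.

```python
import re

# Constructed sample output in the shape of ASA 8.0 "show failover" (values made up,
# not the poster's attachment). Both units claim Active and neither sees its peer.
PRIMARY_FAILOVER = """\
Failover On
Failover unit Primary
Failover LAN Interface: folink GigabitEthernet0/3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Version: Ours 8.0(3), Mate Unknown
Last Failover at: 15:09:34 IST Oct 14 2009
        This host: Primary - Active
                Active time: 3600 (sec)
        Other host: Secondary - Not Detected
                Active time: 0 (sec)
"""

SECONDARY_FAILOVER = """\
Failover On
Failover unit Secondary
Failover LAN Interface: folink GigabitEthernet0/3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Version: Ours 8.0(3), Mate Unknown
Last Failover at: 15:09:40 IST Oct 14 2009
        This host: Secondary - Active
                Active time: 3594 (sec)
        Other host: Primary - Not Detected
                Active time: 0 (sec)
"""

# Constructed "show failover history" sample: timestamp line, then a three-column line.
PRIMARY_HISTORY = """\
==========================================================================
From State                 To State                   Reason
==========================================================================
15:09:34 IST Oct 14 2009
Negotiation                Just Active                No Active unit found
15:09:35 IST Oct 14 2009
Just Active                Active Drain               No Active unit found
"""


def parse_show_failover(text):
    """Pull the fields that matter for diagnosing the peer relationship."""
    def grab(pattern):
        m = re.search(pattern, text)
        return m.groups() if m else None

    poll = grab(r"Unit Poll frequency (\d+) seconds, holdtime (\d+) seconds")
    this = grab(r"This host:\s+(\w+)\s+-\s+(.+)")
    other = grab(r"Other host:\s+(\w+)\s+-\s+(.+)")
    if not (poll and this and other):
        raise ValueError("unrecognised show failover output")
    return {
        "polltime": int(poll[0]),
        "holdtime": int(poll[1]),
        "this_unit": this[0], "this_state": this[1].strip(),
        "other_unit": other[0], "other_state": other[1].strip(),
    }


def parse_failover_history(text):
    """Return (timestamp, from_state, to_state, reason) tuples."""
    lines = [line.strip() for line in text.splitlines()
             if line.strip() and not line.startswith("=")]
    entries = []
    i = 0
    while i + 1 < len(lines):
        if lines[i].startswith("From State"):   # column header, skip it
            i += 1
            continue
        cols = re.split(r"\s{2,}", lines[i + 1])  # columns are separated by runs of spaces
        if len(cols) == 3:
            entries.append((lines[i], *cols))
        i += 2
    return entries


def assess(this_fo, peer_fo, history):
    """Findings a defender would act on: split-brain, lost peer, timer budget."""
    findings = []
    if this_fo["this_state"] == "Active" and peer_fo["this_state"] == "Active":
        findings.append("split-brain: both units report themselves Active")
    for side in (this_fo, peer_fo):
        if "Not Detected" in side["other_state"]:
            findings.append(f"{side['this_unit']} does not see its peer on the failover link")
    # Peer is declared failed once holdtime elapses without a hello, i.e. holdtime/polltime misses.
    missed = this_fo["holdtime"] // this_fo["polltime"]
    findings.append(f"peer is declared failed after {missed} consecutive missed hellos")
    if (this_fo["polltime"], this_fo["holdtime"]) != (peer_fo["polltime"], peer_fo["holdtime"]):
        findings.append("poll/hold timers differ between units")
    no_active = sum(1 for _, _, _, reason in history if reason == "No Active unit found")
    if no_active:
        findings.append(f"{no_active} history entries went Active because no peer was heard")
    return findings


if __name__ == "__main__":
    for line in assess(parse_show_failover(PRIMARY_FAILOVER),
                       parse_show_failover(SECONDARY_FAILOVER),
                       parse_failover_history(PRIMARY_HISTORY)):
        print(line)
```

Run against real output from both units (as the reply asks for), the "does not see its peer" finding on both sides with "No Active unit found" in the history points at the failover link itself rather than at the poll timer, which is what the 15-missed-hellos figure above makes explicit.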
10-14-2009 11:47 PM
Hi,
Thank you for your reply.
Q: Do you mean that the failover interfaces are directly connected to each other using a crossover cable?
Yes. Failover interfaces are directly connected using a crossover cable.
Duplex information on both firewalls for failover interface reveals that they are set to auto(half-duplex).
From the perspective of an end station in the LAN, there is an alternating packet drop. I mean if I ping any outside website, I can observe alternating "Request timed out".
Is this a problem due to low polltime? If not, what could be the cause for this to happen?