Testing failover?

Unanswered Question
May 14th, 2010


I've configured failover in GNS between two ASAs. I'm doing this for real this weekend, but I've run into a snag. If I shut the outside interface on the primary, traffic stops and the standby doesn't take over. The standby works though because I can manually fail it over and it passes traffic just fine. Is shutting the interface not a good way to test this?





If failover does not occur when the interface is closed/shut, you have a config issue: you need to make sure the "outside" or any of the interfaces are monitored, and you also should define, either by the number of interfaces or the % of failures, when failover will kick in, including the polling times, hold times etc. You should apply this in your lab and real environment.


And just to be clear and clarify "the interface is closed/shut": this cannot be an interface on the PIX/ASA, it has to be the device directly connected to it, i.e. the Switch/Router interface.

If you admin-close the "outside" or "inside" or any interface used for monitoring, this is a config change and will be "replicated" to the failover mate; this will not initiate a failover situation.
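Added example (editorial, not part of Andrew's or John's posts): an ASA active/standby failover configuration for the primary unit that makes the points above explicit, i.e. which interfaces are monitored, the interface-policy that decides when a monitored-interface failure triggers a switchover, and the poll/hold timers. Interface names, addresses and the failover key are assumed values; the interface timers shown are the ASA defaults.

```cisco
! Primary unit, active/standby failover over a dedicated failover link.
! Interface names, IP addresses and the key are assumed values for illustration.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248 standby 203.0.113.3
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0 standby 10.0.0.2
!
interface GigabitEthernet0/2
 description failover link (LAN-based failover + stateful link)
!
failover
failover lan unit primary
failover lan interface folink GigabitEthernet0/2
failover interface ip folink 192.0.2.1 255.255.255.252 standby 192.0.2.2
failover link folink GigabitEthernet0/2
failover key S3cr3tFailoverKey
!
! Interface monitoring. Physical interfaces are monitored by default, but
! state it explicitly so a reviewer can see exactly what is watched. Each
! monitored interface needs a standby IP so the peers can test it through
! the network, not just watch link state. Exclude interfaces you do not
! want to cause a switchover.
monitor-interface outside
monitor-interface inside
no monitor-interface management
!
! Switch over as soon as ONE monitored interface fails.
! Alternative: "failover interface-policy 50%" (percentage of monitored interfaces).
failover interface-policy 1
!
! Interface hello timers: poll every 5 s, declare the interface failed after
! 25 s without a response (ASA defaults; holdtime must be >= 5 x polltime).
failover polltime interface 5 holdtime 25
!
! Unit (peer) hello timers over the failover link: poll every 1 s, declare the
! peer dead after 3 s (holdtime must be >= 3 x polltime).
failover polltime unit 1 holdtime 3
```

Verify with `show failover` (look for the monitored interfaces listed as "Normal" on both units and the interface-policy in effect) and `show monitor-interface`. To test the way the answer describes, pull the cable or shut the port on the switch facing "outside" and watch the state change; `failover active` on the standby (or `no failover active` on the active) forces a manual switchover, which exercises the peer link and state replication but not interface monitoring.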


John Blakley Fri, 05/14/2010 - 09:43

Thanks Andrew. Shutting the interface on the opposite side makes sense. All of the interfaces are monitored by default. I'm pretty confident that in a real environment, the ASA will fail over when I pull the link from the outside interface. I'm trying to reproduce the scenario if the interface itself went out.

I'm going to recreate my environment in GNS and try to shut the opposite end and see what happens.



Ahhh John,

The GNS3 lab: failover will not work for you in a virtual LAB, it must be an actual physical test lab. Sorry, I missed the "GNS" reference in the original post. The issue is that the PIX/ASA are virtual machines, and as such "auto" provide ethernet keepalives and assume a good interface, so shutting the other device down will not bring down the PIX/ASA interface.

Just to double check: fire up a PIX/ASA with no network connections to it in GNS3, configure 1 interface, then open it. I'm pretty sure it will say up/up all the time!

I also think your real life failover test will pass 100%.


John Blakley Fri, 05/14/2010 - 10:08

I think you're right. GNS is good for some things, but sometimes real world tests are the only way to prove something really works. I'm installing the standby this Sunday, so I think I'll be fine. In GNS I can manually fail over and it works fine....

Thanks Andrew!


