Firewall failover

May 19th, 2010
Hi support,

I show you the configuration below.

Primary configuration:



failover
failover lan unit primary
failover lan interface failoverlink Management0/0
failover link failoverlink Management0/0
failover interface ip failoverlink 2.2.2.2 255.255.255.0 standby 2.2.2.3
failover group 1
  preempt
  replication http


Secondary configuration:


failover
failover lan unit secondary
failover lan interface failoverlink Management0/0
failover link failoverlink Management0/0
failover interface ip failoverlink 2.2.2.2 255.255.255.0 standby 2.2.2.3
failover group 1
  preempt
  replication http


ASA# sh failover
Failover On
Failover unit Secondary
Failover LAN Interface: failoverlink Management0/0 (Failed - No Switchover)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 250 maximum
failover replication http
Version: Ours 8.0(2), Mate 8.0(2)
Group 1 last failover at: 00:19:48 IST May 20 2010


  This host:    Secondary
  Group 1       State:          Active
                Active time:    93 (sec)


                slot 0: ASA5540 hw/sw rev (2.0/8.0(2)) status (Up Sys)
                  admin Interface intranet (10.190.10.1): Normal (Waiting)
                  admin Interface outside (50.4.90.6): Normal (Waiting)
                  admin Interface dmz (192.168.10.1): Normal (Waiting)
                  admin Interface INSIDE (192.168.40.1): Normal (Waiting)
                slot 1: ASA-SSM-20 hw/sw rev (1.0/5.1(6)E1) status (Up/Up)
                  IPS, 5.1(6)E1, Up


  Other host:   Primary
  Group 1       State:          Failed
                Active time:    656 (sec)


                slot 0: ASA5540 hw/sw rev (2.0/8.0(2)) status (Unknown/Unknown)
                  admin Interface intranet (0.0.0.0): Unknown (Waiting)
                  admin Interface outside (0.0.0.0): Unknown (Waiting)
                  admin Interface dmz (0.0.0.0): Unknown (Waiting)
                  admin Interface INSIDE (0.0.0.0): Unknown (Waiting)
                slot 1: ASA-SSM-20 hw/sw rev (1.0/5.1(6)E1) status (Unknown/Unknown)
                  IPS, 5.1(6)E1, Unknown


Stateful Failover Logical Update Statistics
        Link : failoverlink Management0/0 (Failed)
        Stateful Obj    xmit       xerr       rcv        rerr
        General         36         0          645        0
        sys cmd         36         0          36         0
        up time         0          0          0          0
        RPC services    0          0          0          0
        TCP conn        0          0          283        0
        UDP conn        0          0          107        0
        ARP tbl         0          0          219        0
        Xlate_Timeout   0          0          0          0
        SIP Session     0          0          0          0


        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       25      645
        Xmit Q:         0       1       36



Hello, can you answer my queries below?

1> Why is it showing me "Waiting"?

2> When one of my ports goes down, it does not switch over to the 2nd ASA firewall.

What should I change in the configuration to get the proper result?

Jennifer Halim Wed, 05/19/2010 - 21:35
User Badges:
  • Cisco Employee,

1> Why is it showing me "Waiting"? ---> It's in the waiting state because you have not configured the standby IP address for the standby firewall.


On each of the interfaces, you would need to configure a "standby" IP address, for example:

interface gig0/1
 nameif inside
 ip address 192.168.40.1 255.255.255.0 standby 192.168.40.2

Once that is configured, under "show failover" you would actually see the IP address assigned to the standby firewall interface.

2> When one of my ports goes down, it does not switch over to the 2nd ASA firewall ---> This is because your primary firewall is in the failed state.

From the show failover output, you can see that:

Other host:   Primary
  Group 1       State:          Failed


You might want to check why the primary ASA is in failed state.


Hope that helps.
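
A small parser for the "show failover" output discussed in this answer, added here as an example; it is not code from this thread or from Cisco. It picks out the two units' roles and states, the failover link status and each monitored interface's address, state and detail, then turns them into the findings a reviewer would raise: "Waiting" (no hello from the peer on that interface yet), 0.0.0.0 (no standby address known for that side) and "Failed". It handles both the multiple-context form shown above ("This host:", "admin Interface ...") and the single-context form ("This context:", "Interface ..."). The sample input is constructed from the output posted above and trimmed; the function and field names are this example's own.

```python
import re
from typing import Dict, List, NamedTuple, Optional

class IfaceStatus(NamedTuple):
    side: str     # "this" (the unit whose CLI produced the output) or "peer"
    context: str  # context name in multiple-context mode, "" in single mode
    name: str     # nameif
    ip: str       # address reported for that side; 0.0.0.0 means none known
    state: str    # Normal / Failed / Unknown / ...
    detail: str   # "Waiting" while no hello has arrived from the peer, else ""

_RE_ON = re.compile(r"^Failover (On|Off)\b")
_RE_LAN = re.compile(r"^Failover LAN Interface: (\S+) (\S+) \((.+)\)\s*$")
_RE_THIS = re.compile(r"^\s*(This host|This context):\s*(.+?)\s*$")
_RE_PEER = re.compile(r"^\s*(Other host|Peer context):\s*(.+?)\s*$")
_RE_GROUP = re.compile(r"^\s*Group \d+\s+State:\s+(.+?)\s*$")
_RE_IFACE = re.compile(
    r"^\s*(?:(\S+)\s+)?Interface (\S+) \(([0-9.]+)\):\s*(\S+)(?:\s*\((\S+)\))?")

def parse_show_failover(text: str) -> Dict:
    """Pull unit, link and interface status out of 'show failover' text."""
    info: Dict = {
        "failover_on": None,
        "lan_link": None,  # (nameif, physical interface, status text)
        "this": {"role": "", "state": "", "interfaces": []},
        "peer": {"role": "", "state": "", "interfaces": []},
    }
    side: Optional[str] = None  # which unit the current block of lines describes
    for line in text.splitlines():
        m = _RE_ON.match(line)
        if m:
            info["failover_on"] = m.group(1) == "On"
            continue
        m = _RE_LAN.match(line)
        if m:
            info["lan_link"] = (m.group(1), m.group(2), m.group(3))
            continue
        m = _RE_THIS.match(line) or _RE_PEER.match(line)
        if m:
            side = "this" if m.group(1).startswith("This") else "peer"
            # "This host: Primary" names the role; "This context: Active" names the state
            key = "role" if m.group(1).endswith("host") else "state"
            info[side][key] = m.group(2)
            continue
        m = _RE_GROUP.match(line)
        if m and side:
            info[side]["state"] = m.group(1)
            continue
        m = _RE_IFACE.match(line)
        if m and side:
            info[side]["interfaces"].append(IfaceStatus(
                side, m.group(1) or "", m.group(2), m.group(3), m.group(4), m.group(5) or ""))
    return info

def assess(info: Dict) -> List[str]:
    """Turn the parsed status into the findings a failover review would raise."""
    findings: List[str] = []
    if info["failover_on"] is False:
        findings.append("failover is Off")
    link = info["lan_link"]
    if link and link[2].lower() != "up":
        findings.append(f"failover link {link[0]} ({link[1]}) is '{link[2]}': "
                        "no hellos or state replication between the units")
    for side in ("this", "peer"):
        unit = info[side]
        label = f"{side} unit" + (f" ({unit['role']})" if unit["role"] else "")
        if unit["state"] and unit["state"] not in ("Active", "Standby Ready"):
            findings.append(f"{label} state is {unit['state']}")
        for i in unit["interfaces"]:
            where = f"{side} {i.context + '/' if i.context else ''}{i.name}"
            if i.ip == "0.0.0.0":
                findings.append(f"{where}: address 0.0.0.0, no standby ip address known "
                                "for this side (configure 'standby' on the interface)")
            if i.state == "Failed":
                findings.append(f"{where}: Failed, check cable, switch port and VLAN")
            elif i.detail == "Waiting":
                findings.append(f"{where}: Waiting, no hello from the peer on this interface yet")
    return findings

# Constructed sample, trimmed from the output posted in this thread (not a live capture).
SAMPLE_SHOW_FAILOVER = """\
Failover On
Failover unit Secondary
Failover LAN Interface: failoverlink Management0/0 (Failed - No Switchover)
Monitored Interfaces 4 of 250 maximum
Group 1 last failover at: 00:19:48 IST May 20 2010
  This host:    Secondary
  Group 1       State:          Active
                Active time:    93 (sec)
                slot 0: ASA5540 hw/sw rev (2.0/8.0(2)) status (Up Sys)
                  admin Interface outside (50.4.90.6): Normal (Waiting)
                  admin Interface INSIDE (192.168.40.1): Normal (Waiting)
  Other host:   Primary
  Group 1       State:          Failed
                slot 0: ASA5540 hw/sw rev (2.0/8.0(2)) status (Unknown/Unknown)
                  admin Interface outside (0.0.0.0): Unknown (Waiting)
                  admin Interface INSIDE (0.0.0.0): Unknown (Waiting)
"""

if __name__ == "__main__":
    for finding in assess(parse_show_failover(SAMPLE_SHOW_FAILOVER)):
        print("-", finding)
```

Run against the first output in this thread, the findings line up with the answer above: the failover link itself is down, the peer is Failed, every peer interface is 0.0.0.0 (no standby addresses), and every interface is still Waiting for a hello.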

mitang.prajapati Thu, 05/20/2010 - 03:10

Yes, you are right.

Here I am using the management interface for failover. Now, if I use a standby IP on the primary interface of all ports like outside, inside, intranet, INSIDE, it creates two IPs on each interface.

Now, if my primary firewall is down, does my secondary firewall work with the standby IP? Am I right? Or does it work with the same interface IP?

And one more thing I want to ask you: my interface IP is the gateway of other devices, so do I have to use two IPs for the gateway?

Correct Answer
Jennifer Halim Thu, 05/20/2010 - 03:39

No, whichever device is the active firewall will take over the primary IP address. The standby IP address will be assigned to the standby firewall so that the firewalls can check each other's interfaces to make sure that they are up. Otherwise, if it detects that an interface is down, it will fail over to the other box.

If your primary is down, the secondary will become the active firewall, and it will use the primary IP address.

Since the primary IP address will always be assigned to whichever firewall is active, the default gateway will always be that primary IP address.


Hope that helps.

mitang.prajapati Thu, 05/20/2010 - 06:42

Thanks for your support.

I have configured the standby IP on the interfaces. Now on my outside interface it still shows me failed.

What should I do to remove the failed state?

After I gave the IP, my secondary ASA is always in failed mode.

And what should I modify in the configuration of the firewalls below?


Primary configuration:

failover
failover lan unit primary
failover lan interface failoverlink Management0/0
failover link failoverlink Management0/0
failover interface ip failoverlink 2.2.2.2 255.255.255.0 standby 2.2.2.3
failover group 1
  preempt
  replication http

Secondary configuration:

failover
failover lan unit primary
failover lan interface failoverlink Management0/0
failover link failoverlink Management0/0
failover interface ip failoverlink 2.2.2.2 255.255.255.0 standby 2.2.2.3
failover group 1
  preempt
  replication http

Jennifer Halim Thu, 05/20/2010 - 14:48

Can you please share the output of "show failover" as well as "sh run interface" from both firewalls.

mitang.prajapati Thu, 05/20/2010 - 22:04

admin/ASA1# sh failover
Failover On
Last Failover at: 23:14:16 IST May 20 2010
        This context: Active
                Active time: 40170 (sec)
                  Interface intranet (10.190.10.1): Normal
                  Interface outside (50.4.90.6): Normal
                  Interface dmz (192.168.10.1): Normal
                  Interface INSIDE (192.168.40.1): Normal
        Peer context: Failed
                Active time: 3392 (sec)
                  Interface intranet (10.190.10.4): Normal
                  Interface outside (50.4.90.50): Failed (Waiting)
                  Interface dmz (192.168.10.2): Normal
                  Interface INSIDE (192.168.40.2): Normal

Stateful Failover Logical Update Statistics
        Status: Configured.
        Stateful Obj    xmit       xerr       rcv        rerr
        RPC services    0          0          0          0
        TCP conn        13883      0          0          0
        UDP conn        8631       0          0          0
        ARP tbl         22088      0          0          0
        Xlate_Timeout   0          0          0          0
        SIP Session     0          0          0          0

=================

admin/ASA1# sh run interface
!
interface GigabitEthernet0/0
 nameif intranet
 security-level 40
 ip address 10.190.10.1 255.255.255.0 standby 10.190.10.4
!
interface GigabitEthernet0/1
 nameif outside
 security-level 0
 ip address 59.4.90.6 255.255.255.192
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.10.1 255.255.255.0 standby 192.168.10.2
!
interface GigabitEthernet0/3
 nameif INSIDE
 security-level 100
 ip address 192.168.40.1 255.255.255.0 standby 192.168.40.2

==========================   system mode  ============================================

admin/ASA1# chang sys
ASA1# sh fail
ASA1# sh failover
Failover On
Failover unit Primary
Failover LAN Interface: failoverlink Management0/0 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 250 maximum
failover replication http
Version: Ours 8.0(2), Mate 8.0(2)
Group 1 last failover at: 23:14:16 IST May 20 2010

  This host:    Primary
  Group 1       State:          Active
                Active time:    40196 (sec)

                slot 0: ASA5540 hw/sw rev (2.0/8.0(2)) status (Up Sys)
                  admin Interface intranet (10.190.0.1): Normal
                  admin Interface outside (59.144.97.62): Normal
                  admin Interface dmz (192.168.1.1): Normal
                  admin Interface INSIDE (192.168.4.1): Normal
                slot 1: ASA-SSM-20 hw/sw rev (1.0/5.1(6)E1) status (Up/Up)
                  IPS, 5.1(6)E1, Up

  Other host:   Secondary
  Group 1       State:          Failed
                Active time:    3392 (sec)

                slot 0: ASA5540 hw/sw rev (2.0/8.0(2)) status (Up Sys)
                  admin Interface intranet (10.190.10.4): Normal
                  admin Interface outside (0.0.0.0): Failed (Waiting)
                  admin Interface dmz (192.168.10.2): Normal
                  admin Interface INSIDE (192.168.40.2): Normal
                slot 1: ASA-SSM-20 hw/sw rev (1.0/5.1(6)E1) status (Up/Up)
                  IPS, 5.1(6)E1, Up

Stateful Failover Logical Update Statistics
        Link : failoverlink Management0/0 (up)
        Stateful Obj    xmit       xerr       rcv        rerr
        General         50018      0          5305       0
        sys cmd         5305       0          5305       0
        up time         0          0          0          0
        RPC services    0          0          0          0
        TCP conn        13961      0          0          0
        UDP conn        8637       0          0          0
        ARP tbl         22115      0          0          0
        Xlate_Timeout   0          0          0          0
        SIP Session     0          0          0          0

        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       1       5305
        Xmit Q:         0       1       50023
ASA1#


+++++++++++++++++++++++++++++++++++++++


I have configured on ASA1 = primary:

failover
failover lan unit primary
failover lan interface failoverlink Management0/0
failover link failoverlink Management0/0
failover interface ip failoverlink 2.2.2.2 255.255.255.0 standby 2.2.2.3
failover group 1
  preempt
  replication http

On ASA2 = secondary:

failover
failover lan unit primary
failover lan interface failoverlink Management0/0
failover link failoverlink Management0/0
failover interface ip failoverlink 2.2.2.2 255.255.255.0 standby 2.2.2.3
failover group 1
  preempt
  replication http

When I changed ASA2 to "failover lan unit secondary" it did not work and I was not able to ping my interface.

It stops working.

So if I configure ASA2 with the above configuration (i.e. failover lan unit primary) then it works.

If there is any necessary change, please tell me.

Jennifer Halim Thu, 05/20/2010 - 22:09

It fails because you have not configured the standby IP address on the outside interface.

You have the following at the moment:

interface GigabitEthernet0/1
 nameif outside
 security-level 0
 ip address 59.4.90.6 255.255.255.192   <-------- no standby ip address assigned

Please add a spare IP address from the 59.4.90.0/26 subnet as the standby IP address for the outside interface.
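
A lint pass over the running-config, added here as an example (not this thread's or Cisco's code), that flags the problems this thread ran into before they show up as "Waiting" or "Failed" in "show failover": a named interface with an ip address but no standby address, a standby address outside its primary's subnet, and a "failover lan unit" line that does not match the role the unit should have (ASA2 above is configured as primary). It also raises one point the thread does not: without a "failover key", the hellos, configuration replication and stateful updates crossing the failover link are sent in clear text. The sample config is constructed from the stanzas posted above; the function names and the expected_unit argument are this example's own, and the check reads config text only, not a live device.

```python
import ipaddress
import re
from typing import Dict, List, Optional

_RE_IF = re.compile(r"^interface (\S+)\s*$")
_RE_NAMEIF = re.compile(r"^\s+nameif (\S+)")
_RE_IP = re.compile(r"^\s+ip address (\S+) (\S+)(?: standby (\S+))?")
_RE_UNIT = re.compile(r"^failover lan unit (primary|secondary)\b")
_RE_FOIP = re.compile(r"^failover interface ip (\S+) (\S+) (\S+) standby (\S+)")
_RE_KEY = re.compile(r"^failover key\b")

def in_same_subnet(ip: str, mask: str, other: str) -> bool:
    """True when 'other' lies inside the subnet of ip/mask (mask in dotted form)."""
    net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
    return ipaddress.ip_address(other) in net

def lint_failover_config(config: str, expected_unit: str) -> List[str]:
    """Flag failover misconfigurations in ASA running-config text."""
    findings: List[str] = []
    cur: Optional[Dict] = None   # interface stanza being read
    ifaces: List[Dict] = []
    unit_role: Optional[str] = None
    has_key = False
    for line in config.splitlines():
        m = _RE_IF.match(line)
        if m:
            cur = {"phys": m.group(1), "nameif": None, "ip": None, "mask": None, "standby": None}
            ifaces.append(cur)
            continue
        if cur is not None and line[:1].isspace():
            m = _RE_NAMEIF.match(line)
            if m:
                cur["nameif"] = m.group(1)
            m = _RE_IP.match(line)
            if m:
                cur["ip"], cur["mask"], cur["standby"] = m.group(1), m.group(2), m.group(3)
            continue
        cur = None  # any column-0 line ends the interface stanza
        m = _RE_UNIT.match(line)
        if m:
            unit_role = m.group(1)
        elif _RE_KEY.match(line):
            has_key = True
        else:
            m = _RE_FOIP.match(line)
            if m and not in_same_subnet(m.group(2), m.group(3), m.group(4)):
                findings.append(f"failover interface ip {m.group(1)}: standby {m.group(4)} "
                                f"is not in {m.group(2)}/{m.group(3)}")
    for i in ifaces:
        if not i["nameif"] or not i["ip"]:
            continue  # unnamed or unnumbered: not a monitored data interface
        label = f"{i['phys']} ({i['nameif']})"
        if i["standby"] is None:
            findings.append(f"{label}: no standby ip address; the peer shows 0.0.0.0 / Waiting "
                            "here and the units cannot test each other on this interface")
        elif i["standby"] == i["ip"] or not in_same_subnet(i["ip"], i["mask"], i["standby"]):
            findings.append(f"{label}: standby {i['standby']} must be a different host in "
                            f"{i['ip']}/{i['mask']}")
    if unit_role is None:
        findings.append(f"no 'failover lan unit' line; set it to {expected_unit} on this unit")
    elif unit_role != expected_unit:
        findings.append(f"'failover lan unit {unit_role}' but this unit should be {expected_unit}")
    if not has_key:
        findings.append("no 'failover key': hellos, config replication and stateful updates "
                        "cross the failover link in clear text")
    return findings

# Constructed sample: the stanzas posted in this thread, as seen on the secondary unit
# (interfaces from the admin context, failover block from the system). Not a live capture.
POSTED_CONFIG = """\
interface GigabitEthernet0/0
 nameif intranet
 security-level 40
 ip address 10.190.10.1 255.255.255.0 standby 10.190.10.4
!
interface GigabitEthernet0/1
 nameif outside
 security-level 0
 ip address 59.4.90.6 255.255.255.192
!
interface GigabitEthernet0/3
 nameif INSIDE
 security-level 100
 ip address 192.168.40.1 255.255.255.0 standby 192.168.40.2
!
interface Management0/0
 description LAN/STATE Failover Interface
!
failover
failover lan unit primary
failover lan interface failoverlink Management0/0
failover link failoverlink Management0/0
failover interface ip failoverlink 2.2.2.2 255.255.255.0 standby 2.2.2.3
failover group 1
  preempt
"""

if __name__ == "__main__":
    for finding in lint_failover_config(POSTED_CONFIG, expected_unit="secondary"):
        print("-", finding)
```

Fed the posted config with expected_unit="secondary", it reports exactly the three things to fix on ASA2: add a standby address on GigabitEthernet0/1, change the unit line to secondary, and add a failover key (the same key on both units). Adding those three lines to the sample brings the finding list to empty.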

mitang.prajapati Fri, 05/21/2010 - 04:02

I have done it.

See the output below:

admin/asa1# sh failover


Group 1 last failover at: 23:14:16 IST May 20 2010
  This host:    Primary
  Group 1       State:          Active
                Active time:    40196 (sec)


                slot 0: ASA5540 hw/sw rev (2.0/8.0(2)) status (Up Sys)
                  admin Interface intranet (10.190.10.1): Normal
                  admin Interface outside (59.4.90.6): Normal
                  admin Interface dmz (192.168.1.1): Normal
                  admin Interface INSIDE (192.168.4.1): Normal
                slot 1: ASA-SSM-20 hw/sw rev (1.0/5.1(6)E1) status (Up/Up)
                  IPS, 5.1(6)E1, Up


   Other host:   Secondary
  Group 1       State:          Failed
                Active time:    3392 (sec)
                slot 0: ASA5540 hw/sw rev (2.0/8.0(2)) status (Up Sys)
                  admin Interface intranet (10.190.10.4): Normal
                  admin Interface outside (59.4.90.45): Failed (Waiting)
                  admin Interface dmz (192.168.10.2): Normal
                  admin Interface INSIDE (192.168.40.2): Normal
                slot 1: ASA-SSM-20 hw/sw rev (1.0/5.1(6)E1) status (Up/Up)
                  IPS, 5.1(6)E1, Up

Jennifer Halim Fri, 05/21/2010 - 16:40

On the secondary firewall, it says "admin Interface outside (59.4.90.45): Failed (Waiting)".

Can you check whether the outside interface on the secondary firewall is actually plugged into a switch port, and in the same VLAN as the primary outside interface?

Please also check whether the physical interface has been unshut. Basically, just check normal interface connectivity, because as per the failover status, the interface failed.

mitang.prajapati Fri, 05/21/2010 - 21:08

Hi,

I have already checked the status, and if I shut down the 1st ASA then it goes to the 2nd ASA and everything works fine.

mitang.prajapati Sat, 05/22/2010 - 02:32

Hello,

I have checked: when the 1st ASA goes down/fails, traffic can then travel through the 2nd ASA.

Is there any other way of solving this?

Jennifer Halim Sat, 05/22/2010 - 03:51

Sorry, what do you mean?

What is the status of the failover?

Have you fixed the outside interface of the firewall which is showing failed/down?

mitang.prajapati Sun, 05/23/2010 - 21:33

Sorry, what do you mean?

I mean you can also see in the "show failover" command output that there is a Failed. OK, but now when I fail the 1st ASA, all my traffic goes through the 2nd firewall. I think you understand this.

What is the status of the failover?

As per your suggestion I configured the outside interface of the 1st ASA with a standby IP, but it still does not show me the normal state; it shows me the failed state.

Have you fixed the outside interface of the firewall which is showing failed/down?

No. And I have also checked that all cables are working fine.



Correct Answer
Jennifer Halim Mon, 05/24/2010 - 05:42

The outside interface on the secondary firewall says failed. I would suggest that you check the connectivity, cable and switch port connected to the outside interface of the secondary firewall. Make sure that you can ping out from that secondary firewall. Just check basic interface connectivity; otherwise failover will not work, as it checks the status of the interface before it can send keepalives to test the actual interface. If the interface itself is down/failed, then failover will not work.

mitang.prajapati Tue, 05/25/2010 - 08:07

Hi,

I have checked all connectivity and did a shut and no shut of my interface; then it came up and all ports on the interface are in the normal state.

Thanks for the support.
