05-19-2010 09:21 PM - edited 03-11-2019 10:48 AM
Hi support,
I show you the configuration below.
Primary configuration.........
failover
failover lan unit primary
failover lan interface failoverlink Management0/0
failover link failoverlink Management0/0
failover interface ip failoverlink 2.2.2.2 255.255.255.0 standby 2.2.2.3
failover group 1
preempt
replication http
Secondary Configuration....................
failover
failover lan unit secondary
failover lan interface failoverlink Management0/0
failover link failoverlink Management0/0
failover interface ip failoverlink 2.2.2.2 255.255.255.0 standby 2.2.2.3
failover group 1
preempt
replication http
ASA# sh failover
Failover On
Failover unit Secondary
Failover LAN Interface: failoverlink Management0/0 (Failed - No Switchover)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 250 maximum
failover replication http
Version: Ours 8.0(2), Mate 8.0(2)
Group 1 last failover at: 00:19:48 IST May 20 2010
This host: Secondary
Group 1 State: Active
Active time: 93 (sec)
slot 0: ASA5540 hw/sw rev (2.0/8.0(2)) status (Up Sys)
admin Interface intranet (10.190.10.1): Normal (Waiting)
admin Interface outside (50.4.90.6): Normal (Waiting)
admin Interface dmz (192.168.10.1): Normal (Waiting)
admin Interface INSIDE (192.168.40.1): Normal (Waiting)
slot 1: ASA-SSM-20 hw/sw rev (1.0/5.1(6)E1) status (Up/Up)
IPS, 5.1(6)E1, Up
Other host: Primary
Group 1 State: Failed
Active time: 656 (sec)
slot 0: ASA5540 hw/sw rev (2.0/8.0(2)) status (Unknown/Unknown)
admin Interface intranet (0.0.0.0): Unknown (Waiting)
admin Interface outside (0.0.0.0): Unknown (Waiting)
admin Interface dmz (0.0.0.0): Unknown (Waiting)
admin Interface INSIDE (0.0.0.0): Unknown (Waiting)
slot 1: ASA-SSM-20 hw/sw rev (1.0/5.1(6)E1) status (Unknown/Unknown)
IPS, 5.1(6)E1, Unknown
Stateful Failover Logical Update Statistics
Link : failoverlink Management0/0 (Failed)
Stateful Obj     xmit   xerr   rcv    rerr
General          36     0      645    0
sys cmd          36     0      36     0
up time          0      0      0      0
RPC services     0      0      0      0
TCP conn         0      0      283    0
UDP conn         0      0      107    0
ARP tbl          0      0      219    0
Xlate_Timeout    0      0      0      0
SIP Session      0      0      0      0
Logical Update Queue Information
                 Cur    Max    Total
Recv Q:          0      25     645
Xmit Q:          0      1      36
Hello, can you answer my queries below?
1> Why is it showing me "Waiting"?
2> When one of my ports goes down, it does not fail over to the 2nd ASA firewall.
What should I change in the configuration to get the proper result?
05-19-2010 09:35 PM
1> Why is it showing me "Waiting"? ---> It's in the waiting state because you have not configured the standby ip address for the standby firewall.
On each of the interface, you would need to configure "standby" ip address, for example:
interface gig0/1
nameif inside
ip address 192.168.40.1 255.255.255.0 standby 192.168.40.2
Once that is configured, under the show failover, you would actually see the ip address assigned to the standby firewall interface.
2> When one of my ports goes down, it does not fail over to the 2nd ASA firewall ---> this is because your primary firewall is in failed state.
From the show failover output, you can see that:
Other host: Primary
Group 1 State: Failed
You might want to check why the primary ASA is in failed state.
Hope that helps.
05-20-2010 03:10 AM
Yes, you are right.
Here I am using the management interface for failover. Now, if I use a standby IP on the primary interface of all ports like outside, inside, intranet and INSIDE, it creates two IPs on each interface.
Now, if my primary firewall goes down, does my secondary firewall work with the standby IP? Am I right?
Or does it work with the same interface IP?
And one more thing I want to ask you: my interface IP is the gateway of other devices, so do I have to use two IPs for the gateway?
05-20-2010 03:39 AM
No, whichever device is the active firewall, will take over the primary ip address. The standby ip address will be assigned to the standby firewall so that the firewall can check each others interfaces to make sure that they are up. Otherwise, if it detected that the interface is down, it will failover to the other box.
If your primary is down, the secondary will become the active firewall, and it will use the primary ip address.
Since the primary ip address will always be assigned to whichever firewall is active, the default gateway will always be that primary ip address.
Hope that helps.
05-20-2010 06:42 AM
Thanks for your support.
I have configured the standby IP on the interfaces. Now my outside interface still shows me as failed.
What should I do to remove the failure?
After I gave the IP, my secondary ASA is always in failed mode.
And what should I modify in the configuration of the firewalls below?
Primary configuration.........
failover
failover lan unit primary
failover lan interface failoverlink Management0/0
failover link failoverlink Management0/0
failover interface ip failoverlink 2.2.2.2 255.255.255.0 standby 2.2.2.3
failover group 1
preempt
replication http
Secondary Configuration....................
failover
failover lan unit primary
failover lan interface failoverlink Management0/0
failover link failoverlink Management0/0
failover interface ip failoverlink 2.2.2.2 255.255.255.0 standby 2.2.2.3
failover group 1
preempt
replication http
05-20-2010 02:48 PM
Can you please share the output of "show failover" as well as "sh run interface" from both firewalls.
05-20-2010 10:04 PM
admin/ASA1# sh failover
Failover On
Last Failover at: 23:14:16 IST May 20 2010
This context: Active
Active time: 40170 (sec)
Interface intranet (10.190.10.1): Normal
Interface outside (50.4.90.6): Normal
Interface dmz (192.168.10.1): Normal
Interface INSIDE (192.168.40.1): Normal
Peer context: Failed
Active time: 3392 (sec)
Interface intranet (10.190.10.4): Normal
Interface outside (50.4.90.50): Failed (Waiting)
Interface dmz (192.168.10.2): Normal
Interface INSIDE (192.168.40.2): Normal
Stateful Failover Logical Update Statistics
Status: Configured.
Stateful Obj     xmit   xerr   rcv    rerr
RPC services     0      0      0      0
TCP conn         13883  0      0      0
UDP conn         8631   0      0      0
ARP tbl          22088  0      0      0
Xlate_Timeout    0      0      0      0
SIP Session      0      0      0      0
=================
admin/ASA1# sh run interface
!
interface GigabitEthernet0/0
nameif intranet
security-level 40
ip address 10.190.10.1 255.255.255.0 standby 10.190.10.4
!
interface GigabitEthernet0/1
nameif outside
security-level 0
ip address 59.4.90.6 255.255.255.192
!
interface GigabitEthernet0/2
nameif dmz
security-level 50
ip address 192.168.10.1 255.255.255.0 standby 192.168.10.2
!
interface GigabitEthernet0/3
nameif INSIDE
security-level 100
ip address 192.168.40.1 255.255.255.0 standby 192.168.40.2
========================== system mode ============================================
admin/ASA1# chang sys
ASA1# sh fail
ASA1# sh failover
Failover On
Failover unit Primary
Failover LAN Interface: failoverlink Management0/0 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 250 maximum
failover replication http
Version: Ours 8.0(2), Mate 8.0(2)
Group 1 last failover at: 23:14:16 IST May 20 2010
This host: Primary
Group 1 State: Active
Active time: 40196 (sec)
slot 0: ASA5540 hw/sw rev (2.0/8.0(2)) status (Up Sys)
admin Interface intranet (10.190.0.1): Normal
admin Interface outside (59.144.97.62): Normal
admin Interface dmz (192.168.1.1): Normal
admin Interface INSIDE (192.168.4.1): Normal
slot 1: ASA-SSM-20 hw/sw rev (1.0/5.1(6)E1) status (Up/Up)
IPS, 5.1(6)E1, Up
Other host: Secondary
Group 1 State: Failed
Active time: 3392 (sec)
slot 0: ASA5540 hw/sw rev (2.0/8.0(2)) status (Up Sys)
admin Interface intranet (10.190.10.4): Normal
admin Interface outside (0.0.0.0): Failed (Waiting)
admin Interface dmz (192.168.10.2): Normal
admin Interface INSIDE (192.168.40.2): Normal
slot 1: ASA-SSM-20 hw/sw rev (1.0/5.1(6)E1) status (Up/Up)
IPS, 5.1(6)E1, Up
Stateful Failover Logical Update Statistics
Link : failoverlink Management0/0 (up)
Stateful Obj     xmit   xerr   rcv    rerr
General          50018  0      5305   0
sys cmd          5305   0      5305   0
up time          0      0      0      0
RPC services     0      0      0      0
TCP conn         13961  0      0      0
UDP conn         8637   0      0      0
ARP tbl          22115  0      0      0
Xlate_Timeout    0      0      0      0
SIP Session      0      0      0      0
Logical Update Queue Information
                 Cur    Max    Total
Recv Q:          0      1      5305
Xmit Q:          0      1      50023
ASA1#
+++++++++++++++++++++++++++++++++++++++
I have configured on ASA1 = primary:
failover
failover lan unit primary
failover lan interface failoverlink Management0/0
failover link failoverlink Management0/0
failover interface ip failoverlink 2.2.2.2 255.255.255.0 standby 2.2.2.3
failover group 1
preempt
replication http
On ASA2 = secondary:
failover
failover lan unit primary
failover lan interface failoverlink Management0/0
failover link failoverlink Management0/0
failover interface ip failoverlink 2.2.2.2 255.255.255.0 standby 2.2.2.3
failover group 1
preempt
replication http
When I changed ASA2 to "failover lan unit secondary", it stopped working and I was not able to ping my interfaces.
It just stops working.
So if I configure ASA2 with the above configuration (i.e. "failover lan unit primary"), then it works.
If there is any necessary change, please tell me.
05-20-2010 10:09 PM
It fails because you have not configure the standby ip address on the outside interface.
You have the following at the moment:
interface GigabitEthernet0/1
nameif outside
security-level 0
ip address 59.4.90.6 255.255.255.192 <-------- no standby ip address assigned
Please add a spare ip address from 59.4.90.0/26 subnet as the standby ip address for the outside interface.
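The two checks the replies in this thread keep coming back to (every monitored interface needs a standby address, and any interface the peer reports as Failed or Waiting needs its physical path checked) can be scripted against the CLI output. The block below is an added example, not code from this thread or from Cisco; it covers both the 05-19-2010 answer about the "Waiting" state and the 05-20-2010 answer about the outside interface missing its standby address. The sample `show run interface` and `show failover` text is constructed by trimming the outputs posted above, and the regular expressions assume the 8.0(2)-style line layout seen there (`admin Interface outside (0.0.0.0): Failed (Waiting)`), which is an assumption about the format rather than a documented contract.

```python
"""Audit Cisco ASA failover health from 'show run interface' and 'show failover'.

Added example, not code from the thread. Two checks:
  1. every interface with an 'ip address' line must also carry 'standby <ip>'
     (otherwise the peer shows it as Waiting and cannot test it);
  2. any monitored interface the peer reports as anything other than a plain
     'Normal' is listed with the fix the thread's replies suggest.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample input, trimmed from the outputs posted in this thread.
RUN_INTERFACE = """\
interface GigabitEthernet0/0
 nameif intranet
 security-level 40
 ip address 10.190.10.1 255.255.255.0 standby 10.190.10.4
!
interface GigabitEthernet0/1
 nameif outside
 security-level 0
 ip address 59.4.90.6 255.255.255.192
!
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 192.168.10.1 255.255.255.0 standby 192.168.10.2
!
interface Management0/0
 description failover link, deliberately no nameif
!
"""

SHOW_FAILOVER = """\
Failover On
Failover unit Primary
Failover LAN Interface: failoverlink Management0/0 (up)
Monitored Interfaces 3 of 250 maximum
This host: Primary
        Group 1 State: Active
                admin Interface intranet (10.190.10.1): Normal
                admin Interface outside (59.4.90.6): Normal
                admin Interface dmz (192.168.10.1): Normal
Other host: Secondary
        Group 1 State: Failed
                admin Interface intranet (10.190.10.4): Normal
                admin Interface outside (0.0.0.0): Failed (Waiting)
                admin Interface dmz (192.168.10.2): Normal (Waiting)
"""

# Assumed line shapes, taken from the outputs above (8.0(2) formatting).
IP_LINE = re.compile(r"^\s*ip address (\S+) (\S+)(?: standby (\S+))?\s*$")
NAMEIF_LINE = re.compile(r"^\s*nameif (\S+)")
HOST_LINE = re.compile(r"^\s*(This host|Other host|This context|Peer context): (\w+)")
IFACE_LINE = re.compile(r"^\s*(?:\S+\s+)?Interface (\S+) \(([\d.]+)\): (.+?)\s*$")


def missing_standby(run_interface: str) -> list[str]:
    """Return the nameifs whose 'ip address' line has no standby address."""
    found: list[str] = []
    nameif = None
    for line in run_interface.splitlines():
        if line.startswith("interface "):
            nameif = None                      # new interface block starts
            continue
        m = NAMEIF_LINE.match(line)
        if m:
            nameif = m.group(1)
            continue
        m = IP_LINE.match(line)
        if m and nameif and m.group(3) is None:
            found.append(nameif)
    return found


@dataclass(frozen=True)
class Problem:
    host: str       # e.g. "Primary" / "Secondary" (or "Active" / "Failed" in context mode)
    nameif: str
    address: str    # address the unit reports for that interface; 0.0.0.0 = none learned
    status: str     # text after the colon, e.g. "Failed (Waiting)"

    def diagnosis(self) -> str:
        """Map the status to the remediation the thread's replies give."""
        if self.address == "0.0.0.0":
            return "no standby address on this interface: add 'standby <ip>' under it"
        if self.status.startswith("Normal") and "Waiting" in self.status:
            return "peer cannot test this interface yet: verify standby address and VLAN on both units"
        if self.status.startswith("Failed"):
            return "interface test failed: check cable, switch port, VLAN, and that the port is not shut"
        if self.status.startswith("Unknown"):
            return "peer state unknown: check the failover LAN link itself"
        return "unrecognised status"


def failover_problems(show_failover: str) -> list[Problem]:
    """Return every monitored interface whose status is not a plain 'Normal'."""
    host = "?"
    problems: list[Problem] = []
    for line in show_failover.splitlines():
        m = HOST_LINE.match(line)
        if m:
            host = m.group(2)
            continue
        m = IFACE_LINE.match(line)
        if m and m.group(3) != "Normal":
            problems.append(Problem(host, m.group(1), m.group(2), m.group(3)))
    return problems


def audit(run_interface: str, show_failover: str) -> list[str]:
    """Combine both checks into one list of human-readable findings."""
    report = [f"{n}: no standby address configured; the peer cannot monitor it"
              for n in missing_standby(run_interface)]
    report += [f"{p.host}/{p.nameif} ({p.address}) {p.status}: {p.diagnosis()}"
               for p in failover_problems(show_failover)]
    return report


if __name__ == "__main__":
    for finding in audit(RUN_INTERFACE, SHOW_FAILOVER):
        print(finding)
```

On the sample above the audit reports the outside interface twice: once from the running config (no `standby` keyword) and once from `show failover` (peer address 0.0.0.0, Failed (Waiting)), plus the dmz interface that is up but still Waiting. Feed it the real outputs of `show run interface` and `show failover` from the system context and the list is the work order for the physical checks the last reply asks for.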
05-21-2010 04:02 AM
I have done it.
See the output below.
admin/asa1# sh failover
Group 1 last failover at: 23:14:16 IST May 20 2010
This host: Primary
Group 1 State: Active
Active time: 40196 (sec)
slot 0: ASA5540 hw/sw rev (2.0/8.0(2)) status (Up Sys)
admin Interface intranet (10.190.10.1): Normal
admin Interface outside (59.4.90.6): Normal
admin Interface dmz (192.168.1.1): Normal
admin Interface INSIDE (192.168.4.1): Normal
slot 1: ASA-SSM-20 hw/sw rev (1.0/5.1(6)E1) status (Up/Up)
IPS, 5.1(6)E1, Up
Other host: Secondary
Group 1 State: Failed
Active time: 3392 (sec)
slot 0: ASA5540 hw/sw rev (2.0/8.0(2)) status (Up Sys)
admin Interface intranet (10.190.10.4): Normal
admin Interface outside (59.4.90.45): Failed (Waiting)
admin Interface dmz (192.168.10.2): Normal
admin Interface INSIDE (192.168.40.2): Normal
slot 1: ASA-SSM-20 hw/sw rev (1.0/5.1(6)E1) status (Up/Up)
IPS, 5.1(6)E1, Up
05-21-2010 04:40 PM
On the secondary firewall, it says "admin Interface outside (59.4.90.45): Failed (Waiting)".
Can you check if the outside interface on the secondary firewall is actually plugged into a switch port, and in the same vlan as the primary outside interface?
Please also check if the physical interface has been unshut. Basically just check normal interface connectivity, because as per the failover status, it says the interface failed.
05-21-2010 09:08 PM
Hi,
I have already checked the status, and if I shut down the 1st ASA then it goes to the 2nd ASA and everything works fine.
05-22-2010 02:32 AM
Hello,
I have checked: when the 1st ASA is down (failed), traffic can travel through the 2nd ASA.
Is there any other solution?
05-22-2010 03:51 AM
Sorry, what do you mean?
What is the status of the failover?
Have you fixed the outside interface of the firewall which is showing failed/down?
05-23-2010 09:33 PM
Sorry, what do you mean?
I mean you can also see in the "show failover" command output that there is a "failed". OK, but when I fail the 1st ASA, all my traffic goes through the 2nd firewall. I think you understand this.
What is the status of the failover?
As per your suggestion I configured the outside interface of the 1st ASA with a standby IP, but it still does not show me the normal state; it shows the failed state.
Have you fixed the outside interface of the firewall which is showing failed/down?
No. And I have also checked that all cables are working fine.
05-24-2010 05:42 AM
The outside interface on the secondary firewall says failed. I would suggest that you check connectivity, cable, switch port which is connected to the outside interface of the secondary firewall. Make sure that you can ping out from that secondary firewall. Just checking basic interface connectivity, otherwise failover will not work as it checks the status of the interface before it can send keepalive to test the actual interface. If the interface itself is down/failed, then failover will not work.