Reg. failover query

Answered Question
Aug 3rd, 2010

Hi halijenn / experts

I have a query related to failover and want to know what exactly the advantage of using a switch between the 2 devices is. If I am using a crossover cable for the failover interfaces, I can understand that if the cable is bad or any of the ASA failover interface ports is faulty, it may lead to communication failure. Hence what is the advantage of using a switch in place of crossover cables?

Correct Answer by Kureli Sankar about 6 years 3 months ago

Nope. Shouldn't be any disruption.

-KS


mirober2 Tue, 08/03/2010 - 05:56

Hello,

This comes from the failover configuration guide:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ha_overview.html

When you use a crossover cable for the LAN failover link, if the LAN interface fails, the link is brought down on both peers. This condition may hamper troubleshooting efforts because you cannot easily determine which interface failed and caused the link to come down.

Hope that helps.

-Mike

ankurs2008 Tue, 08/03/2010 - 14:25

Hi Mike

I have already gone through the document. I want to know: if connectivity between the failover links is via a switch and any 1 of the switch ports (to which the other end of the ASA failover interface cable is connected) goes down, will the link on the other ASA be up or will it show down?

ASA1 (F/O Interface - Gig 0/3) ====Fa0/2 --(Switch) --Fa0/3======(F/O Interface - Gig 0/3) ASA2

Consider ASA 1 is acting as Primary (currently Active) and ASA 2 is Secondary (currently Standby). If the corresponding switchport of the ASA 1 firewall, i.e. Fa0/2, goes faulty, will the link on ASA 2 keep showing up or down?

In addition to that, what are the other advantages of keeping the switch? Also, by keeping a switch in between, is there any delay in the configuration replication from Active to Standby?

Correct Answer
Magnus Mortensen Tue, 08/03/2010 - 14:49

Ankurs,

With a switch in the middle, a failure of one interface will not affect the peer's interface (it will still stay up). It is advised to use a switch for this reason. In your example, a failure of Fa0/2 will not impact Fa0/3 by design. A switch will have zero impact on config replication performance or any replication of connections etc.

- Magnus

ankurs2008 Tue, 08/03/2010 - 19:56

Hi Magnus

Thanks a ton! I want to ask one more thing in this context.

1) With a crossover cable between the 2 failover links

If any one of the ASA failover interfaces is down, the failover link is brought down. Hence there will be no failover, as the failover link is the one through which heartbeats are sent across. Hence both the firewalls will remain in the state in which they currently are. Please correct me if I am wrong.

2) With a switch between the 2 failover links

If any of the ASA failover interfaces is down, the firewall with the healthy failover interface will start the interface tests.

Let me know if my understanding is correct.

Magnus Mortensen Tue, 08/03/2010 - 20:56

Ankurs,

The key to understanding failover is that we only change from STANDBY to ACTIVE if we determine we are 'healthier' than the peer. Device health is comprised of interface statuses (up and functional), device health (firewall up/down) and also module health (if you have an IPS or CSC module).

There is a great document online that shows the different failover scenarios:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807dac5f.shtml#actio

Here is the relevant chunk:

Failure event: Failover link failed within operation
Policy: No failover
Active action: Mark failover interface as failed
Standby action: Mark failover interface as failed
Note: You must restore the failover link as soon as possible because the unit cannot failover to the standby unit while the failover link is down.

- Magnus

ankurs2008 Wed, 08/04/2010 - 03:41

Hi Magnus

Thanks for the reply. However, over here my prime focus is still the difference between using a crossover cable and a switch for the failover, hence my previous question. I want to confirm that while using a switch (if any of the failover interfaces fails), the next step is obviously the interface checks, so that the healthy firewall can determine whether its peer is reachable or not. But if we use a crossover cable, the step of interface checking never happens, as the failover links are the ones that send heartbeats, and if both of them show as failed (scenario 1 - crossover cable), the process of failover will never initiate and we need to work on rectifying the issue and making both the interfaces functional.

So basically, with the above query in my mind, I am trying to convince myself that what I am thinking is right. Please share your thoughts.

Also I believe with scenario 1 (crossover cable), when both failover links fail, there will be no disruption of the network traffic flow. Right?

ankurs2008 Fri, 08/06/2010 - 01:56

Hi Magnus

Please let me know if my understanding is right. Thanks!

Kureli Sankar Sun, 08/08/2010 - 06:45

Ankur,

Your understanding is partially correct.

1. Crossover cable - as you understood, is not a good idea. Connection via a switch is the way to go.

2. When the failover cable breaks and along with that the primary/active unit loses interfaces, the secondary unit should take over if it has more interfaces up than the primary/active. This is resolved with this: http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsw37519

CSCsw37519    ENH Failover ability to switchover if FO LAN communication is severed

Symptom:
This is an ENHANCEMENT request only.

This enhancement request is to modify the behavior of failover, such that
if the LAN interface communication is severed, then the ASAs will attempt
to detect if only the LAN interface has an issue, or if other interfaces are
detected, and then make its failover decision at that point.

Conditions:
Active/Standby Failover, where the LAN communication is severed, causing
the Active unit to remain Active, but additional interfaces on the Active unit
also failed, causing traffic to be black-holed, as no switchover took place.

Workaround:
Configure Redundant interfaces for the LAN Failover interface -
taking different paths to reach the two ASAs.

-KS

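
The workaround quoted above (redundant interface for the LAN failover link, taking different paths to the two ASAs), written out as an added example ASA configuration for the primary unit; it is not from the thread or from Cisco's documentation, and the interface names, the failover link name and the addresses are assumed, as is that each member interface is cabled to a different switch:

```cisco
! Added example configuration, not from the original thread.
! Interface names, link name "folink" and addresses are assumed.
!
! Weak setting: one physical failover link over a single cable.
! If that port or a crossover cable fails, heartbeats stop on both
! units, the link is marked failed on both, and no switchover can
! happen even if the active unit also loses data interfaces:
!
!   failover lan interface folink GigabitEthernet0/3
!
! Corrected: a redundant interface whose two members reach the peer
! over two different switches (assumed: Gi0/2 to switch A, Gi0/3 to
! switch B). One failed port, cable or switch leaves the link up, so
! the units keep exchanging hellos and can still run interface tests.
! Member interfaces carry no configuration of their own.
interface Redundant1
 member-interface GigabitEthernet0/2
 member-interface GigabitEthernet0/3
 no shutdown
!
! Bind the failover link to the redundant interface, then assign the
! link addresses (active and standby) and enable failover last.
failover lan unit primary
failover lan interface folink Redundant1
failover interface ip folink 10.0.0.1 255.255.255.0 standby 10.0.0.2
failover
```

The secondary unit needs the same redundant interface and failover link definition with `failover lan unit secondary` before `failover` is enabled so the two can synchronize.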
ankurs2008 Tue, 08/10/2010 - 03:16

Hi kusankar

Thanks for the reply; however I am not sure if this is the answer I am looking for, though it is definitely informative.

1) With the below scenario, when one Failover LAN Interface fails (say Gig0/3 of ASA1, which is Prim/Act), both failover links will show down. In this case will there be disruption of the network traffic flow or not? (As we know, according to the Cisco doc both will continue to remain designated to their current positions and no failover will happen.)

ASA1 (F/O Interface - Gig 0/3) ====CROSS CABLE======(F/O Interface - Gig 0/3) ASA2

2) If the LAN Failover Interface communication between the 2 ASAs fails (and the data interfaces of these ASAs are fine and up), there is no switchover. Is the enhancement for the below bug trying to say that in spite of the LAN failover interface being down on any one of the ASAs (and then the failover links Gig 0/3 being brought down for both ASAs), failover should take place?

Kureli Sankar Wed, 08/11/2010 - 04:08

Ankur,

1) With the below scenario, when one Failover LAN Interface fails (say Gig0/3 of ASA1, which is Prim/Act), both failover links will show down. In this case will there be disruption of the network traffic flow or not? (As we know, according to the Cisco doc both will continue to remain designated to their current positions and no failover will happen.)

ASA1 (F/O Interface - Gig 0/3) ====CROSS CABLE======(F/O Interface - Gig 0/3) ASA2

Correct. Unless the primary active unit loses more interfaces than the sec/standby, in which case there will be a failover, as the standby unit will be deemed healthier than the active.

2. You understood the ENH defect correctly.

-KS

ankurs2008 Wed, 08/11/2010 - 06:31

Thanks a ton!!! In case 1, will there be disruption of the network traffic flow or not?
