asa failover

Answered Question
Aug 5th, 2010

Hi,


I have just taken over the management of this. From what I understand, failover has never been tested, but the config looks right. I was hoping someone could take a look and confirm my thought.


interface GigabitEthernet0/0
 nameif External-AN
 security-level 0
 ip address xx.xx.xx.xx 255.255.255.192 standby xx.xx.xx.xx
!
interface GigabitEthernet0/1
 description LAN/STATE Failover Interface
!
interface GigabitEthernet0/2
 nameif Internal-Subnet20
 security-level 100
 ip address 192.168.20.1 255.255.255.0 standby 192.168.20.2
!
interface GigabitEthernet0/3
 nameif Internal-Subnet5
 security-level 100
 ip address 192.168.5.1 255.255.255.0 standby 192.168.5.2




fw1# sh failover
Failover On
Failover unit Secondary
Failover LAN Interface: failover GigabitEthernet0/1 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 250 maximum
failover replication http
Version: Ours 8.2(1), Mate 8.2(1)
Last Failover at: 04:56:27 EDT May 3 2010
        This host: Secondary - Active
                Active time: 8043993 (sec)
                slot 0: ASA5520 hw/sw rev (2.0/8.2(1)) status (Up Sys)
                  Interface External-AN (xx.xx.xx.xx): Normal
                  Interface Internal-Subnet20 (192.168.20.1): Normal
                  Interface Internal-Subnet5 (192.168.5.1): Normal
                  Interface management (0.0.0.0): Link Down (Not-Monitored)
                slot 1: empty
        Other host: Primary - Standby Ready
                Active time: 0 (sec)
                slot 0: ASA5520 hw/sw rev (2.0/8.2(1)) status (Up Sys)
                  Interface External-AN (xx.xx.xx.xx): Normal
                  Interface Internal-Subnet20 (192.168.20.2): Normal
                  Interface Internal-Subnet5 (192.168.5.2): Normal
                  Interface management (0.0.0.0): Normal (Not-Monitored)
                slot 1: empty


Stateful Failover Logical Update Statistics
        Link : failover GigabitEthernet0/1 (up)
        Stateful Obj    xmit       xerr       rcv        rerr
        General         36833939   0          3541299    3
        sys cmd         1278322    0          1278322    0
        up time         0          0          0          0
        RPC services    0          0          0          0
        TCP conn        20760464   0          759190     1
        UDP conn        12738239   0          1267238    2
        ARP tbl         2048444    0          236063     0
        Xlate_Timeout   0          0          0          0
        VPN IKE upd     1756       0          154        0
        VPN IPSEC upd   6684       0          332        0
        VPN CTCP upd    0          0          0          0
        VPN SDI upd     0          0          0          0
        VPN DHCP upd    0          0          0          0
        SIP Session     30         0          0          0


        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       17      7292769
        Xmit Q:         0       883     64098245



fw1# sh failover interface
        interface failover GigabitEthernet0/1
                System IP Address: 10.10.10.1 255.255.255.252
                My IP Address    : 10.10.10.2
                Other IP Address : 10.10.10.1


failover lan unit secondary
failover lan interface failover GigabitEthernet0/1
failover replication http
failover link failover GigabitEthernet0/1
failover interface ip failover 10.10.10.1 255.255.255.252 standby 10.10.10.2



============================================================================


primary (currently not active)


fw1# sh fail
fw1# sh failover
Failover On
Failover unit Primary
Failover LAN Interface: failover GigabitEthernet0/1 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 250 maximum
failover replication http
Version: Ours 8.2(1), Mate 8.2(1)
Last Failover at: 12:16:06 EDT May 3 2010
        This host: Primary - Standby Ready
                Active time: 0 (sec)
                slot 0: ASA5520 hw/sw rev (2.0/8.2(1)) status (Up Sys)
                  Interface External-AN (xx.xx.xx.xx): Normal
                  Interface Internal-Subnet20 (192.168.20.2): Normal
                  Interface Internal-Subnet5 (192.168.5.2): Normal
                  Interface management (0.0.0.0): Link Down (Not-Monitored)
                slot 1: empty
        Other host: Secondary - Active
                Active time: 8044637 (sec)
                slot 0: ASA5520 hw/sw rev (2.0/8.2(1)) status (Up Sys)
                  Interface External-AN (xx.xx.xx.xx): Normal
                  Interface Internal-Subnet20 (192.168.20.1): Normal
                  Interface Internal-Subnet5 (192.168.5.1): Normal
                  Interface management (0.0.0.0): Normal (Not-Monitored)
                slot 1: empty


Stateful Failover Logical Update Statistics
        Link : failover GigabitEthernet0/1 (up)
        Stateful Obj    xmit       xerr       rcv        rerr
        General         1072438    0          27627703   266
        sys cmd         1072438    0          1072438    0
        up time         0          0          0          0
        RPC services    0          0          0          0
        TCP conn        0          0          15031811   213
        UDP conn        0          0          9467080    53
        ARP tbl         0          0          2048569    0
        Xlate_Timeout   0          0          0          0
        VPN IKE upd     0          0          1756       0
        VPN IPSEC upd   0          0          6019       0
        VPN CTCP upd    0          0          0          0
        VPN SDI upd     0          0          0          0
        VPN DHCP upd    0          0          0          0
        SIP Session     0          0          30         0


        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       30      54896706
        Xmit Q:         0       1       1072438
fw1#





fw1# sh failover interface
        interface failover GigabitEthernet0/1
                System IP Address: 10.10.10.1 255.255.255.252
                My IP Address    : 10.10.10.1
                Other IP Address : 10.10.10.2


firewall conf



failover
failover lan unit primary
failover lan interface failover GigabitEthernet0/1
failover replication http
failover link failover GigabitEthernet0/1
failover interface ip failover 10.10.10.1 255.255.255.252 standby 10.10.10.2

Correct Answer by Jon Marshall about 6 years 8 months ago

Yes, looks fine to me and failover must have worked at least once as the active firewall is now the standby.


One point though: when posting configs or outputs from devices, if they contain public IPs, can you blank them out, e.g. xx.xx.xx.xx?


Jon
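
The checks the answer makes by eye can be scripted. The following is an added example, not part of the original thread: it parses `show failover` text of the shape posted in the question and reports anything that would stop the pair from failing over cleanly. The function names `parse_failover`, `findings` and `primary_is_standby` are hypothetical, and the sample is trimmed from the secondary unit's output above.

```python
import re
# Trimmed from the secondary unit's "sh failover" output posted in the question.
SAMPLE = """\
Failover On
Failover LAN Interface: failover GigabitEthernet0/1 (up)
Version: Ours 8.2(1), Mate 8.2(1)
        This host: Secondary - Active
                  Interface External-AN (xx.xx.xx.xx): Normal
                  Interface management (0.0.0.0): Link Down (Not-Monitored)
        Other host: Primary - Standby Ready
        TCP conn        20760464   0          759190     1
"""

def parse_failover(text):
    """Extract the health-relevant fields from ASA 'show failover' text."""
    def grab(pattern):
        m = re.search(pattern, text, re.M)
        return m.groups() if m else None
    ifaces = re.findall(r"Interface (\S+) \([^)]*\): (.+?) *$", text, re.M)
    rows = re.findall(r"^ +(\S.*?) {2,}(\d+) +(\d+) +(\d+) +(\d+) *$", text, re.M)
    return {
        "enabled": bool(re.search(r"^Failover On *$", text, re.M)),
        "lan_link": grab(r"^Failover LAN Interface: .*\((\w+)\)"),
        "versions": grab(r"^Version: Ours (\S+), Mate (\S+)"),
        "this": grab(r"This host: (\w+) - (.+?) *$"),
        "other": grab(r"Other host: (\w+) - (.+?) *$"),
        # "(Not-Monitored)" interfaces cannot trigger a failover, so skip them.
        "bad_ifaces": [(n, s) for n, s in ifaces if "Not-Monitored" not in s and s != "Normal"],
        # Stateful rows are name, xmit, xerr, rcv, rerr; keep rows with errors.
        "errors": {n: (int(xe), int(rerr)) for n, _, xe, _, rerr in rows
                   if int(xe) or int(rerr)},
    }

def findings(info):
    """Return a list of problems; an empty list means the pair looks healthy."""
    states = {h[1] for h in (info["this"], info["other"]) if h}
    checks = [
        (info["enabled"], "failover is not enabled"),
        (info["lan_link"] == ("up",), "failover LAN link is not up"),
        (len(set(info["versions"] or ())) == 1, "unit software versions differ"),
        (states == {"Active", "Standby Ready"}, "pair is not Active / Standby Ready"),
    ]
    return ([msg for ok, msg in checks if not ok]
            + [f"monitored interface {n} is {s}" for n, s in info["bad_ifaces"]])

def primary_is_standby(info):
    """The observation the answer relies on: the Primary unit is not active."""
    units = dict(h for h in (info["this"], info["other"]) if h)
    return units.get("Primary") not in (None, "Active")
```

Run it against the output of both units; the `errors` field lists stateful object types with non-zero `xerr` or `rerr` counters, which is worth watching over time rather than treating as a failure on its own.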

Jon Marshall Thu, 08/05/2010 - 09:38