ASA 5510 Active/Standby Failover question

Aug 11th, 2010

We have a pair of ASA 5510s running 7.2(4)30 in Active/Standby Failover mode.


We have all interfaces with Primary and Secondary IP Addresses.


All Interfaces on both units are up and working.


There is a single switch between workstations and ASAs. ASAs and switches are configured with OSPF.


I have always been able to get to both "inside" interfaces on the Primary and Secondary ASAs, but I am currently not able to get to the Secondary unit.


When looking at the failover status, I see the Secondary unit has all interfaces as up and normal and ready to become the active unit.


The reason I cannot get to the secondary unit, is that there are no OSPF routes in the route table, only static and connected, and there are no (and never have been) static routes pointing to the inside networks.


All of that routing is handled by OSPF.


I have never looked in the Standby unit to see if there was a fully populated OSPF route table the same as the Primary.


Is there supposed be a functional OSPF route table in the Secondary unit, or is that populated when it becomes the Primary?


I would assume there was because I could get to it before from different vlans.

Nagaraja Thanthry (Cisco Employee) Wed, 08/11/2010 - 14:21

Hello,


What you are seeing is normal. The secondary will not have a fully populated OSPF table until it becomes primary (dynamic routing protocol information is not sync'd between primary/secondary).


http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/h...erview.html#wp1078941


The table in the above link refers to all the components that are sync'd/not sync'd between the active/standby devices.


Hope this helps.

Regards,

NT

Jon Marshall (Super Blue, 32500 points or more; Hall of Fame, Founding Member; Cisco Designated VIP, 2017 LAN, WAN) Wed, 08/11/2010 - 14:31

Richard


As NT says, this is normal and, to be honest, one of the disadvantages of running a dynamic routing protocol in active/standby: not only can you sometimes not get to the standby, as you have found, but more importantly, if the firewall does fail over you have to wait for the standby to build its routing table before it can start forwarding traffic.


Obviously, if you can connect from the directly connected VLAN you will not need to rely on OSPF not running, so you need to telnet to the switch that has the L3 routed interface that is common to the ASA inside interface, if there is one (which there probably is).


Jon
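The following is an added example, not code from the thread: it parses ASA `show route` output captured from the active and the standby unit, lists the OSPF-learned prefixes the standby lacks, and shows which interface each unit would reply from for a given management host, which is what decides whether the standby is reachable from a remote VLAN versus the directly connected one. The two route tables are constructed sample data in the ASA's mask notation; the host addresses are assumptions.

```python
"""Why a standby ASA can be unreachable: OSPF routes are not replicated, so the
standby may answer a remote host from a different interface than the active."""
import ipaddress
import re

# One ASA route line: code(s), network, mask, ..., egress interface last.
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Z]\*?(?: [A-Z0-9]{1,2})?)\s+"
    r"(?P<net>\d+\.\d+\.\d+\.\d+)\s+(?P<mask>\d+\.\d+\.\d+\.\d+)\s+"
    r".*,\s*(?P<iface>[^\s,]+)\s*$"
)
DYNAMIC_CODES = {"O", "R", "B", "D"}  # OSPF, RIP, BGP, EIGRP (S and C are synced config)

# Constructed 'show route' captures; only the active unit holds OSPF routes.
ACTIVE_SHOW_ROUTE = """\
Gateway of last resort is 192.168.1.1 to network 0.0.0.0

C    192.168.1.0 255.255.255.0 is directly connected, outside
C    10.1.1.0 255.255.255.0 is directly connected, inside
O    10.1.2.0 255.255.255.0 [110/20] via 10.1.1.2, 0:01:10, inside
O IA 10.1.3.0 255.255.255.0 [110/30] via 10.1.1.2, 0:01:10, inside
S*   0.0.0.0 0.0.0.0 [1/0] via 192.168.1.1, outside
"""
STANDBY_SHOW_ROUTE = """\
C    192.168.1.0 255.255.255.0 is directly connected, outside
C    10.1.1.0 255.255.255.0 is directly connected, inside
S*   0.0.0.0 0.0.0.0 [1/0] via 192.168.1.1, outside
"""

def parse_routes(text):
    """Return [(code letter, IPv4Network, interface)] for every route line."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.rstrip())
        if m:  # header and 'Gateway of last resort' lines do not match
            net = ipaddress.IPv4Network(f"{m['net']}/{m['mask']}")
            routes.append((m["code"][0], net, m["iface"]))
    return routes

def egress_interface(routes, host):
    """Longest-prefix match: the interface this unit would reply to host from."""
    addr = ipaddress.IPv4Address(host)
    hits = [(net.prefixlen, iface) for _, net, iface in routes if addr in net]
    return max(hits)[1] if hits else None

def missing_dynamic_routes(active_text, standby_text):
    """Dynamically learned prefixes on the active unit absent from the standby."""
    standby_nets = {net for _, net, _ in parse_routes(standby_text)}
    return sorted(str(net) for code, net, _ in parse_routes(active_text)
                  if code in DYNAMIC_CODES and net not in standby_nets)

def reply_paths(active_text, standby_text, host):
    """(active egress, standby egress); a mismatch means the standby replies the wrong way."""
    return (egress_interface(parse_routes(active_text), host),
            egress_interface(parse_routes(standby_text), host))
```

A host on a remote VLAN (10.1.2.50) gets its reply from the standby via the default route out "outside", while a host on the directly connected inside VLAN (10.1.1.50) is answered correctly by both units, matching Jon's advice to connect from the directly connected VLAN.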
