Failover of ASA when interfaces are in waiting state

Unanswered Question
Sep 1st, 2010

Hello Everyone,

I have redundant firewalls on a multicontext active/standby setup. There are only 3 interfaces (inside, dmz, outside) configured using subinterfaces for all contexts. I am getting a waiting state on the interfaces when I do "sh failover". Unfortunately at this moment I cannot provide a config of the "sh failover" since I am having an access problem due to a changeover to TACACS. I will do so in a very short while.

I need to know if it is possible to do a forceful failover when the interfaces are in active state. Currently the active firewall is "ACTIVE" and the secondary firewall is "STANDBY READY".

You can see my last post on the same issue -


andhingr Wed, 09/01/2010 - 17:13

As long as your failover is working fine active/standby you can do the failover. For the interfaces in waiting state you need to check connectivity as it cannot check the standby ip.

- AD

Allen P Chen Wed, 09/01/2010 - 17:12

Do you have standby IP addresses assigned to your interfaces? This could be a possible reason why your interfaces are in waiting state:

Normal (Waiting)

The interface is up but has not yet received a hello packet from the corresponding interface on the peer unit. Verify that a standby IP address has been configured for the interface and that there is connectivity between the two interfaces.

Also, since you are using subinterfaces, did you specify those subinterfaces to be monitored by failover? By default physical interfaces are monitored, while subinterfaces are not:

By default, monitoring of physical interfaces is enabled and the monitoring of subinterfaces is disabled. You can enable monitoring for subinterfaces with the command "monitor-interface ":

sidcracker Wed, 09/01/2010 - 17:21

Hi Allen,

In every context I am monitoring the interfaces. The interfaces are being monitored like this

admin context

interface outsideshared
 nameif outside
 security-level 55
 ip address standby
interface dmzadmincontext
 nameif dmz
 security-level 60
 ip address standby
interface insideadmincontext
 nameif inside
 security-level 100
 ip address standby

monitor-interface outside
monitor-interface dmz
monitor-interface inside

customer A context

interface outside
 nameif outside
 security-level 0
 ip address standby
interface inside
 nameif inside
 security-level 98
 ip address standby

monitor-interface outside
monitor-interface inside

All these interfaces are subinterfaces defined as vlans in the system context. These are configs which I have on my machine (address changes)
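
An added example, not part of the thread and not Cisco tooling: an offline check of one context's configuration for the two conditions named in Allen's reply, a missing standby address and a subinterface with no monitor-interface line. The sample configuration, its addresses and the function name audit_context are constructed for illustration, and the check assumes every interface in the context is a subinterface, so one without a monitor-interface line is unmonitored.

```python
import re

# Constructed sample context (documentation-range addresses, not from the thread).
SAMPLE_CONTEXT = """\
interface outside
 nameif outside
 ip address 192.0.2.1 255.255.255.0 standby 192.0.2.2
interface inside
 nameif inside
 ip address 198.51.100.1 255.255.255.0
interface dmz
 nameif dmz
 ip address 203.0.113.1 255.255.255.0 standby 203.0.113.2
monitor-interface outside
monitor-interface inside
"""

# "ip address <ip> <mask> [standby <ip>]" inside an interface block
IP_RE = re.compile(r"ip address (\S+) (\S+)(?: standby (\S+))?$")

def audit_context(config):
    """Return {nameif: [problems]} for one ASA context configuration."""
    standby = {}       # nameif -> standby IP, or None when not configured
    monitored = set()  # nameifs listed under monitor-interface
    nameif = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            nameif = None                      # new block, nameif not seen yet
        elif line.startswith("nameif "):
            nameif = line.split()[1]
            standby.setdefault(nameif, None)
        elif line.startswith("monitor-interface "):
            monitored.add(line.split()[1])
        elif nameif and (m := IP_RE.match(line)):
            standby[nameif] = m.group(3)       # None when "standby" is absent
    findings = {}
    for name, sb in standby.items():
        problems = []
        if sb is None:
            problems.append("no standby IP")
        if name not in monitored:
            problems.append("not monitored")
        if problems:
            findings[name] = problems
    for name in monitored - set(standby):
        findings[name] = ["monitor-interface refers to unknown nameif"]
    return findings

if __name__ == "__main__":
    print(audit_context(SAMPLE_CONTEXT))
```

An interface reported with "no standby IP" has nothing for the peer's hello packets to come from, which is the condition the quoted "Normal (Waiting)" description says to rule out first.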


