
ASA-Failover

nuria.andres
Level 1

Hi,

I have 2 Cisco ASAs configured in failover. In the primary unit, I can see:

This host: Primary - Active

Active time: 3349739 (sec)

slot 0: ASA5520 hw/sw rev (1.1/7.1(2)) status (Up Sys)

Interface outside (192.168.29.203): Normal

Interface inside (172.26.100.200): Normal

Interface dmzisa (192.168.27.100): Normal

Interface management (192.168.29.105): Link Down (Not-Monitored)

slot 1: ASA-SSM-20 hw/sw rev (1.0/CSC SSM 6.1 (Build#1519)) status (Up/Up)

Logging port IP: 192.168.29.103/25

CSC SSM, 6.1 (Build#1519), Up

Other host: Secondary - Standby Ready

Active time: 277 (sec)

slot 0: ASA5520 hw/sw rev (1.1/7.1(2)) status (Up Sys)

Interface outside (192.168.29.204): Normal

Interface inside (172.26.100.201): Normal

Interface dmzisa (192.168.27.101): Normal

Interface management (192.168.29.106): Normal (Not-Monitored)

slot 1: ASA-SSM-20 hw/sw rev (1.0/CSC SSM 6.1 (Build#1519)) status (Up/Up)

Logging port IP: 192.168.29.104/25

However, the management interface is in shutdown on both ASAs.

On the other hand, in the standby unit, I have:

This host: Secondary - Standby Ready

Active time: 277 (sec)

slot 0: ASA5520 hw/sw rev (1.1/7.1(2)) status (Up Sys)

Interface outside (192.168.29.204): Normal

Interface inside (172.26.100.201): Normal

Interface dmzisa (192.168.27.101): Normal

Interface management (192.168.29.106): Link Down (Not-Monitored)

slot 1: ASA-SSM-20 hw/sw rev (1.0/CSC SSM 6.1 (Build#1519)) status (Up/Up)

Logging port IP: 192.168.29.104/25

CSC SSM, 6.1 (Build#1519), Up

Other host: Primary - Active

Active time: 3349581 (sec)

slot 0: ASA5520 hw/sw rev (1.1/7.1(2)) status (Up Sys)

Interface outside (192.168.29.203): Normal

Interface inside (172.26.100.200): Normal

Interface dmzisa (192.168.27.100): Normal

Interface management (192.168.29.105): Link Down (Not-Monitored)

slot 1: ASA-SSM-20 hw/sw rev (1.0/CSC SSM 6.1 (Build#1519)) status (Up/Up)

Logging port IP: 192.168.29.103/25

CSC SSM, 6.1 (Build#1519), Up

What is wrong?

Best Regards.

Thank you very much

Nuria

6 Replies

a.kiprawih
Level 7

This could be a physical connectivity issue.

Do you connect both management ports to active ports? Link down means no signal is received by the ASA from the other end.

Can you post both interface detail status?

HTH

AK

In ASA1:

FWASA# sh interface management

Interface Management0/0 "management", is administratively down, line protocol is up

Hardware is i82557, BW 100 Mbps

Auto-Duplex(Half-duplex), Auto-Speed(100 Mbps)

MAC address 0018.195b.dee3, MTU 1500

IP address 192.168.29.105, subnet mask 255.255.255.128

8863 packets input, 971812 bytes, 0 no buffer

Received 1149 broadcasts, 0 runts, 0 giants

2 input errors, 0 CRC, 0 frame, 2 overrun, 0 ignored, 0 abort

0 L2 decode drops

17838 packets output, 3923878 bytes, 0 underruns

0 output errors, 144 collisions, 0 interface resets

0 babbles, 0 late collisions, 153 deferred

0 lost carrier, 0 no carrier

input queue (curr/max blocks): hardware (128/128) software (0/128)

output queue (curr/max blocks): hardware (1/16) software (0/1)

Traffic Statistics for "management":

8503 packets input, 826979 bytes

13470 packets output, 3684385 bytes

601 packets dropped

In ASA2:

FWASA# sh interface management

Interface Management0/0 "management", is administratively down, line protocol is up

Hardware is i82557, BW 100 Mbps

Auto-Duplex(Half-duplex), Auto-Speed(100 Mbps)

MAC address 0018.1900.52fa, MTU 1500

IP address 192.168.29.106, subnet mask 255.255.255.128

214 packets input, 7180 bytes, 0 no buffer

Received 63 broadcasts, 0 runts, 0 giants

0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort

0 L2 decode drops

2 packets output, 128 bytes, 0 underruns

0 output errors, 0 collisions, 0 interface resets

0 babbles, 0 late collisions, 0 deferred

0 lost carrier, 0 no carrier

input queue (curr/max blocks): hardware (128/128) software (0/46)

output queue (curr/max blocks): hardware (1/1) software (0/1)

Traffic Statistics for "management":

87 packets input, 5422 bytes

2 packets output, 56 bytes

32 packets dropped

In both ASAs, I have put this interface in shutdown. But in ASA1, when I do "show failover", it appears as "normal".

Best Regards

Thank you very much

Nuria

Looks like management port is in shutdown state. Can you unshut/enable both interfaces?

This should work.

HTH

AK

Yes, they are in shutdown. But I want those interfaces to be in shutdown.

However, in ASA1, when I do "show failover", this device sees the management interface in ASA2 as "up". And that is wrong. And I don't know why.

Thank you very much.

Your concern is noted:

Primary unit - sh failover

Interface management (192.168.29.105): Link Down (Not-Monitored)

Interface management (192.168.29.106): Normal (Not-Monitored)

Secondary unit:

Interface management (192.168.29.106): Link Down (Not-Monitored)

Interface management (192.168.29.105): Link Down (Not-Monitored)

Can you post the ASA config, specifically the interface configuration and the whole failover parameters? A full 'sh failover' will also help.

HTH

AK

The interfaces configuration is:

interface GigabitEthernet0/0

nameif outside

security-level 0

ip address 192.168.29.203 255.255.255.128 standby 192.168.29.204

!

interface GigabitEthernet0/1

nameif inside

security-level 100

ip address 172.26.100.200 255.255.255.0 standby 172.26.100.201

!

interface GigabitEthernet0/2

nameif dmzisa

security-level 50

ip address 192.168.27.100 255.255.255.0 standby 192.168.27.101

!

interface GigabitEthernet0/3

description LAN/STATE Failover Interface

!

interface Management0/0

shutdown

nameif management

security-level 100

ip address 192.168.29.105 255.255.255.128 standby 192.168.29.106

The failover configuration is:

failover

failover lan unit primary

failover lan interface lan_fail GigabitEthernet0/3

failover key *****

failover replication http

failover link lan_fail GigabitEthernet0/3

failover interface ip lan_fail 192.168.31.1 255.255.255.252 standby 192.168.31.2

The "show fail" in ASA1:

ASA# sh fail

Failover On

Failover unit Primary

Failover LAN Interface: lan_fail GigabitEthernet0/3 (up)

Unit Poll frequency 1 seconds, holdtime 15 seconds

Interface Poll frequency 15 seconds

Interface Policy 1

Monitored Interfaces 3 of 250 maximum

failover replication http

Version: Ours 7.1(2), Mate 7.1(2)

Last Failover at: 09:45:58 CEDT Oct 14 2006

This host: Primary - Active

Active time: 3378569 (sec)

slot 0: ASA5520 hw/sw rev (1.1/7.1(2)) status (Up Sys)

Interface outside (192.168.29.203): Normal

Interface inside (172.26.100.200): Normal

Interface dmzisa (192.168.27.100): Normal

Interface management (192.168.29.105): Link Down (Not-Monitored)

slot 1: ASA-SSM-20 hw/sw rev (1.0/CSC SSM 6.1 (Build#1519)) status (Up/Up)

Logging port IP: 192.168.29.103/25

CSC SSM, 6.1 (Build#1519), Up

Other host: Secondary - Standby Ready

Active time: 277 (sec)

slot 0: ASA5520 hw/sw rev (1.1/7.1(2)) status (Up Sys)

Interface outside (192.168.29.204): Normal

Interface inside (172.26.100.201): Normal

Interface dmzisa (192.168.27.101): Normal

Interface management (192.168.29.106): Normal (Not-Monitored)

slot 1: ASA-SSM-20 hw/sw rev (1.0/CSC SSM 6.1 (Build#1519)) status (Up/Up)

Logging port IP: 192.168.29.104/25

CSC SSM, 6.1 (Build#1519), Up

Stateful Failover Logical Update Statistics

Link : lan_fail GigabitEthernet0/3 (up)

Stateful Obj xmit xerr rcv rerr

General 138029572 0 440620 29

sys cmd 439273 0 439272 0

up time 0 0 0 0

RPC services 0 0 0 0

TCP conn 68795883 0 0 0

UDP conn 67638101 0 1272 0

ARP tbl 1156315 0 76 29

Xlate_Timeout 0 0 0 0

VPN IKE upd 0 0 0 0

VPN IPSEC upd 0 0 0 0

VPN CTCP upd 0 0 0 0

VPN SDI upd 0 0 0 0

VPN DHCP upd 0 0 0 0

Logical Update Queue Information

Cur Max Total

Recv Q: 0 6 440933

Xmit Q: 0 11 141407961

Thank you very much.

Best Regards
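
Added example, not part of the thread or of any Cisco tooling: a small Python check that parses the "This host" / "Other host" sections of `show failover` from each unit and reports interfaces whose state the two units disagree on, which is the mismatch discussed above. The function names are hypothetical and the sample text is trimmed from the outputs posted in the thread.

```python
import re

# "Interface management (192.168.29.106): Normal (Not-Monitored)"
IFACE_RE = re.compile(r"Interface\s+(\S+)\s+\(([\d.]+)\):\s+(.+?)\s*$")
HOST_RE = re.compile(r"(This|Other) host:\s+(Primary|Secondary)\b")

def parse_show_failover(text):
    """Return {unit: {ifname: (ip, state)}} as seen by the unit that printed text."""
    view, current = {}, None
    for line in map(str.strip, text.splitlines()):
        m = HOST_RE.search(line)
        if m:
            current = view.setdefault(m.group(2), {})
            continue
        m = IFACE_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = (m.group(2), m.group(3))
    return view

def compare_views(view_a, view_b):
    """List (unit, interface, state_in_a, state_in_b) where the outputs disagree."""
    diffs = []
    for unit in sorted(set(view_a) & set(view_b)):
        for ifname in sorted(set(view_a[unit]) & set(view_b[unit])):
            sa, sb = view_a[unit][ifname][1], view_b[unit][ifname][1]
            if sa != sb:
                diffs.append((unit, ifname, sa, sb))
    return diffs

# Sample input: lines trimmed from the two "show failover" outputs in the thread.
FROM_PRIMARY = """\
This host: Primary - Active
  Interface outside (192.168.29.203): Normal
  Interface management (192.168.29.105): Link Down (Not-Monitored)
Other host: Secondary - Standby Ready
  Interface outside (192.168.29.204): Normal
  Interface management (192.168.29.106): Normal (Not-Monitored)
"""
FROM_SECONDARY = """\
This host: Secondary - Standby Ready
  Interface outside (192.168.29.204): Normal
  Interface management (192.168.29.106): Link Down (Not-Monitored)
Other host: Primary - Active
  Interface outside (192.168.29.203): Normal
  Interface management (192.168.29.105): Link Down (Not-Monitored)
"""

if __name__ == "__main__":
    for diff in compare_views(parse_show_failover(FROM_PRIMARY),
                              parse_show_failover(FROM_SECONDARY)):
        print("state mismatch:", diff)
```

Run against the full outputs, it flags only the Secondary unit's management interface, which the primary reports as Normal while the secondary itself reports Link Down.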
