sokakkar (Cisco Employee)

Introduction

The purpose of this article is to explain the impact of interface monitoring on an ASA failover pair.

The relevant documentation is already available on Cisco.com (ASA 8.2 configuration guide, Active/Standby failover):

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ha_active_standby.html#wp1079547


Failover Triggers

The unit can fail if one of the following events occurs:

- The unit has a hardware failure or a power failure.
- The unit has a software failure.
- Too many monitored interfaces fail.
- The no failover active command is entered on the active unit or the failover active command is entered on the standby unit.


Failover Behavior

| Failure Event | Policy | Active Action | Standby Action | Notes |
|---|---|---|---|---|
| Active unit failed (power or hardware) | Failover | n/a | Become active; mark active as failed | No hello messages are received on any monitored interface or the failover link. |
| Formerly active unit recovers | No failover | Become standby | No action | None. |
| Standby unit failed (power or hardware) | No failover | Mark standby as failed | n/a | When the standby unit is marked as failed, then the active unit does not attempt to fail over, even if the interface failure threshold is surpassed. |
| Failover link failed during operation | No failover | Mark failover interface as failed | Mark failover interface as failed | You should restore the failover link as soon as possible because the unit cannot fail over to the standby unit while the failover link is down. |
| Failover link failed at startup | No failover | Mark failover interface as failed | Become active | If the failover link is down at startup, both units become active. |
| Stateful Failover link failed | No failover | No action | No action | State information becomes out of date, and sessions are terminated if a failover occurs. |
| Interface failure on active unit above threshold | Failover | Mark active as failed | Become active | None. |
| Interface failure on standby unit above threshold | No failover | No action | Mark standby as failed | When the standby unit is marked as failed, then the active unit does not attempt to fail over even if the interface failure threshold is surpassed. |


The following explains the use of the 'monitor-interface' command and its impact on physical interfaces and sub-interfaces.

If the physical interface is not monitored (using no monitor-interface), the ASA won't fail over even if that interface goes down, although it is configured with a nameif and an IP address.


Here are the recreate results:

Details of Recreate

- E0/2 of the ASA is named test with IP 2.2.2.1/30.
- E0/2.100 in vlan 100 is named sub100 with IP 100.100.100.1/30.
- E0/2.200 in vlan 200 is named sub200 with IP 200.200.200.1/30.

- E0/2 of the primary connects to f0/43 on the switch.
- E0/2 of the secondary connects to f0/44 on the switch.


ASA(config)# sh run int
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 10.10.10.13 255.255.255.0 standby 10.10.10.15
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 20.20.20.13 255.255.255.0 standby 20.20.20.15
!
interface Ethernet0/2
 nameif test
 security-level 50
 ip address 2.2.2.1 255.255.255.252 standby 2.2.2.2
!
interface Ethernet0/2.100
 vlan 100
 nameif sub100
 security-level 0
 ip address 100.100.100.1 255.255.255.252 standby 100.100.100.2
!
interface Ethernet0/2.200
 vlan 200
 nameif sub200
 security-level 0
 ip address 200.200.200.1 255.255.255.252 standby 200.200.200.2
!
interface Ethernet0/3
 description LAN/STATE Failover Interface
!


Default: interface e0/2 (physical) is monitored but sub100 and sub200 are not:

ASA(config)# sh run all monitor-interface
monitor-interface outside
monitor-interface inside
monitor-interface test
no monitor-interface sub100
no monitor-interface sub200


Failover is healthy:

ASA(config)# sh fail
Failover On
Failover unit Primary
Failover LAN Interface: Failover Ethernet0/3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 110 maximum
Version: Ours 8.2(5), Mate 8.2(5)
Last Failover at: 08:11:54 EDT Mar 29 2013
                This host: Primary - Active
                                Active time: 3781 (sec)
                                slot 0: ASA5510 hw/sw rev (1.1/8.2(5)) status (Up Sys)
                                  Interface outside (10.10.10.13): Normal (Monitored)
                                  Interface inside (20.20.20.13): Normal (Monitored)
                                  Interface test (2.2.2.1): Normal (Monitored)
                                  Interface sub100 (100.100.100.1): Normal (Not-Monitored)
                                  Interface sub200 (200.200.200.1): Normal (Not-Monitored)
                                slot 1: ASA-SSM-10 hw/sw rev (1.0/7.0(8)E4) status (Up/Up)
                                  IPS, 7.0(8)E4, Up
                Other host: Secondary - Standby Ready
                                Active time: 0 (sec)
                                slot 0: ASA5510 hw/sw rev (1.1/8.2(5)) status (Up Sys)
                                  Interface outside (10.10.10.15): Normal (Monitored)
                                  Interface inside (20.20.20.15): Normal (Monitored)
                                  Interface test (2.2.2.2): Normal (Monitored)
                                  Interface sub100 (100.100.100.2): Normal (Not-Monitored)
                                  Interface sub200 (200.200.200.2): Normal (Not-Monitored)
                                slot 1: ASA-SSM-10 hw/sw rev (1.0/7.1(6)E4) status (Up/Up)
                                  IPS, 7.1(6)E4, Up

Stateful Failover Logical Update Statistics
                Link : Failover Ethernet0/3 (up)

---Output Omitted---


I shut down f0/43 on the switch:

interface f0/43
 shut


I got kicked out of my session as the ASA failed over (expected). Logging in again:

ASA(config)# login as: cisco
cisco@20.20.20.13's password:
Type help or '?' for a list of available commands.

ASA> en
Password: *****

ASA# sh fail
Failover On
Failover unit Secondary
Failover LAN Interface: Failover Ethernet0/3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 110 maximum
Version: Ours 8.2(5), Mate 8.2(5)
Last Failover at: 22:56:29 EDT Mar 26 2013
                This host: Secondary - Active
                                Active time: 37 (sec)
                                slot 0: ASA5510 hw/sw rev (1.1/8.2(5)) status (Up Sys)
                                  Interface outside (10.10.10.13): Normal (Monitored)
                                  Interface inside (20.20.20.13): Normal (Monitored)
                                  Interface test (2.2.2.1): Normal (Waiting)
                                  Interface sub100 (100.100.100.1): Normal (Not-Monitored)
                                  Interface sub200 (200.200.200.1): Normal (Not-Monitored)
                                slot 1: ASA-SSM-10 hw/sw rev (1.0/7.1(6)E4) status (Up/Up)
                                  IPS, 7.1(6)E4, Up
                Other host: Primary - Failed
                                Active time: 3807 (sec)
                                slot 0: ASA5510 hw/sw rev (1.1/8.2(5)) status (Up Sys)
                                  Interface outside (10.10.10.15): Normal (Waiting)
                                  Interface inside (20.20.20.15): Normal (Waiting)
                                  Interface test (2.2.2.2): No Link (Waiting)
                                  Interface sub100 (100.100.100.2): Normal (Not-Monitored)
                                  Interface sub200 (200.200.200.2): Normal (Not-Monitored)
                                slot 1: ASA-SSM-10 hw/sw rev (1.0/7.0(8)E4) status (Up/Up)
                                  IPS, 7.0(8)E4, Up

Stateful Failover Logical Update Statistics
                Link : Failover Ethernet0/3 (up)

---Output Omitted---


ASA(config)# sh run all monitor-interface
monitor-interface outside
monitor-interface inside
monitor-interface test
no monitor-interface sub100
no monitor-interface sub200


Now, I disable monitoring on the physical interface as follows:

ASA(config)# no monitor-interface test

ASA(config)# sh run all monitor-interface
monitor-interface outside
monitor-interface inside
no monitor-interface test
no monitor-interface sub100
no monitor-interface sub200


On the switch, I bring f0/43 back up (no shut) and shut down f0/44, to bring e0/2 of the secondary (now active) down:

interface f0/43
 no shut
interface f0/44
 shut


The link goes down on the secondary (active) unit, but failover is *not* triggered: expected.

ASA(config)# sh fail
Failover On
Failover unit Secondary
Failover LAN Interface: Failover Ethernet0/3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 2 of 110 maximum
Version: Ours 8.2(5), Mate 8.2(5)
Last Failover at: 22:56:29 EDT Mar 26 2013
                This host: Secondary - Active
                                Active time: 115 (sec)
                                slot 0: ASA5510 hw/sw rev (1.1/8.2(5)) status (Up Sys)
                                  Interface outside (10.10.10.13): Normal (Monitored)
                                  Interface inside (20.20.20.13): Normal (Monitored)
                                  Interface test (2.2.2.1): No Link (Not-Monitored)
                                  Interface sub100 (100.100.100.1): No Link (Not-Monitored)
                                  Interface sub200 (200.200.200.1): No Link (Not-Monitored)
                                slot 1: ASA-SSM-10 hw/sw rev (1.0/7.1(6)E4) status (Up/Up)
                                  IPS, 7.1(6)E4, Up
                Other host: Primary - Standby Ready
                                Active time: 3807 (sec)
                                slot 0: ASA5510 hw/sw rev (1.1/8.2(5)) status (Up Sys)
                                  Interface outside (10.10.10.15): Normal (Monitored)
                                  Interface inside (20.20.20.15): Normal (Monitored)
                                  Interface test (2.2.2.2): Normal (Not-Monitored)
                                  Interface sub100 (100.100.100.2): Normal (Not-Monitored)
                                  Interface sub200 (200.200.200.2): Normal (Not-Monitored)
                                slot 1: ASA-SSM-10 hw/sw rev (1.0/7.0(8)E4) status (Up/Up)
                                  IPS, 7.0(8)E4, Up

Stateful Failover Logical Update Statistics
                Link : Failover Ethernet0/3 (up)

---Output Omitted---


ASA(config)# sh run all monitor-interface
monitor-interface outside
monitor-interface inside
no monitor-interface test
no monitor-interface sub100
no monitor-interface sub200


I enabled monitoring on sub100, keeping monitoring disabled on test (the physical interface):

ASA(config)# monitor-interface sub100

ASA# sh run all monitor-interface
monitor-interface outside
monitor-interface inside
no monitor-interface test
monitor-interface sub100
no monitor-interface sub200


Now, I shut down f0/44 again to bring the e0/2 link of the secondary (active) unit down and, as expected, failover is triggered:

ASA(config)# login as: cisco
cisco@20.20.20.13's password:
Type help or '?' for a list of available commands.

ASA> en
Password: *****

ASA# sh fail
Failover On
Failover unit Primary
Failover LAN Interface: Failover Ethernet0/3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 110 maximum
Version: Ours 8.2(5), Mate 8.2(5)
Last Failover at: 09:17:38 EDT Mar 29 2013
                This host: Primary - Active
                                Active time: 3857 (sec)
                                slot 0: ASA5510 hw/sw rev (1.1/8.2(5)) status (Up Sys)
                                  Interface outside (10.10.10.13): Normal (Monitored)
                                  Interface inside (20.20.20.13): Normal (Monitored)
                                  Interface test (2.2.2.1): No Link (Not-Monitored)
                                  Interface sub100 (100.100.100.1): No Link (Waiting)
                                  Interface sub200 (200.200.200.1): No Link (Not-Monitored)
                                slot 1: ASA-SSM-10 hw/sw rev (1.0/7.0(8)E4) status (Up/Up)
                                  IPS, 7.0(8)E4, Up
                Other host: Secondary - Standby Ready
                                Active time: 137 (sec)
                                slot 0: ASA5510 hw/sw rev (1.1/8.2(5)) status (Up Sys)
                                  Interface outside (10.10.10.15): Normal (Monitored)
                                  Interface inside (20.20.20.15): Normal (Monitored)
                                  Interface test (2.2.2.2): Normal (Not-Monitored)
                                  Interface sub100 (100.100.100.2): Unknown (Waiting)
                                  Interface sub200 (200.200.200.2): Normal (Not-Monitored)
                                slot 1: ASA-SSM-10 hw/sw rev (1.0/7.1(6)E4) status (Up/Up)
                                  IPS, 7.1(6)E4, Up

Stateful Failover Logical Update Statistics
                Link : Failover Ethernet0/3 (up)

---Output Omitted---
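The decision the ASA applies in the three 'sh fail' captures above can be modelled in a few lines, which is handy when you want to check a pair's health from collected output rather than by shutting links. The following Python is an added example, not Cisco code and not part of this article: it parses the per-interface lines and the 'Interface Policy' line out of one host's section of 'show failover', counts only monitored interfaces (Monitored or Waiting) whose link status is No Link or Failed, and compares that count with the policy. The three snippets are constructed to mirror the captures above; treating Unknown and Testing as not failed, and the handling of a percentage policy, are assumptions of this example.

```python
"""Model of the interface-monitoring failover decision seen in the 'sh fail'
captures above. Added example, not Cisco code."""
from __future__ import annotations
import re
from dataclasses import dataclass

# One per-interface line of 'show failover', e.g.
#   Interface test (2.2.2.1): No Link (Not-Monitored)
IFACE_RE = re.compile(
    r"Interface\s+(?P<name>\S+)\s+\((?P<ip>[\d.]+)\):\s+"
    r"(?P<status>Normal|No Link|Failed|Unknown|Testing)\s+"
    r"\((?P<mon>Monitored|Not-Monitored|Waiting)\)"
)
# 'Interface Policy 1' (count) or 'Interface Policy 50%' (percentage)
POLICY_RE = re.compile(r"Interface Policy\s+(?P<n>\d+)(?P<pct>%?)")

# Link states counted as a failed interface. Assumption: Unknown and Testing
# are transient and are not counted; only a confirmed failure is.
FAILED_STATES = {"No Link", "Failed"}


@dataclass
class IfaceState:
    name: str
    ip: str
    status: str
    monitored: bool  # True for Monitored or Waiting, False for Not-Monitored


def parse_interfaces(text: str) -> list[IfaceState]:
    """Extract the per-interface lines from one host's 'show failover' section."""
    return [
        IfaceState(m["name"], m["ip"], m["status"], m["mon"] != "Not-Monitored")
        for m in IFACE_RE.finditer(text)
    ]


def parse_policy(text: str) -> tuple[int, bool]:
    """Return (value, is_percent) from the 'Interface Policy' line; default 1."""
    m = POLICY_RE.search(text)
    return (int(m["n"]), m["pct"] == "%") if m else (1, False)


def evaluate(text: str) -> dict:
    """Apply the interface policy to one host's 'show failover' section.

    Only monitored interfaces are counted. That is why the
    'no monitor-interface test' case above never fails the unit: test, sub100
    and sub200 all report No Link, but none of them is counted.
    """
    ifaces = parse_interfaces(text)
    value, is_percent = parse_policy(text)
    monitored = [i for i in ifaces if i.monitored]
    failed = [i.name for i in monitored if i.status in FAILED_STATES]
    if is_percent:
        met = bool(monitored) and 100 * len(failed) / len(monitored) >= value
    else:
        met = len(failed) >= value
    return {
        "monitored": len(monitored),
        "failed": failed,
        "unit_failed": met,
        # down interfaces the policy ignores because they are not monitored
        "ignored_down": [i.name for i in ifaces
                         if not i.monitored and i.status in FAILED_STATES],
    }


# Constructed snippets (one host each) mirroring the three captures above.
PHYSICAL_MONITORED = """\
Interface Policy 1
  Interface outside (10.10.10.15): Normal (Waiting)
  Interface inside (20.20.20.15): Normal (Waiting)
  Interface test (2.2.2.2): No Link (Waiting)
  Interface sub100 (100.100.100.2): Normal (Not-Monitored)
  Interface sub200 (200.200.200.2): Normal (Not-Monitored)
"""
PHYSICAL_UNMONITORED = """\
Interface Policy 1
  Interface outside (10.10.10.13): Normal (Monitored)
  Interface inside (20.20.20.13): Normal (Monitored)
  Interface test (2.2.2.1): No Link (Not-Monitored)
  Interface sub100 (100.100.100.1): No Link (Not-Monitored)
  Interface sub200 (200.200.200.1): No Link (Not-Monitored)
"""
SUBIF_MONITORED = """\
Interface Policy 1
  Interface outside (10.10.10.13): Normal (Monitored)
  Interface inside (20.20.20.13): Normal (Monitored)
  Interface test (2.2.2.1): No Link (Not-Monitored)
  Interface sub100 (100.100.100.1): No Link (Waiting)
  Interface sub200 (200.200.200.1): No Link (Not-Monitored)
"""

if __name__ == "__main__":
    for label, snippet in [("physical monitored", PHYSICAL_MONITORED),
                           ("physical not monitored", PHYSICAL_UNMONITORED),
                           ("sub100 monitored", SUBIF_MONITORED)]:
        print(label, evaluate(snippet))
```

The "ignored_down" list is the useful part for an operator: it names interfaces that are down but invisible to the failover policy, which is exactly the condition the second capture shows.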

 

Thus, if an interface is not monitored (using the 'no monitor-interface' command), the ASA won't fail over even if the physical interface goes down.

For failover to occur:

- The physical interface should be monitored.
- If not, one of the logical (sub-)interfaces configured on this physical interface should be monitored.
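The two bullets above can be turned into a configuration audit, so a pair is checked before a link failure reveals the gap. The following Python is an added example, not Cisco code and not from this article: it reads the output of 'show run interface' and 'show run all monitor-interface' (here constructed copies of the configuration shown earlier on this page), groups each sub-interface under its physical parent by the dotted interface name, and reports every named physical interface for which neither the interface itself nor any sub-interface on it is monitored. The function names are the example's own, and it assumes, as in the configuration above, that the failover link carries no nameif and therefore never appears in the result.

```python
"""Audit interface monitoring on an ASA failover pair against the rule above:
each named physical interface, or at least one sub-interface on it, should be
monitored. Added example, not Cisco code."""
from __future__ import annotations
import re

# Constructed copy of the 'show run interface' output shown in this article.
SHOW_RUN_INTERFACE = """\
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 10.10.10.13 255.255.255.0 standby 10.10.10.15
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 20.20.20.13 255.255.255.0 standby 20.20.20.15
!
interface Ethernet0/2
 nameif test
 security-level 50
 ip address 2.2.2.1 255.255.255.252 standby 2.2.2.2
!
interface Ethernet0/2.100
 vlan 100
 nameif sub100
 security-level 0
 ip address 100.100.100.1 255.255.255.252 standby 100.100.100.2
!
interface Ethernet0/2.200
 vlan 200
 nameif sub200
 security-level 0
 ip address 200.200.200.1 255.255.255.252 standby 200.200.200.2
!
interface Ethernet0/3
 description LAN/STATE Failover Interface
!
"""

# Constructed copies of 'show run all monitor-interface' at two points above:
# physical interface unmonitored with no monitored sub-interface, then with
# sub100 monitored.
MON_PHYSICAL_OFF = """\
monitor-interface outside
monitor-interface inside
no monitor-interface test
no monitor-interface sub100
no monitor-interface sub200
"""
MON_SUB100_ON = MON_PHYSICAL_OFF.replace(
    "no monitor-interface sub100", "monitor-interface sub100")


def parse_nameifs(run_text: str) -> dict[str, str]:
    """Map interface id -> nameif for every interface that has a nameif.
    The failover link (Ethernet0/3 here) has none and is left out."""
    names, current = {}, None
    for line in run_text.splitlines():
        m = re.match(r"^interface\s+(\S+)", line)
        if m:
            current = m.group(1)
            continue
        m = re.match(r"^\s*nameif\s+(\S+)", line)
        if m and current:
            names[current] = m.group(1)
    return names


def parse_monitoring(mon_text: str) -> dict[str, bool]:
    """Map nameif -> monitored? from 'show run all monitor-interface'."""
    mon = {}
    for line in mon_text.splitlines():
        m = re.match(r"^(no\s+)?monitor-interface\s+(\S+)", line.strip())
        if m:
            mon[m.group(2)] = m.group(1) is None
    return mon


def audit(run_text: str, mon_text: str) -> list[tuple[str, list[str]]]:
    """Return (physical interface, [nameifs on it]) for every named physical
    interface where neither it nor any sub-interface is monitored. A link
    failure on such an interface can never trigger failover, as the recreate
    above showed. A nameif absent from the monitor output counts as unmonitored."""
    names, mon = parse_nameifs(run_text), parse_monitoring(mon_text)
    findings = []
    for phys in [i for i in names if "." not in i]:
        on_phys = [phys] + [i for i in names if i.startswith(phys + ".")]
        nameifs = [names[i] for i in on_phys]
        if not any(mon.get(n, False) for n in nameifs):
            findings.append((phys, nameifs))
    return findings


if __name__ == "__main__":
    for phys, nameifs in audit(SHOW_RUN_INTERFACE, MON_PHYSICAL_OFF):
        print(f"{phys}: none of {nameifs} monitored; link loss will not trigger failover")
    print("with sub100 monitored:", audit(SHOW_RUN_INTERFACE, MON_SUB100_ON))
```

Run against the first monitor configuration it flags Ethernet0/2 with test, sub100 and sub200; with sub100 monitored it reports nothing, matching the last capture where the loss of e0/2 did trigger failover.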

 

Reference

Cisco.com documentation, Failover Triggers: http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ha_active_standby.html#wp1079547

-

Sourav Kakkar

Comments

DM27 (Level 1):

Hey guys,
I have a query. Suppose the failover cable is broken and there is no communication between Active and Standby. In this case Active will remain Active and Standby will also become active (as no active unit is found in the failover group), so both units are now active. Do you have any idea how to resolve this situation? (Restoring the failover interface is one option; I am looking for any other option.)
An early response is highly appreciated.
Thanks

alexk1041 (Level 1):

I actually have the same question, even with a switch in between. What's best practice when it comes to monitoring the failover interface? Because if the whole switch in between dies, then both members will go to standby (split brain scenario). I assume that if both firewalls are directly connected and you don't monitor (to avoid split brain even for an interface going down), you need to have at least some kind of syslog/SNMP alert for finding out about the interface going down?
