activating failover config drops routing table

borisdecout
Level 1

I'm attempting to configure two ASA 5520 for active/standby failover.

When I enter the “failover” command to enable the config on the primary ASA, the entire routing table disappears.

There is no routing process running, only static routes are configured.

Is this an expected behavior of the failover process and if so, how long should I wait for the routes to come back?

Is there a document somewhere explaining this behavior?

I’ve searched all day but couldn’t find anything that came close to explain this.

If this is not normal, what could be causing this to happen?

Thanks

5 Replies

Jennifer Halim
Cisco Employee

Yes, dynamic routing protocols are supported in Active/Standby failover.

Here is the document to confirm that it is supported:

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/route_overview.html#wp1097614

Once you turn on the failover, the configuration will get synchronized between the 2 ASAs. Can you please confirm that the failover is working fine but the routing table disappears? To check the failover status: show failover

What version of ASA are you running?

The ASA are running 8.4.3.

We only use static routes and have no need for Dynamic routing.

The config doesn't get synchronized, as the entire routing table is cleared when failover is turned on, including locally connected interfaces, so the primary can't find the standby unit.

Did you enable failover on both the primary and the secondary ASA?

Can you please send us the output of "show failover" from both ASA before and after enabling the failover.

Originally, both primary and secondary were configured for failover.

At this point I'm only trying to understand why the routing table is cleared, so the secondary is turned off.

Is it an expected result to have your routing cleared when you enable failover?

I've waited only ~30 seconds for the routes to come back. Maybe I'm not waiting long enough, but I haven't seen in any of the documents I've read that loss of traffic should be expected when failover is enabled.


hfn-asa5520-01# sh route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 62.117.51.1 to network 0.0.0.0

S    172.26.0.0 255.255.0.0 [1/0] via 172.26.1.252, inside
S    172.26.30.30 255.255.255.255 [1/0] via 62.117.51.1, outside
C    172.26.1.0 255.255.255.0 is directly connected, inside
S    172.26.30.31 255.255.255.255 [1/0] via 62.117.51.1, outside
C    62.117.51.0 255.255.255.0 is directly connected, outside
C    10.1.1.0 255.255.255.0 is directly connected, dmz
S    10.21.21.0 255.255.255.0 [1/0] via 172.26.1.250, inside
C    10.255.255.0 255.255.255.252 is directly connected, Failover
C    192.168.168.0 255.255.255.0 is directly connected, Flora
S*   0.0.0.0 0.0.0.0 [1/0] via 62.117.51.1, outside

hfn-asa5520-01# sh failover
Failover Off
Failover unit Primary
Failover LAN Interface: Failover Management0/0 (Failed - No Switchover)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 160 maximum


hfn-asa5520-01# sh failover
Failover Off
Failover unit Primary
Failover LAN Interface: Failover Management0/0 (Failed - No Switchover)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 160 maximum
hfn-asa5520-01# conf t
hfn-asa5520-01(config)# failover


hfn-asa5520-01(config)# sh failover

Failover On
Failover unit Primary
Failover LAN Interface: Failover Management0/0 (Failed - No Switchover)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 160 maximum
Version: Ours 8.4(3), Mate Unknown
Last Failover at: 12:23:12 PDT May 21 2012
        This host: Primary - Negotiation
                Active time: 116 (sec)
                slot 0: ASA5520 hw/sw rev (2.0/8.4(3)) status (Up Sys)
                  Interface outside (62.117.51.100): No Link (Waiting)
                  Interface inside (172.26.1.251): No Link (Waiting)
                  Interface dmz (10.1.1.1): No Link (Waiting)
                  Interface Flora (192.168.168.1): No Link (Not-Monitored)
                slot 1: empty
        Other host: Secondary - Not Detected
                Active time: 0 (sec)
                slot 0: empty
                  Interface outside (62.117.51.99): Unknown (Waiting)
                  Interface inside (172.26.1.249): Unknown (Waiting)
                  Interface dmz (10.1.1.2): Unknown (Waiting)
                  Interface Flora (192.168.168.2): Unknown (Not-Monitored)
                slot 1: empty

Stateful Failover Logical Update Statistics
        Link : Failover Management0/0 (Failed)
        Stateful Obj    xmit       xerr       rcv        rerr     
        General         0          0          0          0        
        sys cmd         0          0          0          0        
        up time         0          0          0          0        
        RPC services    0          0          0          0        
        TCP conn        0          0          0          0        
        UDP conn        0          0          0          0        
        ARP tbl         0          0          0          0        
        Xlate_Timeout   0          0          0          0        
        IPv6 ND tbl     0          0          0          0        
        VPN IKEv1 SA    0          0          0          0        
        VPN IKEv1 P2    0          0          0          0        
        VPN IKEv2 SA    0          0          0          0        
        VPN IKEv2 P2    0          0          0          0        
        VPN CTCP upd    0          0          0          0        
        VPN SDI upd     0          0          0          0        
        VPN DHCP upd    0          0          0          0        
        SIP Session     0          0          0          0        
        Route Session   0          0          0          0        
        User-Identity   0          0          0          0        

        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       0       0
        Xmit Q:         0       0       0

hfn-asa5520-01(config)# sh route

Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is not set

C    10.255.255.0 255.255.255.252 is directly connected, Failover
hfn-asa5520-01(config)# no failover


Looks like the failover LAN interface failed according to the output from show failover.

Since you are using the management interface as the failover lan interface, can you please check if you have turned off "management-only" command on that interface?

Also, you copied the output of show failover twice, so I am not sure if you copied it by mistake, or if it is actually from the primary ASA once and the second output was from the secondary ASA, because both are showing that the unit is the Primary unit.
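The conditions the reply points at (failover LAN interface failed, mate never seen, interfaces stuck waiting) can be picked out of a pasted "show failover" dump mechanically. This Python checker is an added example and not from the thread or from Cisco; the sample dump is constructed in the shape of the output pasted above, with the same interface names and addresses.

```python
import re

# Constructed sample: an abridged "show failover" dump in the shape of the
# one pasted in the thread (same interface names and addresses).
SAMPLE = """\
Failover On
Failover unit Primary
Failover LAN Interface: Failover Management0/0 (Failed - No Switchover)
Monitored Interfaces 3 of 160 maximum
Version: Ours 8.4(3), Mate Unknown
        This host: Primary - Negotiation
                  Interface outside (62.117.51.100): No Link (Waiting)
                  Interface inside (172.26.1.251): No Link (Waiting)
                  Interface dmz (10.1.1.1): No Link (Waiting)
                  Interface Flora (192.168.168.1): No Link (Not-Monitored)
        Other host: Secondary - Not Detected
                  Interface outside (62.117.51.99): Unknown (Waiting)
"""

LAN_RE = re.compile(r"^Failover LAN Interface: (\S+) (\S+) \((.*)\)")
VER_RE = re.compile(r"^Version: Ours (\S+), Mate (\S+)")
HOST_RE = re.compile(r"^\s+(This|Other) host: (\S+) - (.+)$")
IFACE_RE = re.compile(r"^\s+Interface (\S+) \(([\d.]+)\): (.+)$")


def check_failover(text):
    """Return (severity, message) findings for one 'show failover' dump."""
    findings = []
    host = None  # which unit the indented interface lines belong to
    for line in text.splitlines():
        if line.startswith("Failover Off"):
            findings.append(("info", "failover is disabled on this unit"))
        elif (m := LAN_RE.match(line)) and "Failed" in m.group(3):
            findings.append(("critical", f"failover LAN link {m.group(1)} on "
                             f"{m.group(2)}: {m.group(3)}"))
        elif (m := VER_RE.match(line)) and m.group(2) == "Unknown":
            findings.append(("critical", "mate version unknown: peer never "
                             "seen over the failover link"))
        elif m := HOST_RE.match(line):
            host = m.group(1)
            if host == "Other" and "Not Detected" in m.group(3):
                findings.append(("critical", "secondary unit not detected"))
        elif ((m := IFACE_RE.match(line)) and host == "This"
              and m.group(3).startswith("No Link")):
            # Only the local unit's interfaces carry a real link state; the
            # peer's stay "Unknown" until it has been detected.
            findings.append(("warning", f"{m.group(1)} ({m.group(2)}): {m.group(3)}"))
    return findings
```

Run it over a dump captured before and after entering "failover" and compare the findings; the checker reports only what the dump states and does not guess at the cause.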
