Re: Active/standby at standby ASA fail

teymur azimov · ‎06-29-2012

Hi Dears.

the ASA1 is active then the second ASA is standby mode but after 1 minute the the second asa is failed.

is this config cause this problem?

1.i want to know that in failover of ASA 5520

can we use management interfase as a failover pair?

interface Management0/0

no nameif

no security-level

no ip address

!

interface Management0/0.901

vlan 901

nameif DMZ2

security-level 51

ip address 10.0.91.1 255.255.255.0 standby 10.0.91.2 interface Management0/0
no nameif
no security-level
no ip address
!

2. can i do this configuration at failover???

nterface Ethernet0/2

nameif inside

security-level 100

ip address 192.168.10.156 255.255.255.0 standby 192.168.10.157

!

interface Ethernet0/2.903

vlan 903

nameif inside2

security-level 75

ip address 10.0.93.1 255.255.255.0 standby 10.0.93.2nterface Ethernet0/2

Christopher Bell · ‎06-29-2012

1. At the very least, you need to have a similar statement in your failover config:

failover link lan_failover Management0/0

I'm pretty sure you also you also need to remove the nameif command and pake sure that the link between the two ASAs is a segragated layer 2 network that nothing else sits on. Also, why are you trunking it?

2. The configuration between the two ASAs is sync'd. However you have it configured on the primary FW will be how it comes up on the secondary. You can't have the configration change (at least not that I know of) because of an event that caused failover.

Does that help?

If this posts answers your question or is helpful, please consider rating it and/or marking as answered.

alejands · ‎06-29-2012

Hello,

1, You can use the management interface for Failover, is it not that recomended.

Also failover can't be configure on shared physical intefaces.

You can do it with subinterfaces but with a dedicated phisical interface

For you to use this you need the command:

no management-only

to set it up as a normal interface and setup the failover link/state on it.

2, The Primary unit will replicate the configuration to the secondary unit, all changes should be made on the primary unit.

Every change you make on the secondary will not replicate to primary and everytime you save configuration on the primary will replicate to secondary.

This been said,

interface Ethernet0/2.903

vlan 903

nameif inside2

security-level 75

ip address 10.0.93.1 255.255.255.0 standby 10.0.93.2 interface Ethernet0/2

this will replicate to secondary and create:

interface Ethernet0/2.903

vlan 903

nameif inside2

security-level 75

and will only take:

ip address 10.0.93.1 255.255.255.0 standby 10.0.93.2 not the part

interface Ethernet0/2.

Let me know if you have any other questions.

Regards.

Christopher Bell · ‎06-29-2012

"Also failover can't be configure on shared physical intefaces."

Isn't that what you are doing when you create a subinterface on a physical interface? Have you tried it w/o the subinterface?

Also, do you have a command similar to:

failover link lan_failover Management0/0

in your config?

If this posts answers your question or is helpful, please consider rating it and/or marking as answered.

alejands · ‎06-29-2012

You need a dedicated physycal interface for failover, it can me done with subinterfaces, but not with a shared physical interface with data across that interface like:

interface Management0/0

no nameif

no security-level

no ip address

!

interface Management0/0.901

vlan 901

nameif DMZ2

security-level 51

ip address 10.0.91.1 255.255.255.0 standby 10.0.91.2 interface Management0/0

no nameif

no security-level

no ip address

If this inteface is use for data and wanted to use the failover link on this one as well it will not take it with the error:

ERROR: Can not configure failover interface on a shared physical interface

If this interface is use for DMZ2 for traffic it can't be shared with the failver link, it needs a dedicaded interface.

This is what: "failover can't be configure on shared physical intefaces" means.

Thanks

teymur azimov · ‎07-01-2012

Hi Dears

i understand that i must do this configure:

1. config: failover link lan_failover Management0/0

2. erase this:

interface Ethernet0/2

nameif inside

security-level 100

ip address 192.168.10.156 255.255.255.0 standby 192.168.10.157

and create it at subinterface:

interface Ethetnet0/2.904

vlan 904

nameif inside

security-level 100

ip address 192.168.10.156 255.255.255.0 standby 192.168.10.157

please write me what i must be modified at my configuration.

teymur azimov · ‎07-01-2012

this is config of failover part.

interface Ethernet0/3

description LAN/STATE Failover Interface

interface Ethernet0/3

description LAN/STATE Failover Interface

failover

failover lan unit primary

failover lan interface failover Ethernet0/3

failover link failover Ethernet0/3

failover interface ip failover 172.30.30.1 255.255.255.0 standby 172.30.30.2

teymur azimov · ‎07-01-2012

if i add this command failover link lan_failover Management0/0 this mean that: management 0/0 carries the stateful info but i do not want that. as you see at my config the management interface carry the dmz zone data. i must be write this:no management-only. am i rigth?

interface Management0/0.901

vlan 901

nameif DMZ2

security-level 51

ip address 10.0.91.1 255.255.255.0 standby 10.0.91.2 interface Management0/0

alejands · ‎07-02-2012

If the management carries the DMZ2 data, this interface can't be configure for failover.

Failover needs a dedicated phisical interface.

You can't configure it in a shared phisical interface with already data on it.

teymur azimov · ‎07-02-2012

DEAR i want to know. is this config correct?

interface Ethernet0/2

nameif inside

security-level 100

ip address 192.168.10.156 255.255.255.0 standby 192.168.10.157

!

interface Ethernet0/2.903

vlan 903

nameif inside2

security-level 75

ip address 10.0.93.1 255.255.255.0 standby 10.0.93.2

alejands · ‎07-03-2012

Yes you can do that configuration.

The ASA will take it

alejands · ‎07-10-2012

Hello

Was this helpfull for you?

Regards