New Member

ASA 5505 Active Standby Failover Configuration Issue

Hello:

I am trying to set up active/standby failover on a pair of ASA 5505s that have the Security Plus license on them.  Whenever I enable failover, though, they seem not to want to talk to each other and I am at a loss as to why.

In terms of setup of connections, ASA01 port 0/4 connects to Switch01 port 1/0/21 and ASA02 port 0/4 connects to Switch01 port 1/0/22.  For all ports they are set as switchport access and have the appropriate vlan.

From the switch, I can ping the interface on ASA01 but not ASA02.

Attached are the three configurations and some diagnostic configuration printouts.

Can anyone advise on what I am missing to make this work?

Thanks!
Josh

8 REPLIES
VIP Green

What license do you have

What license do you have installed on your ASAs?  You need to have a security plus license for failover to work.

You can also issue the command show failover history to get more info on what is going on.

Have you checked the logs to see if there is anything that might point to the issue?

 

--

Please remember to rate and select a correct answer

New Member

Yes, as I mentioned, I have

Yes, as I mentioned, I have the security plus license on both ASAs.

I am not seeing much in terms of logs, which is why I am a little stuck.  From the show failover history on ASA01 I get the following; the 10:07 entry is roughly when I enabled it again this morning in my testing attempt:

01:19:15 UTC Mar 10 2014
Active                     Disabled                   Set by the config command

10:07:47 UTC Mar 10 2014
Disabled                   Negotiation                Set by the config command

10:08:33 UTC Mar 10 2014
Negotiation                Just Active                No Active unit found

10:08:33 UTC Mar 10 2014
Just Active                Active Drain               No Active unit found

10:08:33 UTC Mar 10 2014
Active Drain               Active Applying Config     No Active unit found

10:08:33 UTC Mar 10 2014
Active Applying Config     Active Config Applied      No Active unit found

10:08:33 UTC Mar 10 2014
Active Config Applied      Active                     No Active unit found

10:47:17 UTC Mar 10 2014
Active                     Disabled                   Set by the config command

==========================================================================
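The show failover history output above has a regular shape (a timestamp line, then a fixed-width line of from-state, to-state and reason), so it can be parsed and checked mechanically. The following is an added example, not from this thread or from Cisco: a small Python parser that pairs each timestamp with its transition, flags the pattern seen here (the unit leaving Negotiation with "No Active unit found", meaning it never heard a peer over the failover link), and reports how long it waited for that peer. The sample input is a constructed subset of Josh's lines.

```python
import re
from datetime import datetime
from typing import NamedTuple
# Constructed sample: a subset of the "show failover history" lines Josh posted.
SAMPLE_HISTORY = """\
10:07:47 UTC Mar 10 2014
Disabled                   Negotiation                Set by the config command

10:08:33 UTC Mar 10 2014
Negotiation                Just Active                No Active unit found

10:47:17 UTC Mar 10 2014
Active                     Disabled                   Set by the config command
"""

class Transition(NamedTuple):
    when: datetime
    from_state: str
    to_state: str
    reason: str

TS_RE = re.compile(r"^(\d{2}:\d{2}:\d{2}) UTC (\w{3} \d{1,2} \d{4})$")

def parse_failover_history(text: str) -> list:
    """Pair each timestamp line with the state line under it; the state line is
    three fixed-width columns, so split on runs of 2+ spaces (states contain spaces)."""
    out, when = [], None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        m = TS_RE.match(line)
        if m:
            when = datetime.strptime(f"{m.group(2)} {m.group(1)}", "%b %d %Y %H:%M:%S")
            continue
        cols = re.split(r"\s{2,}", line)
        if when is not None and len(cols) == 3:
            out.append(Transition(when, *cols))
            when = None
    return out

def peer_never_seen(transitions: list) -> bool:
    """True when the unit left Negotiation by going active because it found no
    peer: it never heard the other ASA over the failover link."""
    return any(t.from_state == "Negotiation" and t.to_state == "Just Active"
               and t.reason == "No Active unit found" for t in transitions)

def negotiation_seconds(transitions: list) -> int:
    """How long the unit waited in Negotiation for a peer before giving up (-1 if absent)."""
    start = next((t.when for t in transitions if t.to_state == "Negotiation"), None)
    end = next((t.when for t in transitions if t.from_state == "Negotiation"), None)
    return int((end - start).total_seconds()) if start and end else -1
```

On the sample this reports that the unit waited 46 seconds in Negotiation and then went active without ever seeing a peer, which points at the failover link rather than the license.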

Hi,

Hi,

Actually the secondary Unit looks good in regards to failover:

 

Failover unit Secondary
Failover LAN Interface: FAILOVER_LAN Vlan50 (up)

 

But the primary ASA failover link is still down:

 

Failover LAN Interface: FAILOVER_LAN Vlan50 (Failed - No Switchover)

 

Can you check the status on the switch for the ports connecting to the ASAs, and change the cables as well.

 

Note: when you ping from the switch, which firewall does the ARP entry for the primary ASA IP address belong to, ASA Primary or Secondary?

 

Looking for some Networking Assistance? Contact me directly at jcarvaja@laguiadelnetworking.com I will fix your problem ASAP. Cheers, Julio Carvajal Segura http://laguiadelnetworking.com
New Member

That is what I thought too

That is what I thought too Julio, and that is why I got more confused, because the primary (the one showing down) is the only one I *can* ping from the switch....

You can see the interface status in my sw01.txt file attached where I ran a sh int gi1/0/21.  It is showing up/up.  I have also verified by changing the vlan that port accesses and am able to communicate over it, so it isn't a bad cable/port...and I can ping it as noted.

The arp table on the switch for the 10.0.50.1 (primary failover interface ip) shows the mac address of the primary asa vlan 50 interface.  I would think that is as expected then.

So I am at a loss as to why from the switch I can't ping the secondary (unless that makes sense since it hasn't brought up the secondary address since it hasn't joined the primary yet) but it shows link up, yet I can ping the primary but it shows link down.

*Puzzled*.

VIP Green

Remove the failover

Remove the failover configuration.  Then set an IP on the failover interface of both ASAs and see if you can ping between them.

 

--

Please remember to rate and select a correct answer

VIP Green

Have you tried changing the

Have you tried changing the cable between the ASAs?

Have you tested connectivity between the ASAs?  Set an IP address on the interface and ping between them. Please let me know the results.

 

--

Please remember to rate and select a correct answer

New Member

I can ping between the ASAs

I can ping between the ASAs using another interface/vlan.  The failover interface I cannot ping as it seems to not have brought up the addresses yet on the secondary since it hasn't joined the primary.

From the switch I can ping either on an alternate vlan and on the failover vlan I can only ping the primary asa.

New Member

Hi, can you please paste me

Hi,

 

can you please paste me your switch sh vlan output.

 

it looks like your vlan doesn't exist.
