Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1265
Views
10
Helpful
2
Replies

ASA 5510 Active/Standby Failover question

wilson_1234_2
Level 3
Level 3

‎08-11-2010 01:54 PM - edited ‎03-11-2019 11:24 AM

We have a pair of ASA5510  running 7.2 (4) 30 in Active/Standby Failover mode.

We have all interfaces with Primary and Secondary IP Addresses.

All Interfaces on both units are up and working.

There is a single switch between workstations and ASAs. ASAs and switches are configured with OSPF.

I have always been able to get to both "inside" interfaces on the Primary and Secondary ASAs, but I am currently not able to get to the Secondary unit.

When looking at the failover status, I see the Secondary unit has all interfaces as up and normal and ready to become the active unit.

The reason I cannot get to the secondary unit, is that there are no OSPF routes in the route table, only static and connected, and there are no (and never have been) static routes pointing to the inside networks.

All of that routing is handled by OSPF.

I have never looked in the Standby unit to see if there was a fully populated OSPF route table the same as the Primary.

Is there supposed be a functional OSPF route table in the Secondary unit, or is that populated when it becomes the Primary?

I would assume there was because I could get to it before from different vlans.

Labels:
0 Helpful
2 Replies 2

Nagaraja Thanthry
Cisco Employee
Cisco Employee

‎08-11-2010 02:21 PM

Hello,

What you are seeing is normal. The secondary will not have a fully populated

OSPF table until it becomes primary (Dynamic routing protocol information is

not sync'd between primary/secondary).

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ha_ov

erview.html#wp1078941

The table in the above link refers to all the components that are sync'd/not

sync'd between the active/standby devices.

Hope this helps.

Regards,

NT

Jon Marshall
Hall of Fame
Hall of Fame

‎08-11-2010 02:31 PM

Richard

As NT says, this is normal and to be honest one of the disadvantages of running a dynamic routing protocol in active/standby because not only can you sometimes not get to the standby as you have found, but more importantly if the firewall does failover you have to wait for the standby to build it's routing table before it can start forwardng traffic.

Obviously if you can connect from the directly connected vlan you will not need to rely on OSPF not running so you need to telnet to the switch that has the L3 routed interface that is common to the ASA inside interface, if there is one which there probably is.

Jon

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card