Community Member

ASA 5515 Failover: Interface Unknow (Waiting)

Hi all,

I have two ASA 5515 configured as active / standby.

I configured the failover and I checked for proper operation. But when I configured access rules and NAT, I realized that the failover does not work anymore: two interfaces, inside and outside, are "Unknown (Waiting)". The other LAN interface and management are "Normal (Monitored)".

Here is the show failover command output.

Failover On
Failover unit Primary
Failover LAN Interface: Failover GigabitEthernet0/5 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 114 maximum
failover replication http
Version: Ours 8.6(1), Mate 8.6(1)
Last Failover at: 13:35:07 CEDT Aug 10 2012
        This host: Primary - Active
                Active time: 241180 (sec)
                slot 0: ASA5515 hw/sw rev (1.0/8.6(1)) status (Up Sys
                  Interface Internal (192.168.10.251): Unknown (Waiti
                  Interface WAN-Infostrada (151.14.163.181): Unknown
                  Interface Radio (193.168.1.148): Normal (Waiting)
                  Interface management (192.168.1.1): Normal (Monitor
                slot 1: IPS5515 hw/sw rev (N/A/) status (Unresponsive
        Other host: Secondary - Standby Ready
                Active time: 443 (sec)
                slot 0: ASA5515 hw/sw rev (1.0/8.6(1)) status (Up Sys
                  Interface Internal (0.0.0.0): Unknown (Waiting)
                  Interface WAN-Infostrada (0.0.0.0): Unknown (Waitin
                  Interface Radio (0.0.0.0): Unknown (Waiting)
                  Interface management (0.0.0.0): Normal (Monitored)
                slot 1: IPS5515 hw/sw rev (N/A/) status (Unresponsive
Stateful Failover Logical Update Statistics
        Link : Failover GigabitEthernet0/5 (up)
        Stateful Obj    xmit       xerr       rcv        rerr
        General         9319463    0          46801      1
        sys cmd         32215      0          32215      0
        up time         0          0          0          0
        RPC services    0          0          0          0
        TCP conn        1977416    0          2878       1
        UDP conn        4913767    0          6891       0
        ARP tbl         2396065    0          4817       0
        Xlate_Timeout   0          0          0          0
        IPv6 ND tbl     0          0          0          0
        VPN IKEv1 SA    0          0          0          0
        VPN IKEv1 P2    0          0          0          0
        VPN IKEv2 SA    0          0          0          0
        VPN IKEv2 P2    0          0          0          0
        VPN CTCP upd    0          0          0          0
        VPN SDI upd     0          0          0          0
        VPN DHCP upd    0          0          0          0
        SIP Session     0          0          0          0
        Route Session   0          0          0          0
        User-Identity   0          0          0          0
        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       19      47330
        Xmit Q:         0       30      9602866

Is it possible that some access rule denies the communication between the two ASAs?

What other reason could I try?

Thanks in advance for your answer

1 ACCEPTED SOLUTION

Accepted Solutions

ASA 5515 Failover: Interface Unknow (Waiting)

Hi Bro

I believe there are 3 reasons as to why you're facing this issue

a) your standby IP address configuration is all wrong.

b) both the lan switches connected to the various interfaces you've mentioned above, perhaps not configured properly.

If you could paste your latest config here, and a physical diagram of the FWs and switches, I guess everyone here can help

Warm regards, Ramraj Sivagnanam Sivajanam Technical Specialist/Service Delivery Manager – Managed Service Department
10 REPLIES

VIP Purple

ASA 5515 Failover: Interface Unknow (Waiting)

NAT and ACLs don't have any influence on the failover-functionality. Have you configured the standby-ip-addresses in the interface-config? And paste at least the interface-configs and the output of "show run failover".

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Community Member

Re: ASA 5515 Failover: Interface Unknow (Waiting)

When I performed the tests I didn't configure the secondary IP on any interface and the failover worked.

I configured the failover interface using the same dedicated interface for "LAN Failover" and "State Failover" (connected with a crossover cable).

Here is the diagram of connections.

This is the result of the sh run failover:

failover
failover lan unit primary
failover lan interface Failover GigabitEthernet0/5
failover key *****
failover replication http
failover link Failover GigabitEthernet0/5
failover interface ip Failover 172.16.254.1 255.255.255.0 standby 172.16.254.2

This is the result of the sh run interface:

interface GigabitEthernet0/0
nameif Internal
security-level 100
ip address 192.168.10.251 255.255.255.0
!
interface GigabitEthernet0/1
nameif WAN-Infostrada
security-level 0
ip address
!
interface GigabitEthernet0/2
nameif Radio
security-level 50
ip address 193.168.1.148 255.255.255.0
!
interface GigabitEthernet0/3
shutdown
no nameif
security-level 0
no ip address
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
description LAN/STATE Failover Interface
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only

The management interface and the interface named "Radio" don't have a secondary IP but the status is "Normal".

Should I try to configure a secondary IP on all interfaces? For the internal interface there isn't a problem, but the WAN interface has a public IP configured; how do I set a secondary IP on this interface?

Cisco Employee

Re: ASA 5515 Failover: Interface Unknow (Waiting)

If you don't have a secondary IP from the ISP, you can leave it as it is. Failover will work properly unless you are using a dynamic routing protocol on the ASA. Regarding the Unknown state, it is normal because the other ASA does not have an IP address to source the failover packets from.

Hope that helps

Zubair

Community Member

Re: ASA 5515 Failover: Interface Unknow (Waiting)

Dear,

When you turn on failover on ASA devices, by default it monitors all physical interfaces.

By default, monitoring physical interfaces is enabled and monitoring subinterfaces is disabled.

Monitored failover interfaces can have the following status:

Unknown—Initial status. This status can also mean the status cannot be determined.

Normal—The interface is receiving traffic.

Testing—Hello messages are not heard on the interface for five poll times.

Link Down—The interface or VLAN is administratively down.

No Link—The physical link for the interface is down.

Failed—No traffic is received on the interface, yet traffic is heard on the peer interface

To disable monitoring on a specific interface, you can configure the command below on your ASA device.

Syntax:

no monitor-interface if_name

In our scenario: no monitor-interface WAN-Infostrada

Look into the link below for more detail:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ha_active_standby.html

HTH

Thks

Santhosh Sarav

HTH Regards Santhosh Saravanan
Community Member

Re: ASA 5515 Failover: Interface Unknow (Waiting)

Thanks to all.

I'm trying to free the ip that I need.

Why are the management interface and the interface "Radio" normal even without the secondary IP?

Community Member

Re: ASA 5515 Failover: Interface Unknow (Waiting)

I put the secondary IP on the internal and management interfaces. Now they are Normal (Monitored).

Here is the output of sh failover.

Failover On
Failover unit Primary
Failover LAN Interface: Failover GigabitEthernet0/5 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 114 maximum
failover replication http
Version: Ours 8.6(1), Mate 8.6(1)
Last Failover at: 13:35:07 CEDT Aug 10 2012
    This host: Primary - Active
        Active time: 319708 (sec)
        slot 0: ASA5515 hw/sw rev (1.0/8.6(1)) status (Up Sys)
          Interface Internal (192.168.10.251): Normal (Monitored)
          Interface WAN-Infostrada (151.X.X.X): Normal (Waiting)   //here is the correct ip
          Interface Radio (193.168.1.148): Normal (Waiting)
          Interface management (192.168.1.1): Normal (Monitored)
        slot 1: IPS5515 hw/sw rev (N/A/) status (Unresponsive/Up)
    Other host: Secondary - Standby Ready
        Active time: 443 (sec)
        slot 0: ASA5515 hw/sw rev (1.0/8.6(1)) status (Up Sys)
          Interface Internal (192.168.10.252): Normal (Monitored)
          Interface WAN-Infostrada (0.0.0.0): Normal (Waiting)
          Interface Radio (0.0.0.0): Normal (Waiting)
          Interface management (192.168.1.2): Normal (Monitored)
        slot 1: IPS5515 hw/sw rev (N/A/) status (Unresponsive/Up)

After disabling and re-enabling, the WAN and Radio interfaces are "Normal (Waiting)".

What can I do to the interface where I can not put a secondary ip (WAN and Radio)?

VIP Purple

ASA 5515 Failover: Interface Unknow (Waiting)

What can I do to the interface where I can not put a secondary ip (WAN and Radio)?

Just leave it that way. Failover will still work, but you won't detect link problems between your two ASAs on that particular interface.

-- 
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni
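
An added example, not part of the original thread: a Python check that parses "show failover" output and lists the interfaces that are not being health-monitored between the two units, which is the gap the reply above describes. It assumes an address of 0.0.0.0 means no standby IP is configured; the sample is constructed from the output posted in this thread, and the function names are hypothetical.

```python
import re

# Constructed sample: interface lines taken from the final "show failover"
# output in this thread (public IP left masked as posted).
SAMPLE = """\
    This host: Primary - Active
          Interface Internal (192.168.10.251): Normal (Monitored)
          Interface WAN-Infostrada (151.X.X.X): Normal (Waiting)
          Interface Radio (193.168.1.148): Normal (Waiting)
          Interface management (192.168.1.1): Normal (Monitored)
    Other host: Secondary - Standby Ready
          Interface Internal (192.168.10.252): Normal (Monitored)
          Interface WAN-Infostrada (0.0.0.0): Normal (Waiting)
          Interface Radio (0.0.0.0): Normal (Waiting)
          Interface management (192.168.1.2): Normal (Monitored)
"""

HOST_RE = re.compile(r"^\s*(This|Other) host:")
IFACE_RE = re.compile(r"^\s*Interface (\S+) \(([^)]*)\):\s*(.+?)\s*$")


def parse_failover(text):
    """Return {"This"|"Other": {ifname: (ip, state)}} from 'show failover' text."""
    hosts, current = {}, None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current = hosts.setdefault(m.group(1), {})
            continue
        m = IFACE_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = (m.group(2), m.group(3))
    return hosts


def unmonitored(text):
    """List (ifname, reason) for interfaces not monitored on both units."""
    hosts = parse_failover(text)
    this, other = hosts.get("This", {}), hosts.get("Other", {})
    findings = []
    for name in sorted(set(this) | set(other)):
        pairs = [this.get(name, ("", "absent")), other.get(name, ("", "absent"))]
        if any(ip == "0.0.0.0" for ip, _ in pairs):  # assumption: no standby IP set
            findings.append((name, "no standby IP configured"))
        elif not all("(Monitored)" in state for _, state in pairs):
            findings.append((name, "state: " + " / ".join(s for _, s in pairs)))
    return findings


if __name__ == "__main__":
    print(unmonitored(SAMPLE))
```
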

Community Member

Re: ASA 5515 Failover: Interface Unknow (Waiting)

I did some tests and everything works great!

Unfortunately I can not monitor the status of the WAN interface because I can not set a secondary ip.

Thanks to all.

Community Member

dear friend.


OK, I understand, but it works fine without configuring the standby IP address too, right?

What's the benefit of putting a standby address?
