ASA Active/Standby Config Issues

Cisco4Life
Level 1

I followed the document from Cisco (http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807dac5f.shtml#lanbas) and it seems I have a partially configured ASA in the active/standby. Both ASAs are identical except the primary has an expired ASA-SSM-10 card in the slot.

Here is the config:

Primary

interface GigabitEthernet0/0
 description Connection to SEI Border Router
 mac-address aaaa.aaaa.1111
 nameif Outside
 security-level 0
 ip address xxx.xxx.xxx.xxx 255.255.255.224 standby xxx.xxx.xxx.xxx

failover
failover lan unit primary
failover lan interface failover GigabitEthernet0/1
failover link state GigabitEthernet0/3
failover interface ip failover 10.3.0.1 255.255.255.252 standby 10.3.0.2
failover interface ip state 10.4.0.1 255.255.255.252 standby 10.4.0.2

The failover interface is going through a switch in a vlan and the state interface is a crossover cable to secondary ASA.

Secondary

no failover
failover lan unit secondary
failover lan interface failover GigabitEthernet0/1
failover interface ip failover 10.3.0.1 255.255.255.252 standby 10.3.0.2

None of my other interfaces are configured with any IP addresses.  The document did not call for them to be set.

When I do a sh failover on the primary unit, this is what I received.

Failover On
Failover unit Primary
Failover LAN Interface: failover GigabitEthernet0/1 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 160 maximum
Version: Ours 8.4(1), Mate 8.4(1)
Last Failover at: 11:06:35 EDT Apr 5 2011
        This host: Primary - Active
                Active time: 1770 (sec)
                slot 0: ASA5520 hw/sw rev (2.0/8.4(1)) status (Up Sys)
                  Interface Outside (216.54.200.156): Normal (Waiting)
                  Interface Inside (172.16.4.4): Normal (Waiting)
                  Interface management (172.16.2.50): Normal (Waiting)
                slot 1: ASA-SSM-10 hw/sw rev (1.0/5.0(2)S152.0) status (Up/Up)
                  IPS, 5.0(2)S152.0, Up
        Other host: Secondary - Failed
                Active time: 0 (sec)
                slot 0: ASA5520 hw/sw rev (2.0/8.4(1)) status (Unknown/Unknown)
                  Interface Outside (216.54.200.158): Unknown (Waiting)
                  Interface Inside (0.0.0.0): Unknown (Waiting)
                  Interface management (0.0.0.0): Unknown (Waiting)
                slot 1: empty

Stateful Failover Logical Update Statistics
        Link : state GigabitEthernet0/3 (up)
        Stateful Obj    xmit       xerr       rcv        rerr     
        General         0          0          0          0        
        sys cmd         0          0          0          0        
        up time         0          0          0          0        
        RPC services    0          0          0          0        
        TCP conn        0          0          0          0        
        UDP conn        0          0          0          0        
        ARP tbl         0          0          0          0        
        Xlate_Timeout   0          0          0          0        
        IPv6 ND tbl     0          0          0          0        
        VPN IKEv1 SA    0          0          0          0        
        VPN IKEv1 P2    0          0          0          0        
        VPN IKEv2 SA    0          0          0          0        
        VPN IKEv2 P2    0          0          0          0        
        VPN CTCP upd    0          0          0          0        
        VPN SDI upd     0          0          0          0        
        VPN DHCP upd    0          0          0          0        
        SIP Session     0          0          0          0        
        Route Session   0          0          0          0       

        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       0       0
        Xmit Q:         0       0       0

Can anyone shed some light as to what might be the problem?

Thanks

Frank

2 Replies

mirober2
Cisco Employee

Hi Frank,

Failover will not work unless the hardware and software are identical on both units. This includes any SSMs, so you'll either need to remove the SSM in the Primary unit or add an SSM to the Secondary unit. Until then, the Secondary unit will always show as failed.

Hope that helps.

-Mike
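
The mismatch described in this reply is visible in the posted "sh failover" output: slot 1 holds an ASA-SSM-10 on one unit and is empty on the other. The following is an added example, not part of the original thread and not Cisco tooling: a Python check that compares the software version and per-slot module inventory of both units from that output. The sample text is constructed by trimming the output in the question, and the function name is hypothetical.

```python
import re

# Constructed sample: trimmed from the "sh failover" output posted in the question.
SAMPLE = """\
Version: Ours 8.4(1), Mate 8.4(1)
        This host: Primary - Active
                slot 0: ASA5520 hw/sw rev (2.0/8.4(1)) status (Up Sys)
                slot 1: ASA-SSM-10 hw/sw rev (1.0/5.0(2)S152.0) status (Up/Up)
        Other host: Secondary - Failed
                slot 0: ASA5520 hw/sw rev (2.0/8.4(1)) status (Unknown/Unknown)
                slot 1: empty
"""

VER_RE = re.compile(r"^\s*Version: Ours (\S+), Mate (\S+)")
HOST_RE = re.compile(r"^\s*(This|Other) host:")
SLOT_RE = re.compile(r"^\s*slot (\d+):\s*(\S+)")


def failover_mismatches(text):
    """Return a list of differences between the two units (hypothetical helper)."""
    slots = {"This": {}, "Other": {}}
    findings, host = [], None
    for line in text.splitlines():
        if m := VER_RE.match(line):
            # "Ours" and "Mate" software versions are reported on one line.
            if m.group(1) != m.group(2):
                findings.append(f"software: ours {m.group(1)} vs mate {m.group(2)}")
        elif m := HOST_RE.match(line):
            # Slot lines that follow belong to this unit until the next host line.
            host = m.group(1)
        elif host and (m := SLOT_RE.match(line)):
            slots[host][int(m.group(1))] = m.group(2)
    # Compare the module model reported in each slot; a missing slot counts as empty.
    for n in sorted(set(slots["This"]) | set(slots["Other"])):
        ours = slots["This"].get(n, "empty")
        mate = slots["Other"].get(n, "empty")
        if ours != mate:
            findings.append(f"slot {n}: this host {ours} vs other host {mate}")
    return findings


if __name__ == "__main__":
    for finding in failover_mismatches(SAMPLE):
        print(finding)
```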

Mike-

Thanks for the response. I will give that a try.

Thanks

Frank
