04-05-2011 08:41 AM - edited 03-11-2019 01:17 PM
I followed the document from Cisco (http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807dac5f.shtml#lanbas) and it seems I have a partially configured ASA in the active/standby. Both ASAs are identical except the primary has an expired ASA-SSM-10 card in the slot.
Here is the config:
Primary
interface GigabitEthernet0/0
description Connection to SEI Border Router
mac-address aaaa.aaaa.1111
nameif Outside
security-level 0
ip address xxx.xxx.xxx.xxx 255.255.255.224 standby xxx.xxx.xxx.xxx
failover
failover lan unit primary
failover lan interface failover GigabitEthernet0/1
failover link state GigabitEthernet0/3
failover interface ip failover 10.3.0.1 255.255.255.252 standby 10.3.0.2
failover interface ip state 10.4.0.1 255.255.255.252 standby 10.4.0.2
The failover interface is going through a switch in a vlan and the state interface is a crossover cable to secondary ASA.
Secondary
no failover
failover lan unit secondary
failover lan interface failover GigabitEthernet0/1
failover interface ip failover 10.3.0.1 255.255.255.252 standby 10.3.0.2
None of my other interfaces are configured with any IP addresses. The document did not call for them to be set.
When I do a sh failover on the primary unit, this is what I received.
Failover On
Failover unit Primary
Failover LAN Interface: failover GigabitEthernet0/1 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 160 maximum
Version: Ours 8.4(1), Mate 8.4(1)
Last Failover at: 11:06:35 EDT Apr 5 2011
This host: Primary - Active
Active time: 1770 (sec)
slot 0: ASA5520 hw/sw rev (2.0/8.4(1)) status (Up Sys)
Interface Outside (216.54.200.156): Normal (Waiting)
Interface Inside (172.16.4.4): Normal (Waiting)
Interface management (172.16.2.50): Normal (Waiting)
slot 1: ASA-SSM-10 hw/sw rev (1.0/5.0(2)S152.0) status (Up/Up)
IPS, 5.0(2)S152.0, Up
Other host: Secondary - Failed
Active time: 0 (sec)
slot 0: ASA5520 hw/sw rev (2.0/8.4(1)) status (Unknown/Unknown)
Interface Outside (216.54.200.158): Unknown (Waiting)
Interface Inside (0.0.0.0): Unknown (Waiting)
Interface management (0.0.0.0): Unknown (Waiting)
slot 1: empty
Stateful Failover Logical Update Statistics
Link : state GigabitEthernet0/3 (up)
Stateful Obj xmit xerr rcv rerr
General 0 0 0 0
sys cmd 0 0 0 0
up time 0 0 0 0
RPC services 0 0 0 0
TCP conn 0 0 0 0
UDP conn 0 0 0 0
ARP tbl 0 0 0 0
Xlate_Timeout 0 0 0 0
IPv6 ND tbl 0 0 0 0
VPN IKEv1 SA 0 0 0 0
VPN IKEv1 P2 0 0 0 0
VPN IKEv2 SA 0 0 0 0
VPN IKEv2 P2 0 0 0 0
VPN CTCP upd 0 0 0 0
VPN SDI upd 0 0 0 0
VPN DHCP upd 0 0 0 0
SIP Session 0 0 0 0
Route Session 0 0 0 0
Logical Update Queue Information
Cur Max Total
Recv Q: 0 0 0
Xmit Q: 0 0 0
Can anyone shed some light as to what might be the problem?
Thanks
Frank
04-05-2011 10:20 AM
Hi Frank,
Failover will not work unless the hardware and software are identical on both units. This includes any SSMs, so you'll either need to remove the SSM in the Primary unit or add an SSM to the Secondary unit. Until then, the Secondary unit will always show as failed.
Hope that helps.
-Mike
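A check for the mismatch described in the reply above, as an added example that is not part of the original thread: it parses `show failover` output and reports a software version difference or a module present on one unit but not the other. The function names are hypothetical, and the sample is constructed by trimming the output quoted in the first post.

```python
import re

# Constructed sample: trimmed from the `show failover` output quoted in the thread.
SAMPLE = """\
Version: Ours 8.4(1), Mate 8.4(1)
This host: Primary - Active
slot 0: ASA5520 hw/sw rev (2.0/8.4(1)) status (Up Sys)
slot 1: ASA-SSM-10 hw/sw rev (1.0/5.0(2)S152.0) status (Up/Up)
Other host: Secondary - Failed
slot 0: ASA5520 hw/sw rev (2.0/8.4(1)) status (Unknown/Unknown)
slot 1: empty
"""

VER_RE = re.compile(r"^Version: Ours (\S+), Mate (\S+)$")
HOST_RE = re.compile(r"^(This|Other) host:\s*(\S+)\s*-\s*(.+)$")
SLOT_RE = re.compile(r"^slot (\d+):\s*(\S+)")  # second group: module model or "empty"

def parse_show_failover(text):
    """Return ((ours, mate) versions, {"This"/"Other": {role, state, slots}})."""
    versions, units, current = None, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := VER_RE.match(line):
            versions = m.groups()
        elif m := HOST_RE.match(line):
            current = m.group(1)
            units[current] = {"role": m.group(2), "state": m.group(3), "slots": {}}
        elif (m := SLOT_RE.match(line)) and current:
            units[current]["slots"][int(m.group(1))] = m.group(2)
    return versions, units

def parity_issues(text):
    """List software and per-slot module differences between the two units."""
    versions, units = parse_show_failover(text)
    issues = []
    if versions and versions[0] != versions[1]:
        issues.append(f"software mismatch: ours {versions[0]}, mate {versions[1]}")
    ours = units.get("This", {}).get("slots", {})
    mate = units.get("Other", {}).get("slots", {})
    for slot in sorted(set(ours) | set(mate)):
        a, b = ours.get(slot, "empty"), mate.get(slot, "empty")
        if a != b:
            issues.append(f"slot {slot}: this host {a}, other host {b}")
    return issues

if __name__ == "__main__":
    for issue in parity_issues(SAMPLE):
        print(issue)
```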
04-05-2011 10:23 AM
Mike-
Thanks for the response. I will give that a try.
Thanks
Frank