Cisco Support Community

ASA cluster failover - DMZ sub-interface failure

Hello.  Any thoughts on this?

The active ASA firewall failed over to the standby due to an 'interface failure' with a sub-interface. 

This monitored sub-interface (DMZ) is part of a physical interface with several other sub-interfaces (DMZs) that are also monitored for failover. None of these appeared to have failed at the same time, however. It's just this one sub-interface that was indicated as failed.

The physical interface for the sub-interface is connected to a switch stack. There were no problems with the physical interface on either the previously active firewall or the switch stack. According to monitoring, no problems were indicated with traffic/CPU/mem usage on either the firewall or the switch stack during this time either. The VLAN on the switch for this firewall sub-interface is currently only active & trunked to the firewall cluster. Hosts on the switch in this VLAN were removed a few weeks ago. Again, no problem with the VLAN that I can see.


ASA cluster failover - DMZ sub-interface failure


I would recommend running

debug fo rxip

debug fo txip

to make sure that the hello packets are being exchanged as the timer says.

As you said, it's odd, but these things happen, so the next time it happens, double-check the trunk link, interface errors, etc.


Looking for some Networking Assistance? Contact me directly at I will fix your problem ASAP. Cheers, Julio Carvajal Segura