Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
13267
Views
0
Helpful
4
Replies

ASA Failover interface status: Normal (Waiting)

Go to solution
Steven Williams
Level 4
Level 4

‎10-27-2014 08:28 AM - edited ‎03-11-2019 09:59 PM

I have been struggling with this, I have two ASA's that are running 8.6 that show the monitored interfaces as good.

 

I am running 9.2 on these and the interfaces say waiting. Also can I disable the IPS being monitored? I only ask cause back when the IPS was a module in the ASA, if I had to reboot it, the units would failover. I am not sure if its the same now with the IPS being software based inside the ASA running on a separate HD.

 

ASA5515-01# show failover
Failover On
Failover unit Primary
Failover LAN Interface: FAILOVER GigabitEthernet0/5 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 114 maximum
MAC Address Move Notification Interval not set
Version: Ours 9.2(2)4, Mate 9.2(2)4
Last Failover at: 03:55:44 CDT Oct 21 2014
        This host: Primary - Active
                Active time: 507514 (sec)
                slot 0: ASA5515 hw/sw rev (1.0/9.2(2)4) status (Up Sys)
                  Interface outside (4.35.7.90): Normal (Waiting)
                  Interface inside (172.20.16.30): Normal (Waiting)
                  Interface Mgmt (172.20.17.10): Normal (Waiting)
                slot 1: IPS5515 hw/sw rev (N/A/7.1(4)E4) status (Up/Up)
                  IPS, 7.1(4)E4, Up
        Other host: Secondary - Standby Ready
                Active time: 0 (sec)
                slot 0: ASA5515 hw/sw rev (1.0/9.2(2)4) status (Up Sys)
                  Interface outside (0.0.0.0): Normal (Waiting)
                  Interface inside (0.0.0.0): Normal (Waiting)
                  Interface Mgmt (0.0.0.0): Normal (Waiting)
                slot 1: IPS5515 hw/sw rev (N/A/7.1(4)E4) status (Up/Up)
                  IPS, 7.1(4)E4, Up

Stateful Failover Logical Update Statistics
        Link : Unconfigured.

 

 

 

 

 

ASA5515-01# show run | inc failover
failover
failover lan unit primary
failover lan interface FAILOVER GigabitEthernet0/5
failover interface ip FAILOVER 10.10.1.1 255.255.255.252 standby 10.10.1.2
ASA5515-01# ping 10.10.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
ASA5515-01#

 

 

------------

 

I was also reading not to use a design where a cable is directly attached to each unit, and instead each interface should connect to a downstream switch port so that the link status is always up to one firewall interface if the other firewall interface fails. Otherwise both units sense a link-down condition and assume their own interface is down. Never really thought of that in this sense. Anyone use a direct attached cable and have issues?

1 person had this problem
Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni

‎10-27-2014 12:43 PM

Hi,

 

I rarely have to troubleshoot Failover setups so I am kind of rusty with related to these problems.

 

First thing that comes to mind is that does the configurations under the interfaces have the "standby" IP address configured? Just wondering as the Failover seems to be configured and the link between the units is fine but the Standby Ready unit just shows 0.0.0.0 for each interface.

 

- Jouni

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni

‎10-27-2014 12:43 PM

Hi,

 

I rarely have to troubleshoot Failover setups so I am kind of rusty with related to these problems.

 

First thing that comes to mind is that does the configurations under the interfaces have the "standby" IP address configured? Just wondering as the Failover seems to be configured and the link between the units is fine but the Standby Ready unit just shows 0.0.0.0 for each interface.

 

- Jouni

0 Helpful

Go to solution
Steven Williams
Level 4
Level 4
In response to Jouni Forss

‎10-27-2014 12:52 PM

UGH!!!  This is why I should configure the failover first then the interfaces! These units were configured separate at first then a few days later I put them in failover, so never went back and re-did each interface. WOW major goof up there!

0 Helpful

Go to solution
david-swope
Level 1
Level 1

‎10-27-2014 12:56 PM

Correct, say you had Eth0/1 (Inside) on both ASA's, these should plug into an access port on a switch, same for Eth0/0 (Outside) if you have the extra IP to use as standby. Otherwise monitoring Inside only would suffice

 

Now how is your failover cabled? Most likely missing standby IP's. Are you only doing LAN failover, no State failover? Your config should looks imilar to

 

failover lan interface LAN-FAIL Eth0/5

failover interface ip LAN-FAIL 1.1.1.1 255.255.255.252 standby 1.1.1.2

failover key C1sc0

 

 

If using stateful failover:

 

failover link STATE-FAIL Eth0/4

failover interface ip STATE-FAIL 2.2.2.1 255.255.255.252 standby 2.2.2.2

failover replication http

failover lan unit primary

failover

 

Now on the Secondary:

failover lan interface LAN-FAIL Eth0/5

failover interface ip LAN-FAIL 1.1.1.1 255.255.255.252 standby 1.1.1.2

failover key C1sc0

failover lan unit secondary

failover

0 Helpful

Go to solution
Steven Williams
Level 4
Level 4
In response to david-swope

‎10-27-2014 12:57 PM

cable is unit to unit, no switch. I am doing both lan and state on same link, I know bad practice.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card