New Member

ASA Failover interface status: Normal (Waiting)

I have been struggling with this, I have two ASA's that are running 8.6 that show the monitored interfaces as good.

 

I am running 9.2 on these and the interfaces say waiting. Also, can I disable the IPS being monitored? I only ask because back when the IPS was a module in the ASA, if I had to reboot it, the units would fail over. I am not sure if it's the same now with the IPS being software based inside the ASA, running on a separate HD.

 

ASA5515-01# show failover
Failover On
Failover unit Primary
Failover LAN Interface: FAILOVER GigabitEthernet0/5 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 114 maximum
MAC Address Move Notification Interval not set
Version: Ours 9.2(2)4, Mate 9.2(2)4
Last Failover at: 03:55:44 CDT Oct 21 2014
        This host: Primary - Active
                Active time: 507514 (sec)
                slot 0: ASA5515 hw/sw rev (1.0/9.2(2)4) status (Up Sys)
                  Interface outside (4.35.7.90): Normal (Waiting)
                  Interface inside (172.20.16.30): Normal (Waiting)
                  Interface Mgmt (172.20.17.10): Normal (Waiting)

                slot 1: IPS5515 hw/sw rev (N/A/7.1(4)E4) status (Up/Up)
                  IPS, 7.1(4)E4, Up
        Other host: Secondary - Standby Ready
                Active time: 0 (sec)
                slot 0: ASA5515 hw/sw rev (1.0/9.2(2)4) status (Up Sys)
                  Interface outside (0.0.0.0): Normal (Waiting)
                  Interface inside (0.0.0.0): Normal (Waiting)
                  Interface Mgmt (0.0.0.0): Normal (Waiting)

                slot 1: IPS5515 hw/sw rev (N/A/7.1(4)E4) status (Up/Up)
                  IPS, 7.1(4)E4, Up

Stateful Failover Logical Update Statistics
        Link : Unconfigured.

ASA5515-01# show run | inc failover
failover
failover lan unit primary
failover lan interface FAILOVER GigabitEthernet0/5
failover interface ip FAILOVER 10.10.1.1 255.255.255.252 standby 10.10.1.2
ASA5515-01# ping 10.10.1.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.1.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms
ASA5515-01#

 

 

------------

 

I was also reading not to use a design where a cable is directly attached to each unit, and instead each interface should connect to a downstream switch port so that the link status is always up to one firewall interface if the other firewall interface fails. Otherwise both units sense a link-down condition and assume their own interface is down. Never really thought of that in this sense. Anyone use a direct attached cable and have issues?

Accepted Solutions
Super Bronze

Hi,

 

I rarely have to troubleshoot Failover setups so I am kind of rusty with regard to these problems.

 

First thing that comes to mind: do the configurations under the interfaces have the "standby" IP address configured? Just wondering, as the Failover seems to be configured and the link between the units is fine, but the Standby Ready unit just shows 0.0.0.0 for each interface.

 

- Jouni

4 REPLIES
New Member

UGH!!! This is why I should configure the failover first, then the interfaces! These units were configured separately at first, then a few days later I put them in failover, so I never went back and re-did each interface. WOW, major goof up there!

New Member

Correct. Say you had Eth0/1 (Inside) on both ASAs: these should plug into an access port on a switch. Same for Eth0/0 (Outside) if you have the extra IP to use as standby. Otherwise monitoring Inside only would suffice.

 

Now how is your failover cabled? Most likely missing standby IPs. Are you only doing LAN failover, no State failover? Your config should look similar to:

 

failover lan interface LAN-FAIL Eth0/5
failover interface ip LAN-FAIL 1.1.1.1 255.255.255.252 standby 1.1.1.2
failover key C1sc0

If using stateful failover:

failover link STATE-FAIL Eth0/4
failover interface ip STATE-FAIL 2.2.2.1 255.255.255.252 standby 2.2.2.2
failover replication http
failover lan unit primary
failover

Now on the Secondary:

failover lan interface LAN-FAIL Eth0/5
failover interface ip LAN-FAIL 1.1.1.1 255.255.255.252 standby 1.1.1.2
failover key C1sc0
failover lan unit secondary
failover

New Member

Cable is unit to unit, no switch. I am doing both LAN and state on the same link, I know, bad practice.
