Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
3489
Views
20
Helpful
19
Replies

ASA failover

Go to solution
ivanka_busta
Level 1
Level 1

‎06-20-2014 04:03 AM - edited ‎03-11-2019 09:21 PM

Hi,

We have two ASA 5520 with failover enabled. Due to the replacement of a wire in the ASA which is active, the standby ASA took over. However, we found out that the VPN connection wasn't available when this ASA was the active one. Which could be the reason?

 

Thanks in advanced.

Labels:
0 Helpful
19 Replies 19

Go to solution
Marius Gunnerud
VIP
VIP
In response to ivanka_busta

‎07-08-2014 05:19 AM

The stateful failover has nothing to do with the configuration replication.  Config is taken care of by the regular failover link.  Statefull failover replicates the established sessions when a failover takes place.  So, if the configurations are not the same on both ASAs then there is either something wrong with the "failover" configuration (not to be confused with stateful failover) or there is a problem with communication between the ASAs on the failover link.  You could try to issue the command write standby on the active ASA and then check to see if the configurations match on the standby unit.

It would be easier to see if stateful failover is configured in the CLI.  If you could issue the command show run all failover and paste the output here, we could check this for you. I have come across situations where the configuration in the ASDM did not match what was in the CLI...So in my opinion it is always best to double check the CLI for the configuration.

What is meant by the files that need to be on both ASA is that the anyconnect license, anyconnect software...etc.  These do not get automatically copied over, so you would need to manually install all AnyConnect related files on the standby ASA.

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts

Go to solution
ivanka_busta
Level 1
Level 1
In response to Marius Gunnerud

‎07-08-2014 05:35 AM

That's the output of show run all failover:

failover
failover lan unit secondary
failover lan interface failoverinterface Management0/0
failover link failoverinterface Management0/0
failover interface ip failoverinterface 10.0.1.1 255.255.255.0 standby 10.0.1.2

failover
failover lan unit primary
failover lan interface failoverinterface Management0/0
failover link failoverinterface Management0/0
failover interface ip failoverinterface 10.0.1.1 255.255.255.0 standby 10.0.1.2

 

Regarding the write standby command, is it safe to run this command in a production environment? 

Thanks.

0 Helpful

Go to solution
Marius Gunnerud
VIP
VIP
In response to ivanka_busta

‎07-08-2014 05:51 AM

You are missing the following command for stateful failover.

failover link statelink Management0/0

write standby is safe to run while in production.  If, however, depending on the size of the configuration, you might experience a slight performance decrease on the link that you use for failover.

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts

Go to solution
ivanka_busta
Level 1
Level 1
In response to Marius Gunnerud

‎07-08-2014 11:46 PM

So, would adding that command solve the problem with the replication of configuration between ASAs? Should I add it in both ASAs or only in the active one?

In the sh tech we found out that the primary ASA is in standby whereas the secondary is the active one.

Thanks.

 

 

               

                

0 Helpful

Go to solution
Marius Gunnerud
VIP
VIP
In response to ivanka_busta

‎07-09-2014 12:28 AM

So, would adding that command solve the problem with the replication of configuration between ASAs?

I explained this a couple posts ago.  The stateful failover has nothing to do with config replication. Stateful failover only replicates the existing connections that are currently passing through the firewall.

the failover (not to be confused with stateful failover) is what synchronizes the ASA configuration.

Should I add it in both ASAs or only in the active one?

Yes, this command is needs to only be issued on the active ASA, It will be replicated to the standby ASA over the failover link.

In the sh tech we found out that the primary ASA is in standby whereas the secondary is the active one.

If there has been a failover situation then this is normal.  The new active ASA will remain as the active ASA until another failover situation occurs or a manual failover is issued.

If you log into the currently active ASA and issue the following command:

no failover active

This will set the current ASA as the standby ASA.

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card