Community Member

ASA Failover

I have configured an active/standby pair but am having one last issue on the configuration. The active unit appears fine and shows the correct status when performing a 'show failover'.

As for the standby, I am unable to log in to the system since the external interface has become active. It's very strange. If I remove the Ethernet cable from the active external port and reboot the ASA manually from the back of the device, I am able to log in once again and all is well. As soon as I plug in the Ethernet cable for the external interface and reboot the device, I am unable to log in. These attempts are via telnet, ssh and asdm. As you can see from the 'show failover', the connections appear to be fine and I am able to ping each standby IP.

Regards,

Jamie.

show failover

Failover On

Failover unit Primary

Failover LAN Interface: locfw01 Ethernet0/2 (up)

Unit Poll frequency 1 seconds, holdtime 15 seconds

Interface Poll frequency 5 seconds, holdtime 25 seconds

Interface Policy 1

Monitored Interfaces 5 of 250 maximum

Version: Ours 7.2(3), Mate 7.2(3)

Last Failover at: 09:30:27 GMT/BDT Aug 20 2008

This host: Primary - Active

Active time: 2245846 (sec)

slot 0: ASA5510 hw/sw rev (2.0/7.2(3)) status (Up Sys)

Interface External (xxx.xx.xxx.xx): Normal

Interface WirelessAccess (192.168.253.1): Normal

Interface Port3Physical (0.0.0.0): Normal (Waiting)

Interface InternalWorkstationsVlan101 (172.16.101.1): Normal

Interface InternalServersVlan102 (172.16.102.1): Normal

Interface Management (172.16.105.1): No Link (Not-Monitored)

slot 1: empty

Other host: Secondary - Standby Ready

Active time: 0 (sec)

slot 0: ASA5510 hw/sw rev (2.0/7.2(3)) status (Up Sys)

Interface External (xxx.xx.xxx.xx): Normal

Interface WirelessAccess (192.168.253.4): Normal

Interface Port3Physical (0.0.0.0): Normal (Waiting)

Interface InternalWorkstationsVlan101 (172.16.101.2): Normal

Interface InternalServersVlan102 (172.16.102.2): Normal

Interface Management (172.16.105.2): Normal (Not-Monitored)

slot 1: empty

Stateful Failover Logical Update Statistics

Link : locfw01 Ethernet0/2 (up)

Stateful Obj xmit xerr rcv rerr

General 16777784 0 299334 0

sys cmd 299336 0 299334 0

up time 0 0 0 0

RPC services 0 0 0 0

TCP conn 6824592 0 0 0

UDP conn 7598547 0 0 0

ARP tbl 2049843 0 0 0

Xlate_Timeout 0 0 0 0

VPN IKE upd 675 0 0 0

VPN IPSEC upd 4791 0 0 0

VPN CTCP upd 0 0 0 0

VPN SDI upd 0 0 0 0

VPN DHCP upd 0 0 0 0

Logical Update Queue Information

Cur Max Total

Recv Q: 0 7 299334

Xmit Q: 0 19 30818751

4 REPLIES
Cisco Employee

Re: ASA Failover

Please provide:

"sh run failover" from both units.

"sh failover" from both units.

"sh run ssh" from both units.

"sh run http" from both units.

"sh run telnet" from both units.

To what interface are you trying to connect via http/telnet/ssh on the standby?

Regards,

Sushil

Community Member

Re: ASA Failover

I can only run these commands on the active ASA as I am unable to log in to the standby. I am attempting to connect via the IP 172.16.101.2, which works fine when the standby device has been rebooted with its external interface cable unplugged. For some reason, when the external interface is up and connected I lose connectivity to the standby ASA.

The active device is currently live and running. The commands stated... Will they affect service in any way?

Thanks,

Jamie.

Cisco Employee

Re: ASA Failover

You might want to connect to the standby via console. These are "show" commands run in privileged mode; they will not affect service in any way.

Regards,

Sushil

Community Member

Re: ASA Failover

Hello.

Attached are the outputs from the standby and active ASAs. To note: to actually gain access to the standby, I had to disable the failover, reboot the standby ASA, then re-enable the failover. After I gained access to the system and gathered the information necessary, I now have no access. I must have left it for about 30 minutes and now I am unable to telnet, ssh, or asdm to any standby IP or management port. I can gain access to the standby fully when the failover is disabled. I'm totally lost here as to why this is happening.

Please refer to the attached.
