Cisco Support Community
ASA5510 Stateful failover with Site-to-Site VPN traffic

Hi all,

Notebook -- ASA -- Checkpoint -- Server

I'm trying to demonstrate failover behaviour with site-to-site VPN traffic in the test lab. The ASA is a 5510 running version 8.2.5. I keep pinging the server from the notebook side. Then I rebooted the active ASA and observed that around 6 ICMP packets were dropped, and then the VPN resumed. I'm wondering why the VPN session can't hold even though the stateful failover link is UP. I also tried to separate the stateful link from Ethernet0/2 to Management0/0, and the VPN session still dropped after rebooting the active ASA. Can anyone help me? Thanks.

Primary

failover
failover lan unit primary
failover lan interface failover_IF Ethernet0/2
failover polltime unit 8 holdtime 24
failover polltime interface 8 holdtime 40
failover link failover_IF Ethernet0/2
failover interface ip failover_IF 172.18.11.97 255.255.255.252 standby 172.18.11.98

Secondary

failover
failover lan unit secondary
failover lan interface failover_IF Ethernet0/2
failover polltime unit 8 holdtime 24
failover polltime interface 8 holdtime 40
failover link failover_IF Ethernet0/2
failover interface ip failover_IF 172.18.11.97 255.255.255.252 standby 172.18.11.98

12 REPLIES

Hi,

Can you keep LAN failover and interface failover on different interfaces and check if that helps for you?

interface Ethernet2
 nameif state
 description STATE Failover Interface
interface ethernet3
 nameif failover
 description LAN Failover Interface
failover
failover lan unit primary
failover lan interface failover Ethernet3
failover lan enable
failover key ******
failover link state Ethernet2
failover interface ip failover 10.1.0.1 255.255.255.0 standby 10.1.0.2
failover interface ip state 10.0.0.1 255.0.0.0 standby 10.0.0.2

Regards

Karthik

Hi Karthik,

I tried to separate the LAN failover and stateful failover onto different interfaces, but the VPN session still dropped when I rebooted the active ASA.

failover
failover lan unit primary
failover lan interface failover_IF Ethernet0/2
failover polltime unit 8 holdtime 24
failover polltime interface 8 holdtime 40
failover interface ip failover_IF 172.18.11.97 255.255.255.252 standby 172.18.11.98

failover link statefailover_IF management0/0
failover interface ip statefailover_IF 10.10.10.1 255.255.255.0 standby 10.10.10.2

Hi,

On which interface are you doing the testing? Except for the inside interface, no other interface is monitored.

To enable health monitoring for an interface, enter the following command within a context:

hostname/context(config)# monitor-interface if_name

                  Interface inside (172.18.10.18): Normal 
                  Interface External_IF (172.18.10.26): Unknown (Waiting)
                  Interface SZCustoms_IF (172.128.9.5): Normal (Not-Monitored)
                  Interface Gicd_IF (172.18.10.82): Normal (Not-Monitored)
                  Interface HIT_IF (172.25.137.16): Normal (Not-Monitored)
                  Interface Port_IF (172.18.10.130): Normal (Not-Monitored)
                  Interface DPCustoms_IF (192.168.30.2): Normal (Not-Monitored)
                  Interface Edi_IF (172.18.10.194): Normal (Not-Monitored)
                  Interface ESP_IF (0.0.0.0): Normal (Not-Monitored)
                  Interface Y3_IF (192.168.80.4): Normal (Not-Monitored)
                  Interface Szinsp_IF (0.0.0.0): Normal (Not-Monitored)
                  Interface Bojian_IF (0.0.0.0): Normal (Not-Monitored)
                  Interface Insp_IF (192.168.20.2): Normal (Not-Monitored)
                  Interface Westport_IF (192.168.82.2): Link Down (Not-Monitored)
                  Interface New_custom_IF (192.168.34.2): Normal (Not-Monitored)
                  Interface Tally_IF (172.18.11.62): Normal (Not-Monitored)
                  Interface HaiSiJu_IF (0.0.0.0): Normal (Not-Monitored)
                  Interface ICBC_IF (0.0.0.0): Normal (Not-Monitored)
                  Interface ICBC_2M_IF (172.18.11.74): Normal (Not-Monitored)
                  Interface PABank_IF (0.0.0.0): Normal (Not-Monitored)
                  Interface ABCChina_IF (172.18.11.90): Normal (Not-Monitored)
                  Interface BOC_IF (0.0.0.0): Normal (Not-Monitored)
                  Interface SSDID_IF (0.0.0.0): Normal (Not-Monitored)
                  Interface CSMS_IF (0.0.0.0): Normal (Not-Monitored)
                  Interface eGate_MON (0.0.0.0): Normal (Not-Monitored)
                  Interface mobilesms_IF (0.0.0.0): Normal (Not-Monitored)
                  Interface BOC_MCS_IF (0.0.0.0): Normal (Not-Monitored)
                  Interface DMZ_IF (172.18.11.102): No Link (Waiting)
                  Interface DMZ1_IF (172.18.11.189): No Link (Not-Monitored)
                  Interface DMZ2_IF (0.0.0.0): No Link (Not-Monitored)
                  Interface DMZ3_IF (172.18.11.253): No Link (Not-Monitored)
                  Interface IVRS_IF (192.168.105.2): Link Down (Not-Monitored)
                  Interface Pccdmz_IF (192.168.85.2): No Link (Not-Monitored)
                  Interface CardCenter_IF (172.128.17.30): No Link (Not-Monitored)
                  Interface mang (0.0.0.0): No Link (Waiting) 

 

HTH

Sandy

Sandy,

I'm using HIT_IF for testing. For testing, I disabled all interface monitoring. Thanks.

Hi,

Apply the command below and test your stateful failover; it should work without packet drop.

hostname/context(config)# monitor-interface HIT_IF

HTH

Sandy

Sandy,

Thanks for your update.

Do you mean I have to enable monitoring on the interface/subinterface which I want to keep stateful during failover?

Hi,

Enable monitoring for both your outside and inside interfaces (meaning your LAN interfaces, whether physical or sub-interfaces). Then do your failover testing.

The "not-monitored" simply means you haven't set these up as failover monitored interfaces.

Note that "Monitoring of physical interfaces is enabled by default; monitoring of logical interfaces is disabled by default.", which is why your DMZ and private interfaces are being monitored, but your sub-interfaces are not.

HTH

Sandy

Hi Sandy,

I have tried to enable monitoring on the sub-interface. However, it also dropped when I tried to reboot the active ASA.

Also, I used another configuration which is much simpler. It doesn't have any sub-interface on the outside interface, but the symptom is the same. I'm wondering whether it is related to the version or the license.

Below is the "show failover" command on the simple configuration one.

==============================================================

FCP-Prod-Test#  show failover
Failover On 
Failover unit Primary
Failover LAN Interface: failover_IF Ethernet0/2 (up)
Unit Poll frequency 8 seconds, holdtime 24 seconds
Interface Poll frequency 8 seconds, holdtime 40 seconds
Interface Policy 1
Monitored Interfaces 2 of 250 maximum
Version: Ours 8.0(4), Mate 8.0(4)
Last Failover at: 11:36:57 UTC Aug 23 2014
        This host: Primary - Active 
                Active time: 104 (sec)
                slot 0: ASA5510 hw/sw rev (2.0/8.0(4)) status (Up Sys)
                  Interface inside (192.168.0.1): Normal 
                  Interface intf2 (172.25.136.226): Normal 
                slot 1: empty
        Other host: Secondary - Standby Ready 
                Active time: 0 (sec)
                slot 0: ASA5510 hw/sw rev (2.0/8.0(4)) status (Up Sys)
                  Interface inside (192.168.0.2): Normal 
                  Interface intf2 (172.25.136.227): Normal 
                slot 1: empty

Stateful Failover Logical Update Statistics
        Link : statefailover_IF Ethernet0/3 (up)
        Stateful Obj    xmit       xerr       rcv        rerr      
        General         38         0          43         0         
        sys cmd         29         0          28         0         
        up time         0          0          0          0         
        RPC services    0          0          0          0         
        TCP conn        0          0          0          0         
        UDP conn        0          0          0          0         
        ARP tbl         2          0          2          0         
        Xlate_Timeout   0          0          0          0         
        VPN IKE upd     3          0          7          0         
        VPN IPSEC upd   5          0          7          0         
        VPN CTCP upd    0          0          0          0         
        VPN SDI upd     0          0          0          0         
        VPN DHCP upd    0          0          0          0         
        SIP Session     0          0          0          0         

        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       12      443
        Xmit Q:         0       29      194

=============================================================

Also, below is the configuration of the simple one. It's really a straightforward configuration.

FCP-Prod-Test# sho run
: Saved
:
ASA Version 8.0(4) 
!
hostname FCP-Prod-Test
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 nameif inside
 security-level 100
 ip address 192.168.0.1 255.255.255.0 standby 192.168.0.2 
!
interface Ethernet0/1
 nameif intf2
 security-level 50
 ip address 172.25.136.226 255.255.255.248 standby 172.25.136.227 
!
interface Ethernet0/2
 description LAN Failover Interface
!
interface Ethernet0/3
 description STATE Failover Interface
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 no ip address
!
boot system disk0:/asa804-k8.bin
ftp mode passive
object-group network obj-192.168.0.3
object-group network obj-192.168.0.6
object-group network POC_server
 network-object 172.25.128.0 255.255.255.0
 network-object 172.25.130.0 255.255.255.0
 network-object 172.25.131.0 255.255.255.0
access-list acl_out extended permit icmp any any 
access-list 142 extended permit ip 172.25.165.16 255.255.255.240 object-group POC_server 
access-list 142 extended permit ip 172.25.166.224 255.255.255.224 object-group POC_server 
access-list 142 extended permit icmp 172.25.165.16 255.255.255.240 object-group POC_server 
access-list 142 extended permit icmp 172.25.166.224 255.255.255.224 object-group POC_server 
access-list 142 extended permit ip 192.168.0.0 255.255.255.0 object-group POC_server 
access-list 142 extended permit icmp 192.168.0.0 255.255.255.0 object-group POC_server 
access-list 142 extended permit ip 192.168.0.0 255.255.255.0 any 
access-list 142 extended permit icmp 192.168.0.0 255.255.255.0 any log 
pager lines 24
logging enable
logging monitor errors
logging buffered debugging
logging trap errors
logging asdm informational
logging host inside 172.16.2.45
mtu inside 1500
mtu intf2 1500
failover
failover lan unit primary
failover lan interface failover_IF Ethernet0/2
failover polltime unit 8 holdtime 24
failover polltime interface 8 holdtime 40
failover link statefailover_IF Ethernet0/3
failover interface ip failover_IF 10.10.10.1 255.255.255.252 standby 10.10.10.2
failover interface ip statefailover_IF 20.20.20.1 255.255.255.0 standby 20.20.20.2
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-713.bin
no asdm history enable
arp timeout 14400
static (inside,intf2) 172.25.165.17 192.168.0.3 netmask 255.255.255.255 
static (inside,intf2) 172.25.166.225 192.168.0.6 netmask 255.255.255.255 
access-group 142 in interface inside
access-group acl_out in interface intf2
route intf2 172.25.128.0 255.255.255.0 202.45.248.199 1
route intf2 172.25.130.0 255.255.255.0 202.45.248.199 1
route intf2 172.25.131.0 255.255.255.192 202.45.248.199 1
route intf2 202.45.248.1 255.255.255.255 172.25.136.225 1
route intf2 202.45.248.199 255.255.255.255 172.25.136.225 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
service resetoutside
crypto ipsec transform-set dcset1 esp-3des esp-sha-hmac 
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto map cpdc1 20 match address 142
crypto map cpdc1 20 set peer 202.45.248.199 
crypto map cpdc1 20 set transform-set dcset1
crypto map cpdc1 20 set security-association lifetime seconds 120
crypto map cpdc1 20 set security-association lifetime kilobytes 4608000
crypto map cpdc1 interface intf2
crypto isakmp enable intf2
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 300
telnet 172.16.0.0 255.255.0.0 inside
telnet 0.0.0.0 0.0.0.0 inside
telnet 0.0.0.0 0.0.0.0 intf2
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 intf2
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tunnel-group 202.45.248.199 type ipsec-l2l
tunnel-group 202.45.248.199 ipsec-attributes
 pre-shared-key *
!
class-map inspection_default
 match default-inspection-traffic
!             
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
  message-length maximum client auto
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect netbios 
  inspect rsh 
  inspect rtsp 
  inspect skinny  
  inspect esmtp 
  inspect sqlnet 
  inspect sunrpc 
  inspect tftp 
  inspect sip  
  inspect xdmcp 
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:5ee5f7eaa308f3f2290f3173453e96f8

Hi,

Can you share your network diagram? For both the outside and inside interfaces there should be L2 connectivity to the neighbor device.

Similarly, if you have dual devices for both the inside and outside segments, the HSRP IP address must be used as the gateway address for the ASA.

HTH

Sandy

Hi Sandy,

I have attached the network diagram for reference. Thanks.

Hi,

Share the "show failover" output from your ASA.

HTH

Sandy

Hi Sandy,

Thanks for your reply. Below is the output of the "show failover" command.

ASA# show failover
Failover On 
Failover unit Primary
Failover LAN Interface: failover_IF Ethernet0/2 (up)
Unit Poll frequency 8 seconds, holdtime 24 seconds
Interface Poll frequency 8 seconds, holdtime 40 seconds
Interface Policy 1
Monitored Interfaces 4 of 110 maximum
Version: Ours 8.2(5), Mate 8.2(5)
Last Failover at: 23:24:52 BJ Aug 21 2014
        This host: Primary - Standby Ready 
                Active time: 0 (sec)
                slot 0: ASA5510 hw/sw rev (2.0/8.2(5)) status (Up Sys)
                  Interface inside (172.18.10.18): Normal 
                  Interface External_IF (172.18.10.26): Unknown (Waiting)
                  Interface SZCustoms_IF (172.128.9.5): Normal (Not-Monitored)
                  Interface Gicd_IF (172.18.10.82): Normal (Not-Monitored)
                  Interface HIT_IF (172.25.137.16): Normal (Not-Monitored)
                  Interface Port_IF (172.18.10.130): Normal (Not-Monitored)
                  Interface DPCustoms_IF (192.168.30.2): Normal (Not-Monitored)
                  Interface Edi_IF (172.18.10.194): Normal (Not-Monitored)
                  Interface ESP_IF (0.0.0.0): Normal (Not-Monitored)
                  Interface Y3_IF (192.168.80.4): Normal (Not-Monitored)
                  Interface Szinsp_IF (0.0.0.0): Normal (Not-Monitored)
                  Interface Bojian_IF (0.0.0.0): Normal (Not-Monitored)
                  Interface Insp_IF (192.168.20.2): Normal (Not-Monitored)
                  Interface Westport_IF (192.168.82.2): Link Down (Not-Monitored)
                  Interface New_custom_IF (192.168.34.2): Normal (Not-Monitored)
                  Interface Tally_IF (172.18.11.62): Normal (Not-Monitored)
                  Interface HaiSiJu_IF (0.0.0.0): Normal (Not-Monitored)
                  Interface ICBC_IF (0.0.0.0): Normal (Not-Monitored)
                  Interface ICBC_2M_IF (172.18.11.74): Normal (Not-Monitored)
                  Interface PABank_IF (0.0.0.0): Normal (Not-Monitored)
                  Interface ABCChina_IF (172.18.11.90): Normal (Not-Monitored)
                  Interface BOC_IF (0.0.0.0): Normal (Not-Monitored)
                  Interface SSDID_IF (0.0.0.0): Normal (Not-Monitored)
                  Interface CSMS_IF (0.0.0.0): Normal (Not-Monitored)
                  Interface eGate_MON (0.0.0.0): Normal (Not-Monitored)
                  Interface mobilesms_IF (0.0.0.0): Normal (Not-Monitored)
                  Interface BOC_MCS_IF (0.0.0.0): Normal (Not-Monitored)
                  Interface DMZ_IF (172.18.11.102): No Link (Waiting)
                  Interface DMZ1_IF (172.18.11.189): No Link (Not-Monitored)
                  Interface DMZ2_IF (0.0.0.0): No Link (Not-Monitored)
                  Interface DMZ3_IF (172.18.11.253): No Link (Not-Monitored)
                  Interface IVRS_IF (192.168.105.2): Link Down (Not-Monitored)
                  Interface Pccdmz_IF (192.168.85.2): No Link (Not-Monitored)
                  Interface CardCenter_IF (172.128.17.30): No Link (Not-Monitored)
                  Interface mang (0.0.0.0): No Link (Waiting)
                slot 1: empty
        Other host: Secondary - Active 
                Active time: 464 (sec)
                slot 0: ASA5510 hw/sw rev (2.0/8.2(5)) status (Up Sys)
                  Interface inside (172.18.10.17): Normal 
                  Interface External_IF (172.18.10.25): Unknown (Waiting)
                  Interface SZCustoms_IF (172.128.9.2): Normal (Not-Monitored)
                  Interface Gicd_IF (172.18.10.81): Normal (Not-Monitored)
                  Interface HIT_IF (172.25.137.15): Normal (Not-Monitored)
                  Interface Port_IF (172.18.10.129): Normal (Not-Monitored)
                  Interface DPCustoms_IF (192.168.30.1): Normal (Not-Monitored)
                  Interface Edi_IF (172.18.10.193): Normal (Not-Monitored)
                  Interface ESP_IF (10.200.1.2): Normal (Not-Monitored)
                  Interface Y3_IF (192.168.80.3): Normal (Not-Monitored)
                  Interface Szinsp_IF (172.100.100.113): Normal (Not-Monitored)
                  Interface Bojian_IF (172.18.11.49): Normal (Not-Monitored)
                  Interface Insp_IF (192.168.20.1): Normal (Not-Monitored)
                  Interface Westport_IF (192.168.82.1): Normal (Not-Monitored)
                  Interface New_custom_IF (192.168.34.1): Normal (Not-Monitored)
                  Interface Tally_IF (172.18.11.57): Normal (Not-Monitored)
                  Interface HaiSiJu_IF (172.128.16.1): Normal (Not-Monitored)
                  Interface ICBC_IF (172.18.11.65): Normal (Not-Monitored)
                  Interface ICBC_2M_IF (172.18.11.73): Normal (Not-Monitored)
                  Interface PABank_IF (172.18.11.81): Normal (Not-Monitored)
                  Interface ABCChina_IF (172.18.11.89): Normal (Not-Monitored)
                  Interface BOC_IF (172.18.11.113): Normal (Not-Monitored)
                  Interface SSDID_IF (172.18.11.129): Normal (Not-Monitored)
                  Interface CSMS_IF (172.18.12.1): Normal (Not-Monitored)
                  Interface eGate_MON (10.111.111.1): Normal (Not-Monitored)
                  Interface mobilesms_IF (183.238.123.90): Normal (Not-Monitored)
                  Interface BOC_MCS_IF (194.254.3.42): Normal (Not-Monitored)
                  Interface DMZ_IF (172.18.11.101): No Link (Waiting)
                  Interface DMZ1_IF (172.18.11.190): Normal (Not-Monitored)
                  Interface DMZ2_IF (172.18.11.222): Normal (Not-Monitored)
                  Interface DMZ3_IF (172.18.11.254): Normal (Not-Monitored)
                  Interface IVRS_IF (192.168.105.1): Normal (Not-Monitored)
                  Interface Pccdmz_IF (192.168.85.1): Normal (Not-Monitored)
                  Interface CardCenter_IF (172.128.17.17): Normal (Not-Monitored)
                  Interface mang (192.168.100.1): No Link (Waiting)
                slot 1: empty

Stateful Failover Logical Update Statistics
        Link : failover_IF Ethernet0/2 (up)
        Stateful Obj    xmit       xerr       rcv        rerr      
        General         48         0          74         0         
        sys cmd         48         0          48         0         
        up time         0          0          0          0         
        RPC services    0          0          0          0         
        TCP conn        0          0          0          0         
        UDP conn        0          0          0          0         
        ARP tbl         0          0          2          0         
        Xlate_Timeout   0          0          0          0         
        IPv6 ND tbl     0          0          0          0         
        VPN IKE upd     0          0          9          0         
        VPN IPSEC upd   0          0          15         0         
        VPN CTCP upd    0          0          0          0         
        VPN SDI upd     0          0          0          0         
        VPN DHCP upd    0          0          0          0         
        SIP Session     0          0          0          0         

        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       11      711
        Xmit Q:         0       1       48
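
As an added example (not part of this thread or of any Cisco tool), a small Python audit that parses "show failover" output in the format quoted above and flags the conditions the replies point at: a stateful link that shares the LAN failover interface, interfaces left Not-Monitored or stuck in Waiting, and an IPsec update counter that never moves. The SAMPLE text is constructed and trimmed from the output format shown in the thread; the interface names and addresses in it are illustrative only.

```python
import re

# Constructed sample, trimmed to the fields of the "show failover" output quoted in this thread.
SAMPLE = """\
Failover LAN Interface: failover_IF Ethernet0/2 (up)
        This host: Primary - Standby Ready
                  Interface inside (172.18.10.18): Normal
                  Interface External_IF (172.18.10.26): Unknown (Waiting)
                  Interface HIT_IF (172.25.137.16): Normal (Not-Monitored)
                  Interface DMZ_IF (172.18.11.102): No Link (Waiting)
        Other host: Secondary - Active
                  Interface inside (172.18.10.17): Normal
Stateful Failover Logical Update Statistics
        Link : failover_IF Ethernet0/2 (up)
        VPN IPSEC upd   0          0          15         0
"""

LAN_RE = re.compile(r"^Failover LAN Interface: (\S+) (\S+) \((\w+)\)")
STATE_RE = re.compile(r"^\s*Link : (\S+) (\S+) \((\w+)\)")
# "Interface NAME (IP): STATE" with an optional "(Not-Monitored)" / "(Waiting)" suffix.
IFACE_RE = re.compile(
    r"^\s*Interface (\S+) \(([\d.]+)\): (.+?)(?: \((Not-Monitored|Waiting)\))?\s*$")
STAT_RE = re.compile(r"^\s*(VPN IKE upd|VPN IPSEC upd)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)")


def parse_show_failover(text):
    """Return LAN/stateful link names, per-unit interface states and VPN replication counters."""
    report = {"lan_if": None, "state_link": None, "hosts": {}, "vpn_stats": {}}
    host = "(unknown unit)"
    for line in text.splitlines():
        if m := LAN_RE.match(line):
            report["lan_if"] = m.group(2)  # physical port, e.g. Ethernet0/2
        elif m := STATE_RE.match(line):
            report["state_link"] = m.group(2)
        elif line.strip().startswith(("This host:", "Other host:")):
            host = line.strip()
        elif m := IFACE_RE.match(line):
            report["hosts"].setdefault(host, []).append(
                {"name": m.group(1), "ip": m.group(2),
                 "state": m.group(3).strip(), "flag": m.group(4)})
        elif m := STAT_RE.match(line):
            report["vpn_stats"][m.group(1)] = {
                "xmit": int(m.group(2)), "rcv": int(m.group(4))}
    return report


def audit(report):
    """List the conditions the thread identifies as reasons a failover test loses the VPN."""
    findings = []
    if report["lan_if"] and report["lan_if"] == report["state_link"]:
        findings.append(f"stateful link shares {report['lan_if']} with LAN failover; "
                        "move it to a dedicated interface")
    for host, ifaces in report["hosts"].items():
        for i in ifaces:
            if i["flag"] == "Not-Monitored":
                findings.append(f"{host}: {i['name']} not monitored "
                                f"(fix: monitor-interface {i['name']})")
            elif i["flag"] == "Waiting" or i["state"] != "Normal":
                # Waiting: monitored, but the peer's hellos have not been seen on this
                # interface yet, typically because there is no L2 path to the peer there.
                findings.append(f"{host}: {i['name']} is {i['state']} "
                                f"({i['flag'] or 'monitored'})")
    ipsec = report["vpn_stats"].get("VPN IPSEC upd")
    if ipsec and ipsec["xmit"] == 0 and ipsec["rcv"] == 0:
        findings.append("no IPsec SA updates replicated over the stateful link")
    return findings
```

Run audit(parse_show_failover(text)) over a pasted "show failover" capture; each finding names the unit and interface so it can be checked against the running configuration.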

 
