Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
531
Views
0
Helpful
2
Replies

ASA5525 Failover Active/Standby Status

kalianetTO
Level 1
Level 1

‎07-22-2014 04:32 PM - edited ‎03-11-2019 09:31 PM

Appreciate any help with active/standby config. I just finish configuring the firewall and everything is tested fine but  then I noticed the failover status (shown below) shows the standby unit as failed. The configuration between the two unit synch fine but I'm not sure what is going on. Is this normal or is there error somewhere in my configuration.

 

ACTIVE INTERFACE CONFIG SAMPLE

interface GigabitEthernet0/2.422
 vlan 422
 nameif inside
 security-level 100
 ip address 10.254.122.6 255.255.255.248 standby 10.254.122.5

 

ACTIVE FAILOVER CONFIG

failover
failover lan unit primary
failover lan interface FAIL-OVER GigabitEthernet0/6
failover interface-policy 50%
failover key *****
failover link FAIL-OVER GigabitEthernet0/6
failover interface ip FAIL-OVER 172.22.36.252 255.255.255.0 standby 172.22.36.251

 

STANDBY FAILOVER CONFIG

failover
failover lan unit primary
failover lan interface FAIL-OVER GigabitEthernet0/6
failover interface-policy 50%
failover key *****
failover link FAIL-OVER GigabitEthernet0/6
failover interface ip FAIL-OVER 172.22.36.252 255.255.255.0 standby 172.22.36.251

 

Failover On
Failover unit Primary
Failover LAN Interface: FAIL-OVER GigabitEthernet0/6 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 50%
Monitored Interfaces 7 of 216 maximum
Version: Ours 9.1(2), Mate 9.1(2)
Last Failover at: 04:14:35 TOST Jul 21 2014
    This host: Primary - Active
        Active time: 175553 (sec)
        slot 0: ASA5525 hw/sw rev (1.0/9.1(2)) status (Up Sys)
          Interface outside (PUBLIC-IP): Normal (Waiting)
          Interface inside-isp (10.254.120.6): Normal (Waiting)
          Interface inside (10.254.122.6): Normal (Waiting)
          Interface VPN (10.254.124.6): Normal (Waiting)
          Interface inside-legacy (10.254.126.6): Normal (Waiting)
          Interface management (10.254.36.252): Normal (Monitored)
          Interface dmz (10.254.130.1): Normal (Waiting)
    Other host: Secondary - Failed
        Active time: 0 (sec)
        slot 0: ASA5525 hw/sw rev (1.0/9.1(2)) status (Up Sys)
          Interface outside (PUBLIC-IP): Normal (Waiting)
          Interface inside-isp (10.254.120.5): Failed (Waiting)
          Interface inside (10.254.122.5): Failed (Waiting)
                  Interface VPN (10.254.124.5): Failed (Waiting)
          Interface inside-legacy (10.254.126.5): No Link (Waiting)
          Interface management (10.254.36.251): Normal (Monitored)
          Interface dmz (10.254.130.2): Normal (Waiting)

Stateful Failover Logical Update Statistics
    Link : FAIL-OVER GigabitEthernet0/6 (up)
    Stateful Obj     xmit       xerr       rcv        rerr      
    General        277738     0          23409      9         
    sys cmd      23392      0          23392      0         
    up time      0          0          0          0         
    RPC services      0          0          0          0         
    TCP conn     0          0          0          0         
    UDP conn     0          0          0          0         
    ARP tbl      221944     0          16         0         
    Xlate_Timeout      0          0          0          0         
    IPv6 ND tbl      0          0          0          0         
    VPN IKEv1 SA     0          0          0          0         
    VPN IKEv1 P2     0          0          0          0         
    VPN IKEv2 SA     0          0          0          0         
    VPN IKEv2 P2     0          0          0          0         
    VPN CTCP upd     0          0          0          0         
    VPN SDI upd     0          0          0          0         
    VPN DHCP upd     0          0          0          0         
        SIP Session     0          0          0          0         
    Route Session     32401      0          0          9         
    User-Identity     1          0          1          0         
    CTS SGTNAME     0          0          0          0         
    CTS PAC     0          0          0          0         
    TrustSec-SXP     0          0          0          0         
    IPv6 Route     0          0          0          0         

    Logical Update Queue Information
              Cur     Max     Total
    Recv Q:     0     14     23458
    Xmit Q:     0     30     361865

 

 

Labels:
0 Helpful
2 Replies 2

Marvin Rhoads
Hall of Fame
Hall of Fame

‎07-22-2014 07:13 PM

Your secondary unit has three interfaces that the primary is unable to verfy are up:

          Interface inside-isp (10.254.120.5): Failed (Waiting)
          Interface inside (10.254.122.5): Failed (Waiting)
          Interface VPN (10.254.124.5): Failed (Waiting)

Can you see those interfaces up and the addresses reachable from outside the ASA?

0 Helpful

rajesh.gogia
Level 1
Level 1

‎07-22-2014 10:00 PM

 

As per the configuration you need to replace command on secondary unit as given below

 

failover lan unit secondary

 

STANDBY FAILOVER CONFIG

failover
failover lan unit secondary
failover lan interface FAIL-OVER GigabitEthernet0/6
failover interface-policy 50%
failover key *****
failover link FAIL-OVER GigabitEthernet0/6
failover interface ip FAIL-OVER 172.22.36.252 255.255.255.0 standby 172.22.36.251

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card