New Member

Cisco ASA 5510 Active/Standby config

I have configured failover using the management port. When I unplug the LAN interface the Primary goes into standby and the standby unit goes into Primary state.
But when I plug the LAN interface on ASA1 back in, the Secondary stays as Active UNLESS I unplug the LAN interface on the Secondary unit. Is this normal?

14 REPLIES
New Member

I'm pretty sure you can't use the MGMT port for failover functions.  

I would recommend that you use LAN-based failover using one of the "inline" interfaces that passes traffic, or if you have enough ports available, configure one just for failover operations.
Hall of Fame Super Silver

Yes, this is normal.

ASA high availability failover cluster units have no concept of preemption. Whichever unit has been healthy most recently will be active unless you initiate a manual failover to force the system back to the desired state.

@ Dave - yes the management port can be used for failover - as long as you don't want to also use it for management. From the configuration guide:

"You can use any unused interface on the device as the failover link; however, you cannot specify an interface that is currently configured with a name. The failover link interface is not configured as a normal networking interface; it exists for failover communication only. This interface should only be used for the failover link (and optionally for the Stateful Failover link)"
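As an added example (not from this thread or from the Cisco configuration guide quoted above), this is the shape of an Active/Standby configuration on a 5510 pair that uses the management port as the combined failover and stateful link, with the manual failback described above. The link name `folink`, the interface names and all addresses are assumptions.

```cisco
! Primary unit. The secondary unit gets the same block with "failover lan unit secondary".
failover lan unit primary
!
! Management0/0 carries both the failover link and the stateful link.
! It must not carry a nameif, because a named interface cannot be the failover link.
failover lan interface folink Management0/0
failover link folink Management0/0
failover interface ip folink 10.255.255.1 255.255.255.252 standby 10.255.255.2
!
! The failover link replicates the running configuration between the peers;
! a shared key keeps that replication encrypted (placeholder value).
failover key FAILOVER-SHARED-SECRET-PLACEHOLDER
!
! Data interfaces carry an active and a standby address so the active unit
! can verify the peer over IP rather than trust the peer's self-report.
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248 standby 203.0.113.3
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0 standby 192.168.1.2
!
! Enable failover last, once the link and the peer are configured.
failover
!
! There is no preemption. After the primary has recovered, failback is manual:
! run this on the unit that should become active (here, the primary while it is standby).
failover active
```

The equivalent from the other side is `no failover active` on the secondary while it is active. Either command causes the same state transition; the choice is only which unit you happen to be logged into.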

New Member

That's what I figured on the management port. I combed through the internet searching and most state it can be used. My plan is to use it for both failover and stateful failover. I just wasn't sure about the failback when the primary comes back online.

My setup is using all 4 ports (2 WANs, 1 LAN, 1 DMZ). Do I need to configure a standby for each interface?

Also, is there any way around not having to force a failback?

Thanks.

Hall of Fame Super Silver

You can run an HA pair without standby IP addresses but the interface monitoring capability is somewhat compromised as the primary unit cannot positively verify the standby unit is reachable on those interfaces via IP and instead has to rely on the communication from the standby via the failover link that the interfaces are up.

I always recommend you use standby IP addresses if possible. The only times I've not done it is when the available public IP addresses are severely constrained and the client can't afford to give up even 1 address on that interface.

New Member

Actually that is an issue right now with one of the WANs (no available IPs). So if I create only one standby IP for the LAN, one for the DMZ & one for the Primary WAN it will still function properly? What will I lose?

I thought the LAN links going down triggers the failover?

Hall of Fame Super Silver

Failover is triggered by any of several things - monitored interface on active peer going down, active peer not reachable, service module on active peer going down, etc.

A failover pair can operate properly with one of the interfaces not having a configured standby IP address. You will lose a slight degree of assurance that the standby peer is "really" ready on that interface since you are relying on its self-reporting that the interface is up with line protocol up.

One can posit scenarios in which that is the case yet traffic will not flow due to IP reachability (e.g., if it was plugged into an active port on an upstream switch and the port was in the wrong VLAN).

New Member

Great Feedback. Thanks Marvin!!!

Hall of Fame Super Silver

You're welcome.

Please mark your question as answered if it has been. Rating improves the community quality. :)

New Member

Is there any way for the admin for the ASA to be notified when it goes into standby?

Hall of Fame Super Silver

Yes. There is a syslog message created. If you're using an external log destination, you can typically set that up to notify you upon receipt of specified messages.

If you don't have an external syslog server, you can create a logging message list and direct the ASA to email the admin when that list receives an event. You will have to relay via an internal mail server and may need to add the ASA to the whitelist on that server if it's locked down.

Here's a link to the config guide section describing how to set that up on the ASA.
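As an added example (not the thread's or Cisco's own text), this is the logging configuration the reply above describes: a message list that captures the failover state-change messages, sent to an external syslog collector when one exists, and otherwise emailed through an internal relay. The message IDs 104001 (switching to ACTIVE), 104002 (switching to STANDBY) and 105005 (lost failover communications with mate) are the documented ASA failover messages; the list name, server addresses and mailbox names are assumptions.

```cisco
logging enable
logging timestamp
!
! Group the failover state-change messages into a named list.
logging list HA_EVENTS message 104001-104002
logging list HA_EVENTS message 105005
!
! Option 1: an external syslog collector on the inside network (assumed address).
! The collector's alerting rules then match on message IDs 104001/104002/105005.
logging trap informational
logging host inside 192.168.1.50
!
! Option 2: no collector. Email only the HA_EVENTS list through an internal relay.
! The relay must accept mail from the ASA's inside address; a locked-down
! relay needs the ASA added to its allowed-sender list.
smtp-server 192.168.1.25
logging from-address asa-primary@example.com
logging recipient-address noc@example.com
logging mail HA_EVENTS
!
! Verify what the unit would send: the list contents and the current logging state.
show logging
show running-config logging
```

Both options can coexist; the email list is narrow on purpose so that a relay outage or a flood of routine messages cannot drown the one notification that matters, which is the unit leaving the active role.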

New Member

I'll take a look. One last thing (I think), I'm working on this with 2 5510s as I type. I noticed that if I only have the standby IP configured for the LAN interface only (no WANs or DMZ) and I unplug the WANs or DMZ the ASA goes into the standby state. Normal?

Hall of Fame Super Silver

Yes, that's normal.

Unless you have specifically excluded a configured interface from monitoring (or set a threshold of number of monitored interfaces to trigger a failover), unplugging an interface will result in the line protocol going down and the unit will know that whether or not it has a standby IP address.
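As an added example (not from the thread), this shows the two controls the reply above mentions, interface monitoring exclusion and the monitored-interface threshold, and it also covers the earlier question about a WAN interface that has no spare address for a standby IP. Interface names, addresses and the chosen values are assumptions.

```cisco
! Every interface with a nameif is monitored by default once failover is enabled.
! An interface is declared down after "holdtime" seconds without hellos from the peer
! (holdtime must be at least five times the poll time).
failover polltime interface 5 holdtime 25
!
! The second WAN has no standby address. It is still monitored, but only through the
! peer's self-report over the failover link, not by IP reachability from the active unit.
interface Ethernet0/2
 nameif wan2
 security-level 0
 ip address 198.51.100.2 255.255.255.252
!
! Exclude the DMZ from monitoring: a DMZ link loss will no longer trigger failover,
! which is the trade-off accepted when that interface is allowed to be down.
no monitor-interface dmz
!
! Keep the interfaces that must stay reachable under monitoring.
monitor-interface inside
monitor-interface outside
monitor-interface wan2
!
! Default policy is 1: a single monitored interface failure causes failover.
! Raising it to 2 means one unplugged cable no longer flips the pair.
failover interface-policy 2
!
! Verify: per-interface monitoring state and the overall pair status.
show monitor-interface
show failover
```

`show monitor-interface` lists each interface as Normal, Waiting, Testing or Failed on both units; `show failover` reports which unit is active and why the last state change happened, which is the first thing to check when the pair does not return to the expected state after a cable is reconnected.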

New Member

No problem

New Member

Again, thanks for the help. I continue to work on this lab to fine tune it.
