Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Cisco ASA Active standby failover problem

We have configured ASA Active standby failover with ASA5505 . When primary unit power off, secondary unit became active. when primary unit power on, then primary unit is becoming active again. i think for active standby setup there is no preemption. The real issue is when primary ASA became active after power on all the external connectivity getting down. Please see the below config,

 

ASA01# show run

ASA01# show running-config 
: Saved
:
ASA Version 8.2(5) 
!
hostname ASA01
enable password PVSASRJovmamnVkD encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
name 192.168.1.1 MPLS_Router description MPLS_Router 
name 192.168.2.1 SCADA_Router description SCADA_Router
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 switchport access vlan 2
!
interface Ethernet0/3
!
interface Ethernet0/4
 switchport access vlan 3
!
interface Ethernet0/5
            
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.3.8 255.255.255.0 standby 192.168.3.9 
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 192.168.1.8 255.255.255.0 standby 192.168.1.9 
!
interface Vlan3
 description LAN Failover Interface

ftp mode passive
clock timezone AST 3
access-list inside_access_in extended permit icmp any any 
access-list inside_access_in extended permit ip any any 
access-list inside_access_in extended permit ip any host MPLS_Router 
access-list outside_access_in extended permit icmp any any 
access-list outside_access_in extended permit ip any any 
access-list outside_access_in extended permit ip any 192.168.2.0 255.255.255.0 
pager lines 24
logging enable
logging asdm informational
mtu inside 1500
mtu outside 1500
failover
failover lan unit primary
failover lan interface FAILOVER Vlan3
failover key *****
failover interface ip FAILOVER 10.1.1.1 255.255.255.0 standby 10.1.1.2

icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
access-group inside_access_in in interface inside
access-group outside_access_in in interface outside
!
route-map Route_Out permit 1
 match ip address inside_access_in outside_access_in
 match interface inside
!
route outside 0.0.0.0 0.0.0.0 MPLS_Router 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.1.0 255.255.255.0 inside
http 192.168.2.0 255.255.255.0 inside

http authentication-certificate inside
http authentication-certificate outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 192.168.2.0 255.255.255.0 inside
telnet 192.168.1.0 255.255.255.0 outside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
!

threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username admin password eY/fQXw7Ure8Qrz7 encrypted
!
!
prompt hostname context 
no call-home reporting anonymous

              
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:1a8e46a787aa78502ffd881ab62d1c31
: end

3 REPLIES
VIP Green

When you power on the primary

When you power on the primary does the secondary also remain as Active or does it switch to standby?

From primary, after power on, are you able to ping the internet? 4.2.2.2 for example?

Your configuration looks fine. This might be a bug.  Have you considered upgrading the ASA version?

--

Please remember to select a correct answer and rate helpful posts

-- Please remember to rate and select a correct answer
New Member

Thank you for your quick

Thank you for your quick response.

When we power on primary unit, secondary unit moving to standby. 

We cannot ping to our internet router. The strange things which we noticed that we can ping to 192.168.3.9(Standby ASA), we cannot ping to 192.168.3.8(Primary ASA) when primary ASA power on and become active.

VIP Green

I suggest removing the

I suggest removing the failover configuration on both units and then re-add them, and then test.

Primary

failover lan interface FAILOVER Vlan3
failover interface ip FAILOVER 10.1.1.1 255.255.255.0 standby 10.1.1.2
failover lan unit primary
failover key KEY
failover
 

Secondary

failover lan interface FAILOVER Vlan3
failover interface ip FAILOVER 10.1.1.1 255.255.255.0 standby 10.1.1.2
failover lan unit secondary
failover key KEY
failover

--

Please remember to select a correct answer and rate helpful posts

-- Please remember to rate and select a correct answer
199
Views
0
Helpful
3
Replies