Cisco Support Community
New Member

Failover of ASA when interfaces are in waiting state

Hello Everyone,

I have redundant firewalls on a multicontext active/standby setup. There are only 3 interfaces (inside, dmz, outside) configured using subinterfaces for all contexts. I am getting a waiting state on the interfaces when I do "sh failover". Unfortunately, at this moment I cannot provide a config of the "sh failover" since I am having access problems due to the changeover to TACACS. I will do so in a very short while.

I need to know if it is possible to do forceful failover when the interfaces are in active state. Currently the active firewall is "ACTIVE" and the secondary firewall is "STANDBY READY".

You can see my last post on the same issue - https://supportforums.cisco.com/message/3171035#3171035.

Thanks

3 REPLIES
Cisco Employee

Re: Failover of ASA when interfaces are in waiting state

Do you have standby IP addresses assigned to your interfaces?  This could be a possible reason why your interfaces are in waiting state:

Normal (Waiting)

The interface is up but has not yet received a hello packet from the corresponding interface on the peer unit. Verify that a standby IP address has been configured for the interface and that there is connectivity between the two interfaces.

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/s3.html#wp1425186

Also, since you are using subinterfaces, did you specify those subinterfaces to be monitored by failover? By default physical interfaces are monitored, while subinterfaces are not:

By default, monitoring of physical interfaces is enabled and the monitoring of subinterfaces is disabled. You can enable monitoring for subinterfaces with the command "monitor-interface ":

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/failover.html#wp1073911

New Member

Re: Failover of ASA when interfaces are in waiting state

Hi Allen,

In every context I am monitoring the interfaces. The interfaces are being monitored like this

admin context
===========

interface outsideshared
nameif outside
security-level 55
ip address 15.10.12.1 255.255.255.0 standby 15.10.12.2
!
interface dmzadmincontext
nameif dmz
security-level 60
ip address 16.10.12.1 255.255.255.0 standby 16.10.12.2
!
interface insideadmincontext
nameif inside
security-level 100
ip address 17.10.12.1 255.255.255.0 standby 17.10.12.2
!

monitor-interface outside
monitor-interface dmz
monitor-interface inside

customer A context
===============

interface outside
nameif outside
security-level 0
ip address 192.168.11.2 255.255.255.0 standby 192.168.11.3
!
interface inside
nameif inside
security-level 98
ip address 192.168.12.2 255.255.255.0 standby 192.168.12.3
!

monitor-interface outside
monitor-interface inside

All these interfaces are subinterfaces defined as vlans in the system context. These are configs which I have on my machine (address changes)

Thanks
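The two checks raised in the first reply (a standby IP address on every interface, and a monitor-interface statement for each subinterface) can be run offline against a saved context configuration. The Python script below is an added example, not part of the thread and not Cisco tooling; the name audit_failover and the sample configuration are constructed, and it assumes every named interface is a subinterface, so monitoring is off unless configured.

```python
import ipaddress
import re

NO_STANDBY = "no standby IP address"
NOT_MONITORED = "no monitor-interface statement"

# Constructed sample in the style of the context configs posted above:
# "inside" has a standby address in the wrong subnet, "dmz" has no standby
# address and is not monitored.
SAMPLE_CONTEXT = """\
interface outside
 nameif outside
 ip address 192.168.11.2 255.255.255.0 standby 192.168.11.3
!
interface inside
 nameif inside
 ip address 192.168.12.2 255.255.255.0 standby 192.168.13.3
!
interface dmz
 nameif dmz
 ip address 192.168.14.2 255.255.255.0
!
monitor-interface outside
monitor-interface inside
"""

def audit_failover(config: str) -> dict:
    """Return {nameif: [problems]} for each named interface in one context."""
    monitored = set(re.findall(r"^\s*monitor-interface\s+(\S+)", config, re.M))
    findings, current = {}, None
    for line in config.splitlines():
        words = line.split()
        if words[:1] == ["interface"]:
            current = None                      # a new interface block starts
        elif words[:1] == ["nameif"] and len(words) >= 2:
            current = words[1]
            findings[current] = [NO_STANDBY]    # cleared once a standby is seen
            if current not in monitored:
                findings[current].append(NOT_MONITORED)
        elif current and words[:2] == ["ip", "address"] and words[4:5] == ["standby"] and len(words) >= 6:
            probs = findings[current]
            probs.remove(NO_STANDBY)
            net = ipaddress.ip_network(f"{words[2]}/{words[3]}", strict=False)
            if ipaddress.ip_address(words[5]) not in net:
                probs.append(f"standby {words[5]} is outside {net}")
            elif words[5] == words[2]:
                probs.append("standby address equals active address")
    return findings

if __name__ == "__main__":
    for name, probs in audit_failover(SAMPLE_CONTEXT).items():
        print(f"{name}: {'; '.join(probs) or 'ok'}")
```

A clean result only rules out these two configuration causes; an interface can still show Normal (Waiting) if hellos do not reach the peer interface.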

Cisco Employee

Re: Failover of ASA when interfaces are in waiting state

As long as your failover is working fine active/standby you can do the failover. For the interfaces in waiting state you need to check connectivity as it cannot check the standby ip.

- AD
