Failover state on ASA

huwyhuwy123
Level 1

hi there,

We have 2 ASA 5505s in a data centre at a remote site.

Whilst troubleshooting another issue I noticed the below. I don't know much about failover but this would suggest that the secondary ASA is active and the primary ASA is on standby. Can someone confirm this is the case?

If the primary is "active" then how come the secondary is the active ASA? I would have thought that once the primary ASA became active this would assume the "main" role.

Hope this makes sense! Thanks for any help,

Al

------------------------------------------------------------------------------------------------

BLU-COLO# sh failover state
               State          Last Failure Reason      Date/Time
This host  -   Secondary
               Active         None
Other host -   Primary
               Standby Ready  Ifc Failure              19:10:39 UTC Jun 23 2011
                              outside: Failed

====Configuration State===
        Sync Done
        Sync Done - STANDBY

====Communication State===
        Mac set

7 Replies

anksachd
Level 1

Hi,

The output pasted by you states that the Secondary is currently the Active unit. Can you paste the output of show failover and show failover state from the Primary unit as well? As per the output of "show failover state" from the secondary, it is clear that the outside interface of the Primary has failed, and that is the reason for the failover which made the secondary take the "Active" role. Can you please dig into it and find out if the outside interface of the primary is up, and also if it is pingable / reachable from the standby unit?

               Standby Ready  Ifc Failure              19:10:39 UTC Jun 23 2011
                              outside: Failed

Regards

Ankur

Thanks for coming back.

I can confirm that the primary can ping 8.8.8.8 and the secondary.

Should the primary automatically become the active unit?

This is the output from the primary...

BLU-COLO# sh failover state
               State          Last Failure Reason      Date/Time
This host  -   Primary
               Standby Ready  Ifc Failure              19:15:06 UTC Jun 23 2011
                              outside: Failed
Other host -   Secondary
               Active         None

Cheers again,

Al

Hi

Can the Secondary Outside IP ping the Primary Outside IP? Also, the output clearly says that the failover happened because the outside interface of the primary failed. Currently the Secondary is the Active unit; you need to rectify the issue with the outside interface of the Primary (check cables, the upstream switchport should be correctly connected to the outside i/f, ensure the outside interface has line protocol up and is administratively up as well, and it should be in the same VLAN as the secondary outside i/f).

This host  -   Primary
               Standby Ready  Ifc Failure              19:15:06 UTC Jun 23 2011
                              outside: Failed

Regards,

Ankur

I can confirm that both ASAs can ping each other's Outside IP.

Should the primary ASA automatically make itself the primary after failover? or do I need to manually do something?

Cheers again,

Al

eddie.harmoush
Level 1

A quick recap of terminology:

Primary/Secondary - these terms solely exist to differentiate the naming between two Failover Firewalls.  These terms do NOT indicate which host is currently passing traffic or not.

Active/Standby - these terms indicate which ASA is currently passing traffic.

Currently, given the output you provided the SECONDARY firewall is currently ACTIVE, and the PRIMARY firewall is currently STANDBY:

Secondary FW:

BLU-COLO# sh failover state
               State          Last Failure Reason      Date/Time
This host  -   Secondary
               Active         None
Other host -   Primary
               Standby Ready  Ifc Failure              19:10:39 UTC Jun 23 2011
                              outside: Failed

Primary FW:

BLU-COLO# sh failover state
               State          Last Failure Reason      Date/Time
This host  -   Primary
               Standby Ready  Ifc Failure              19:15:06 UTC Jun 23 2011
                              outside: Failed
Other host -   Secondary
               Active         None

The Firewall is telling you that the failover reason was [Ifc Failure Outside: Failed]. But notice the state of the Primary is Standby Ready. This is telling you that the Primary firewall is ready to take over as Active again, should the current Active (the secondary) fail. ASAs will not force a failover if they don't have to. As far as the ASAs are concerned, they don't care whether the Primary is Active or the Secondary is Active.

Your interface failed, then came back up (returning the state of the Standby to "Standby Ready"). The state would have been different if the outside interface were still down. To prove it, you can jump on your Standby ASA (Primary) and shut down the outside interface. Then go back to your Active ASA and run the command show failover state and you will see the state of the "Other host" will be something other than Standby Ready.
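To make the Primary/Secondary versus Active/Standby distinction concrete, here is an added Python parser (not from anyone in this thread) for the "show failover state" output pasted above. It reports which priority (Primary or Secondary) currently holds the Active role and whether a recorded interface failure has since cleared, i.e. the other unit is back to "Standby Ready" rather than "Failed". The embedded sample is the secondary unit's output from this thread; column offsets are taken from the header line, which is an assumption about how the output is laid out.

```python
import re

# Constructed sample: the "show failover state" output pasted above from the secondary unit.
SAMPLE = """\
BLU-COLO# sh failover state
               State          Last Failure Reason      Date/Time
This host  -   Secondary
               Active         None
Other host -   Primary
               Standby Ready  Ifc Failure              19:10:39 UTC Jun 23 2011
                              outside: Failed
====Configuration State===
"""

HOST_RE = re.compile(r"^(This host|Other host)\s+-\s+(Primary|Secondary)\s*$")
IFC_RE = re.compile(r"^\s+(\S+):\s+(\S+)\s*$")  # e.g. "outside: Failed"

def parse_failover_state(text):
    """Return {"this": unit, "other": unit}; unit = role/state/reason/time/failed_ifcs."""
    units, cur, cols = {}, None, None
    for line in text.splitlines():
        if line.startswith("===="):
            break  # Configuration/Communication sections are not needed here
        if "Last Failure Reason" in line:
            # Column offsets come from the header so slicing lines up with the data rows
            cols = (line.index("State"), line.index("Last Failure Reason"), line.index("Date/Time"))
        elif (m := HOST_RE.match(line)):
            key = "this" if m.group(1) == "This host" else "other"
            cur = units[key] = {"role": m.group(2), "state": None, "reason": None,
                                "time": None, "failed_ifcs": {}}
        elif (m := IFC_RE.match(line)) and cur and cur["state"] is not None:
            cur["failed_ifcs"][m.group(1)] = m.group(2)  # interface detail under the state row
        elif cur and cols and cur["state"] is None and line.strip():
            s, r, d = cols
            cur["state"], cur["reason"] = line[s:r].strip(), line[r:d].strip()
            cur["time"] = line[d:].strip() or None
    return units

def summarize(units):
    """(active_role, standby_role, failure_cleared) for the pair."""
    active = next(u for u in units.values() if u["state"] == "Active")
    standby = next(u for u in units.values() if u["state"] != "Active")
    # "Standby Ready" plus a recorded reason means the failure is historical: the
    # interface recovered, but the ASA does not fail back on its own.
    cleared = standby["state"] == "Standby Ready" and standby["reason"] != "None"
    return active["role"], standby["role"], cleared

if __name__ == "__main__":
    print(summarize(parse_failover_state(SAMPLE)))  # ('Secondary', 'Primary', True)
```

Run it against the primary's output too and the roles swap while the Active unit stays the Secondary, which is exactly the point made above.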


Thanks a lot guys. I now understand!

Glad to help.  Also, I forgot to mention, you can configure your ASA so the prompt indicates whether the Firewall you are logged into is Primary/Secondary (priority) or Active/Standby (state).  Simply add the following to your config:

prompt hostname priority state


It makes it much easier to administer, in my opinion.  Just a suggestion.
