Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
New Member

How to troubleshoot failover?

Hi all,

I was wondering how to troubleshoot if failover happens to one of our firewall. Let say we've received alerts from monitoring team. Normally what I'll do is to:

1. ping both firewall (primary & secondary) to make sure both of them are running.

2. try to access to both firewall

3. issue show failover command to check the status of the firewall

4. issue show version command to check uptime

5. issue show log command to check logs message

What else should we do in order to find the root cause of the problem? Why failover happened?

ping FW01

FW01 is alive

ping FW01-failover

no answer from FW01-failover

FW01 up 1 hours 37 mins

FW01# sh fail

Failover On

Cable status: Other side powered off

Reconnect timeout 0:00:00

Poll frequency 15 seconds

Last Failover at: 13:37:00 UTC Fri Jun 17 2010

       This host: Primary - Active

               Active time: 28005 (sec)

               Interface outside (10.10.10.100): Normal (Waiting)

               Interface inside (11.11.11.100): Normal (Waiting)

              Interface failover (1.1.1.100): Link Down (Waiting)

               Interface vpn (7.7.7.100): Normal (Waiting)

               Interface intf4 (0.0.0.0): Link Down (Shutdown)

               Interface intf5 (0.0.0.0): Link Down (Shutdown)

       Other host: Secondary - Standby

               Active time: 0 (sec)

               Interface outside (10.10.10.99): Unknown (Waiting)

               Interface inside (11.11.11.99): Unknown (Waiting)

               Interface failover (1.1.1.99): Unknown (Waiting)

               Interface vpn (7.7.7.99): Unknown (Waiting)

               Interface intf4 (0.0.0.0): Unknown (Shutdown)

               Interface intf5 (0.0.0.0): Unknown (Shutdown)

From what I've checked on this article, (http://www.ciscoarticles.com/CCSP-Cisco-Certified-Security-Professional/Failover-Configuration-with-Failover-Cable.html)

Link Down means Interface line protocol is down

Unknown means IP address isn’t configured for the interface, so  it can’t  determine the status

Waiting means Monitoring the other unit’s network interface  hasn’t started  yet

Here is the log message..  

FW01# sh log

Syslog logging: enabled

    Facility: 20

    Timestamp logging: enabled

    Standby logging: disabled

    Console logging: disabled

    Monitor logging: disabled

    Buffer logging: level notifications, 25 messages logged

    Trap logging: level informational, 9162 messages logged

        Logging to inside 6.6.6.6

    History logging: level notifications, 25 messages logged

    Device ID: disabled

105002: (PIX) Enabling failover.

411001: Line protocol on Interface outside, changed state to up

411001: Line protocol on Interface vpn, changed state to up

502101: New user added to local dbase: Uname: admin Priv: 15 Encpass: xxxxxxxxxxx.

104001: (Primary) Switching to ACTIVE - no power detected from mate.

105007: (Primary) Link status 'Down' on interface intf5

105007: (Primary) Link status 'Down' on interface intf4

105006: (Primary) Link status 'Up' on interface vpn

105007: (Primary) Link status 'Down' on interface failover

105007: (Primary) Link status 'Down' on interface inside

105006: (Primary) Link status 'Up' on interface outside

105003: (Primary) Monitoring on interface vpn waiting

105003: (Primary) Monitoring on interface outside waiting

411001: Line protocol on Interface inside, changed state to up

105006: (Primary) Link status 'Up' on interface inside

105003: (Primary) Monitoring on interface inside waiting

502103: User priv level changed: Uname: adam From: 1 To: 15

111008: User 'adam' executed the 'enable' command.

Everyone's tags (1)
1 REPLY
Cisco Employee

Re: How to troubleshoot failover?

You can also get the output of the following which provides more detailed information of the failover status:

- show failover state

- show failover history

Here is the detailed explaination for your reference:

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/s3.html#wp1425818

It also includes what each link status means for your reference.

Hope it helps.

2502
Views
5
Helpful
1
Replies
CreatePlease to create content