Secondary firewall not pulling the configuration (failover) from primary

kunal-united
Level 1

Hi,

10.10.194.254 is the interface IP on nameif apps, and the standby configured on this router is 10.10.194.253.

But the secondary firewall is not pulling the config from the primary firewall, and it is taking the IP 10.10.194.250 instead of 10.10.194.253.

I can ping both failover interface IPs.

firewallB#
interface GigabitEthernet0/1
 description APPS
 speed 1000
 duplex full
 nameif apps
 security-level 95
 ip address 10.10.194.250 255.255.255.0 standby 10.10.194.251

firewall-A
firewall-A# sh ip | incl FAILOVER
GigabitEthernet0/3       FAILOVER               10.10.30.1      255.255.255.252 unset
GigabitEthernet0/3       FAILOVER               10.10.30.1      255.255.255.252 unset

firewall-B# sh ip | incl FAILOVER
GigabitEthernet0/3       FAILOVER               10.10.30.1      255.255.255.252 unset
GigabitEthernet0/3       FAILOVER               10.10.30.2      255.255.255.252 unset

firewall-A# PING 10.10.30.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.30.2, timeout is 2 seconds:
!!!!!

FIREWALLA# sh failover state
               State          Last Failure Reason      Date/Time
This host  -   Secondary
               Standby Ready  Ifc Failure              04:41:41 EST Nov 13 2011
                              management: Failed
Other host -   Primary
               Active         Comm Failure             20:58:19 EST Oct 28 2011

====Configuration State===
        Sync Done - STANDBY
====Communication State===
        Mac set

FIREWALLA# show failover interface
        interface FAILOVER GigabitEthernet0/3
                System IP Address: 10.10.30.1 255.255.255.252
                My IP Address    : 10.10.30.2
                Other IP Address : 10.10.30.1

firewallA# show failover statistic
        tx:2461308
        rx:5093552

CFWINT1A# show failover statistic
        tx:2461313
        rx:5093567

firewallA# sh failover
Failover On
Failover unit Secondary
Failover LAN Interface: FAILOVER GigabitEthernet0/3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 250 maximum
Version: Ours 8.2(1), Mate 8.2(1)
Last Failover at: 20:58:04 EST Oct 28 2011
        This host: Secondary - Standby Ready
                Active time: 38 (sec)
                slot 0: ASA5540 hw/sw rev (2.0/8.2(1)) status (Up Sys)
                  Interface dmz (192.168.167.249): Normal (Waiting)
                  Interface apps (10.10.194.251): Normal (Waiting)
                  Interface fcn (207.194.137.227): Normal (Not-Monitored)
                  Interface dcn (204.50.68.253): Normal (Not-Monitored)
                  Interface management (10.20.197.14): Normal
                slot 1: empty
        Other host: Primary - Active
                Active time: 1348715 (sec)
                slot 0: ASA5540 hw/sw rev (2.0/8.2(1)) status (Up Sys)
                  Interface dmz (192.168.167.248): Normal (Waiting)
                  Interface apps (10.10.194.250): Normal (Waiting)
                  Interface fcn (207.194.137.218): Normal (Not-Monitored)
                  Interface dcn (204.50.68.254): Normal (Not-Monitored)
                  Interface management (10.20.197.13): Normal
                slot 1: empty

Stateful Failover Logical Update Statistics
        Link : FAILOVER GigabitEthernet0/3 (up)
        Stateful Obj    xmit       xerr       rcv        rerr
        General         169060     0          5227919    2029415
        sys cmd         169060     0          169060     0
        up time         0          0          0          0
        RPC services    0          0          0          0
        TCP conn        0          0          620125     309349
        UDP conn        0          0          2018108    1719440
        ARP tbl         0          0          2420626    626
        Xlate_Timeout   0          0          0          0
        VPN IKE upd     0          0          0          0
        VPN IPSEC upd   0          0          0          0
        VPN CTCP upd    0          0          0          0
        VPN SDI upd     0          0          0          0
        VPN DHCP upd    0          0          0          0
        SIP Session     0          0          0          0

        Logical Update Queue Information
                        Cur     Max     Total
        Recv Q:         0       6       6496542
        Xmit Q:         0       1       169060

interface GigabitEthernet0/0
 description DMZ - CSWDMZ1A-2/0/10
 speed 1000
 duplex full
 nameif dmz
 security-level 50
 ip address 192.168.167.254 255.255.255.0 standby 192.168.167.253
!
interface GigabitEthernet0/1
 description APPS -
 speed 1000
 duplex full
 nameif apps
 security-level 95
 ip address 10.10.194.254 255.255.255.0 standby 10.10.194.253
!
!
interface GigabitEthernet0/3
 description LAN/STATE Failover Interface
 speed 1000
 duplex full
!
interface Management0/0
 nameif management
 security-level 100
 ip address 10.20.197.13 255.255.255.0 standby 10.20.197.14
 management-only

Am I missing something?

Please help.


5 Replies

Julio Carvajal
VIP Alumni

Hello Kunal,

Can you post the running-config of both devices so I can take a deeper look into this issue? Also, which device has this IP address: 10.10.194.250?

Just to let you know, if this interface belongs to the standby device the config is incorrect, because both devices have to be configured the same way, and as you wrote in the post the secondary device should get the IP address 10.10.194.253 when failover occurs, so I think that is the problem:

interface GigabitEthernet0/0
 ip address 192.168.167.253 255.255.255.0 standby 192.168.167.254

Let me know if this makes a difference,

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Primary firewall config

interface GigabitEthernet0/1
 description APPS -
 speed 1000
 duplex full
 nameif apps
 security-level 95
 ip address 10.10.194.254 255.255.255.0 standby 10.10.194.253

failover
failover lan unit primary
failover lan interface FAILOVER GigabitEthernet0/3
failover link FAILOVER GigabitEthernet0/3
failover interface ip FAILOVER 10.10.30.1 255.255.255.252 standby 10.10.30.2

Secondary firewall config

interface GigabitEthernet0/1
 description
 speed 1000
 duplex full
 nameif apps
 security-level 95
 ip address 10.10.194.250 255.255.255.0 standby 10.10.194.251 <<<<<<<<<<<<<<<<<<<<<

failover
failover lan unit secondary
failover lan interface FAILOVER GigabitEthernet0/3
failover link FAILOVER GigabitEthernet0/3
failover interface ip FAILOVER 10.10.30.1 255.255.255.252 standby 10.10.30.2

Hello Kunal,

On the secondary you have configured interface Gi0/1 differently from the primary. Please change it on the one that is incorrect, because on the primary you are letting it know that if something happens (failover) it should use 10.10.194.253 as the standby IP address, BUT on the standby unit you have configured the IP as 10.10.194.251.

So change that and everything will work.

Please rate helpful comments,

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

But the question here is: if I configured the primary as below, the secondary should get the configuration automatically, right?

Primary router

interface GigabitEthernet0/1
 description APPS -
 speed 1000
 duplex full
 nameif apps
 security-level 95
 ip address 10.10.194.254 255.255.255.0 standby 10.10.194.253

So the secondary should get the IP 10.10.194.253. Why is it getting 10.10.194.250?

Thanks

Hi Kunal,

Whenever you are configuring failover, you just need these 6-7 commands on the secondary:

ASA(config)# failover lan unit secondary
ASA(config)# failover lan interface FAILOVER GigabitEthernet0/3
ASA(config)# failover interface ip FAILOVER 10.10.30.1 255.255.255.252 standby 10.10.30.2
ASA(config)# interface GigabitEthernet0/3
ASA(config-if)# no shut
ASA(config-if)# exit
ASA(config)# failover

Remember, the order of these commands is very important; they should be entered in the same order as above.
The failover command should be used at the end.

You need not configure any other command on the secondary ASA, only these. The moment you enter "failover", the two firewalls will start syncing up.

Do not configure anything else on the secondary firewall.

Hope that helps.

Thanks,
Varun

Thanks,
Varun Rao
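The two checks the thread boils down to, as an added example that is not part of any post above: Julio's comparison of the two units' interface stanzas (the standby's running config is a replicated copy of the active's, so the stanzas must be identical), and the verification implied by Varun's procedure (after `failover`, the unit reported Active in `show failover` should hold each interface's main address and the other unit the `standby` address from the active's config). The function names are my own, and the sample config and `show failover` text are constructed from the apps and management interfaces posted in this thread.

```python
"""Consistency checks for an ASA active/standby pair (added example)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

INTERFACE_RE = re.compile(r"^interface (\S+)\s*$")
NAMEIF_RE = re.compile(r"^\s*nameif (\S+)\s*$")
IP_RE = re.compile(r"^\s*ip address (\S+) (\S+)(?: standby (\S+))?\s*$")
# "This host: Secondary - Standby Ready" / "Other host: Primary - Active"
HOST_RE = re.compile(r"^\s*(This|Other) host: (Primary|Secondary) - (.+?)\s*$")
# "Interface apps (10.10.194.251): Normal (Waiting)"
FO_IFACE_RE = re.compile(r"^\s*Interface (\S+) \(([\d.]+)\): (\S+)(?: \((.+)\))?\s*$")


@dataclass
class Iface:
    name: str                      # physical interface, e.g. GigabitEthernet0/1
    nameif: Optional[str] = None
    ip: Optional[str] = None
    mask: Optional[str] = None
    standby: Optional[str] = None


def parse_interfaces(config: str) -> Dict[str, Iface]:
    """Interface stanzas of a running-config, keyed by nameif."""
    ifaces: Dict[str, Iface] = {}
    cur: Optional[Iface] = None
    for line in config.splitlines():
        m = INTERFACE_RE.match(line)
        if m:
            cur = Iface(name=m.group(1))
            continue
        if cur is None:
            continue
        m = NAMEIF_RE.match(line)
        if m:
            cur.nameif = m.group(1)
            ifaces[cur.nameif] = cur
            continue
        m = IP_RE.match(line)
        if m:
            cur.ip, cur.mask, cur.standby = m.group(1), m.group(2), m.group(3)
    return ifaces


def compare_units(primary_cfg: str, secondary_cfg: str) -> List[str]:
    """Per-interface differences between the units. Replication copies the
    active's config to the standby, so any difference was entered by hand."""
    p, s = parse_interfaces(primary_cfg), parse_interfaces(secondary_cfg)
    problems: List[str] = []
    for nameif in sorted(set(p) | set(s)):
        if nameif not in s:
            problems.append(f"{nameif}: missing on secondary")
        elif nameif not in p:
            problems.append(f"{nameif}: present only on secondary")
        else:
            for field in ("name", "ip", "mask", "standby"):
                pv, sv = getattr(p[nameif], field), getattr(s[nameif], field)
                if pv != sv:
                    problems.append(f"{nameif}: {field} primary={pv} secondary={sv}")
    return problems


def parse_show_failover(output: str) -> Dict[str, dict]:
    """'This'/'Other' host blocks of `show failover`: unit, state, nameif -> IP."""
    hosts: Dict[str, dict] = {}
    cur = None
    for line in output.splitlines():
        m = HOST_RE.match(line)
        if m:
            cur = {"unit": m.group(2), "state": m.group(3), "ifaces": {}}
            hosts[m.group(1)] = cur
            continue
        m = FO_IFACE_RE.match(line)
        if m and cur is not None:
            cur["ifaces"][m.group(1)] = m.group(2)
    return hosts


def check_failover_addresses(active_cfg: str, show_failover: str) -> List[str]:
    """The Active unit must show each interface's main address and the other
    unit its standby address, exactly as the active unit's config says."""
    cfg = parse_interfaces(active_cfg)
    hosts = parse_show_failover(show_failover)
    active = [h for h in hosts.values() if h["state"].startswith("Active")]
    standby = [h for h in hosts.values() if not h["state"].startswith("Active")]
    if len(active) != 1 or len(standby) != 1:
        return ["could not identify exactly one Active and one Standby unit"]
    problems: List[str] = []
    for nameif, iface in cfg.items():
        if iface.ip is None:
            continue
        seen_a = active[0]["ifaces"].get(nameif)
        seen_s = standby[0]["ifaces"].get(nameif)
        if seen_a != iface.ip:
            problems.append(f"{nameif}: Active unit shows {seen_a}, config says {iface.ip}")
        if iface.standby and seen_s != iface.standby:
            problems.append(f"{nameif}: Standby unit shows {seen_s}, config says {iface.standby}")
    return problems


# Constructed sample input, reduced from the configs and `show failover`
# output posted in this thread (apps and management interfaces only).
PRIMARY_CFG = """\
interface GigabitEthernet0/1
 nameif apps
 security-level 95
 ip address 10.10.194.254 255.255.255.0 standby 10.10.194.253
!
interface Management0/0
 nameif management
 security-level 100
 ip address 10.20.197.13 255.255.255.0 standby 10.20.197.14
"""
SECONDARY_CFG = PRIMARY_CFG.replace("10.10.194.254", "10.10.194.250").replace(
    "10.10.194.253", "10.10.194.251")
SHOW_FAILOVER = """\
        This host: Secondary - Standby Ready
                  Interface apps (10.10.194.251): Normal (Waiting)
                  Interface management (10.20.197.14): Normal
        Other host: Primary - Active
                  Interface apps (10.10.194.250): Normal (Waiting)
                  Interface management (10.20.197.13): Normal
"""

if __name__ == "__main__":
    for line in compare_units(PRIMARY_CFG, SECONDARY_CFG):
        print("config mismatch:", line)
    for line in check_failover_addresses(PRIMARY_CFG, SHOW_FAILOVER):
        print("failover view:", line)
```

Feed it `show running-config interface` from both units and `show failover` from either one. Configuration replication on the ASA runs only from the active unit to the standby; commands entered on the standby are not sent back to the active, so when the two stanzas differ it is the standby's copy that has to be corrected (or, as Varun describes, the secondary is left with only its failover commands and the sync overwrites the rest).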