11-13-2011 09:12 AM - edited 03-11-2019 02:49 PM
Hi,
10.10.194.254 is the interface IP on nameif apps, and the standby configured on this router is 10.10.194.253.
But the secondary firewall is not pulling the config from the primary firewall, and it is taking the IP 10.10.194.250 instead of 10.10.194.253.
I can ping both failover interface IPs.
firewallB#
interface GigabitEthernet0/1
description APPS
speed 1000
duplex full
nameif apps
security-level 95
ip address 10.10.194.250 255.255.255.0 standby 10.10.194.251
firewall-A
firewall-A# sh ip | incl FAILOVER
GigabitEthernet0/3 FAILOVER 10.10.30.1 255.255.255.252 unset
GigabitEthernet0/3 FAILOVER 10.10.30.1 255.255.255.252 unset
firewall-B# sh ip | incl FAILOVER
GigabitEthernet0/3 FAILOVER 10.10.30.1 255.255.255.252 unset
GigabitEthernet0/3 FAILOVER 10.10.30.2 255.255.255.252 unset
firewall-A# PING 10.10.30.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.10.30.2, timeout is 2 seconds:
!!!!!
FIREWALLA# sh failover state
State Last Failure Reason Date/Time
This host - Secondary
Standby Ready Ifc Failure 04:41:41 EST Nov 13 2011
management: Failed
Other host - Primary
Active Comm Failure 20:58:19 EST Oct 28 2011
====Configuration State===
Sync Done - STANDBY
====Communication State===
Mac set
FIREWALLA# show failover interface
interface FAILOVER GigabitEthernet0/3
System IP Address: 10.10.30.1 255.255.255.252
My IP Address : 10.10.30.2
Other IP Address : 10.10.30.1
firewallA# show failover statistic
tx:2461308
rx:5093552
CFWINT1A# show failover statistic
tx:2461313
rx:5093567
firewallA# sh failover
Failover On
Failover unit Secondary
Failover LAN Interface: FAILOVER GigabitEthernet0/3 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 3 of 250 maximum
Version: Ours 8.2(1), Mate 8.2(1)
Last Failover at: 20:58:04 EST Oct 28 2011
This host: Secondary - Standby Ready
Active time: 38 (sec)
slot 0: ASA5540 hw/sw rev (2.0/8.2(1)) status (Up Sys)
Interface dmz (192.168.167.249): Normal (Waiting)
Interface apps (10.10.194.251): Normal (Waiting)
Interface fcn (207.194.137.227): Normal (Not-Monitored)
Interface dcn (204.50.68.253): Normal (Not-Monitored)
Interface management (10.20.197.14): Normal
slot 1: empty
Other host: Primary - Active
Active time: 1348715 (sec)
slot 0: ASA5540 hw/sw rev (2.0/8.2(1)) status (Up Sys)
Interface dmz (192.168.167.248): Normal (Waiting)
Interface apps (10.10.194.250): Normal (Waiting)
Interface fcn (207.194.137.218): Normal (Not-Monitored)
Interface dcn (204.50.68.254): Normal (Not-Monitored)
Interface management (10.20.197.13): Normal
slot 1: empty
Stateful Failover Logical Update Statistics
Link : FAILOVER GigabitEthernet0/3 (up)
Stateful Obj     xmit      xerr   rcv       rerr
General          169060    0      5227919   2029415
sys cmd          169060    0      169060    0
up time          0         0      0         0
RPC services     0         0      0         0
TCP conn         0         0      620125    309349
UDP conn         0         0      2018108   1719440
ARP tbl          0         0      2420626   626
Xlate_Timeout    0         0      0         0
VPN IKE upd      0         0      0         0
VPN IPSEC upd    0         0      0         0
VPN CTCP upd     0         0      0         0
VPN SDI upd      0         0      0         0
VPN DHCP upd     0         0      0         0
SIP Session      0         0      0         0
Logical Update Queue Information
           Cur   Max   Total
Recv Q:    0     6     6496542
Xmit Q:    0     1     169060
interface GigabitEthernet0/0
description DMZ - CSWDMZ1A-2/0/10
speed 1000
duplex full
nameif dmz
security-level 50
ip address 192.168.167.254 255.255.255.0 standby 192.168.167.253
!
interface GigabitEthernet0/1
description APPS -
speed 1000
duplex full
nameif apps
security-level 95
ip address 10.10.194.254 255.255.255.0 standby 10.10.194.253
!
!
interface GigabitEthernet0/3
description LAN/STATE Failover Interface
speed 1000
duplex full
!
interface Management0/0
nameif management
security-level 100
ip address 10.20.197.13 255.255.255.0 standby 10.20.197.14
management-only
Am I missing something?
Please help.
11-13-2011 11:27 AM
Hello Kunal,
Can you post the running-config of both devices so we can take a deeper look into this issue? Also, which device has this IP address: 10.10.194.250?
Just to let you know, if these interfaces belong to the standby device, the config is incorrect, because both devices have to be configured the same way and, as you wrote in the post, the secondary device should get the IP address 10.10.194.253 when failover occurs, so I think that is the problem.
interface GigabitEthernet0/0
ip address 192.168.167.253 255.255.255.0 standby 192.168.167.254
Let me know if this makes a difference,
Regards,
Julio
11-13-2011 05:33 PM
Primary- firewall-config
interface GigabitEthernet0/1
description APPS -
speed 1000
duplex full
nameif apps
security-level 95
ip address 10.10.194.254 255.255.255.0 standby 10.10.194.253
failover
failover lan unit primary
failover lan interface FAILOVER GigabitEthernet0/3
failover link FAILOVER GigabitEthernet0/3
failover interface ip FAILOVER 10.10.30.1 255.255.255.252 standby 10.10.30.2
secondary firewall-config
interface GigabitEthernet0/1
description
speed 1000
duplex full
nameif apps
security-level 95
ip address 10.10.194.250 255.255.255.0 standby 10.10.194.251 <<<<<<<<<<<<<<<<<<<<<
failover
failover lan unit secondary
failover lan interface FAILOVER GigabitEthernet0/3
failover link FAILOVER GigabitEthernet0/3
failover interface ip FAILOVER 10.10.30.1 255.255.255.252 standby 10.10.30.2
11-13-2011 06:18 PM
Hello Kunal,
On the secondary you have configured interface Gb0/1 differently from the primary. Please change that on the one that is incorrect, because on the primary you are letting it know that if something happens (failover) it should use 10.10.194.253 as the standby IP address, BUT on the standby unit you have configured the IP as 10.10.194.251.
So change that and everything will work.
Please rate helpful comments,
Regards,
Julio
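The mismatch described in this reply can be checked mechanically by comparing the `ip address ... standby ...` line of every interface in the two units' saved running-configs. This is an added example, not code from any poster in the thread; the function names are hypothetical and the two sample configs are constructed from the addresses quoted above.

```python
import re

# Constructed sample input, based on the interface stanzas quoted in the thread.
PRIMARY = """\
interface GigabitEthernet0/1
 nameif apps
 security-level 95
 ip address 10.10.194.254 255.255.255.0 standby 10.10.194.253
interface Management0/0
 nameif management
 ip address 10.20.197.13 255.255.255.0 standby 10.20.197.14
"""
SECONDARY = """\
interface GigabitEthernet0/1
 nameif apps
 security-level 95
 ip address 10.10.194.250 255.255.255.0 standby 10.10.194.251
interface Management0/0
 nameif management
 ip address 10.20.197.13 255.255.255.0 standby 10.20.197.14
"""

# Matches "ip address <active> <mask> [standby <standby>]"; trailing text is ignored.
IP_LINE = re.compile(r"\s*ip address (\S+) (\S+)(?: standby (\S+))?")

def interface_addresses(config):
    """Map interface name -> (active ip, mask, standby ip or None)."""
    result, current = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
        elif current and (m := IP_LINE.match(line)):
            result[current] = m.groups()
    return result

def addressing_drift(primary_cfg, secondary_cfg):
    """Return interfaces whose active/standby addressing differs between units."""
    a = interface_addresses(primary_cfg)
    b = interface_addresses(secondary_cfg)
    return {name: (a.get(name), b.get(name))
            for name in sorted(a.keys() | b.keys())
            if a.get(name) != b.get(name)}

if __name__ == "__main__":
    for name, (pri, sec) in addressing_drift(PRIMARY, SECONDARY).items():
        print(f"{name}: primary={pri} secondary={sec}")
```

An empty result means both units carry the same interface addressing; any entry names an interface to review before relying on the pair.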
11-13-2011 07:14 PM
But the question here is: if I configured the primary as below, the secondary should get the configuration automatically, right?
Primary router
interface GigabitEthernet0/1
description APPS -
speed 1000
duplex full
nameif apps
security-level 95
ip address 10.10.194.254 255.255.255.0 standby 10.10.194.253
So the secondary should get the IP 10.10.194.253. Why is it getting 10.10.194.250?
Thanks
11-13-2011 10:42 PM
Hi Kunal,
Whenever you are configuring failover, you just need these 6-7 commands on the secondary:
ASA(config)#failover lan unit secondary
ASA(config)#failover lan interface FAILOVER Gigabitethernet0/3
ASA(config)#failover interface ip FAILOVER 10.10.30.1 255.255.255.252 standby 10.10.30.2
ASA(config)#interface GigabitEthernet0/3
ASA(config-if)#no shut
ASA(config-if)#exit
ASA(config)# failover
Remember the order of these commands is very important; it should be in the same order as above.
Failover command should be used at the end.
You need not configure any other command on the secondary ASA, only these. The moment you enter
"failover", the two firewalls would start syncing up.
Do not configure anything else on secondary firewall.
Hope that helps.
Thanks,
Varun