Cisco Support Community

New Member

stateful Failover not functioning correctly

I have a pair of ASA5520's configured for failover. The OS, interfaces, and configuration on both devices are identical apart from the IP addresses. There are 8 interfaces in each device, failover is monitoring every interface, and the criterion is that 1 interface failure would trigger the failover. When I test the failover, this is what happens:

1) If I fail the switch that the ASA connects to, failover does not occur.

2) If I power off the primary ASA, the secondary unit becomes active.

3) If both firewalls are on and I force the secondary unit to failover active, both primary and secondary stay active.

Am I missing something obvious? Would anyone be able to help me resolve this issue, please?

Many thanks

Keith

16 REPLIES

Re: stateful Failover not functioning correctly

Keith-

How are your ASA's connected for failover (i.e. LAN based/cable based)? If they are LAN based, are you using a cross-over cable between the two or do they go through a switch?

New Member

Re: stateful Failover not functioning correctly

They are LAN based, connected through a switch - all the interfaces are connected to various VLANs configured on switches - I can ping the IP address on the failover interface.

Re: stateful Failover not functioning correctly

A single switch or are they redundant as well?

New Member

Re: stateful Failover not functioning correctly

Yes, they are redundant as well - a pair of 4500's with a 10G link between them.

sh failover on primary and standby firewalls looks good.

Re: stateful Failover not functioning correctly

When you fail a switch, you can fail either one of the 4500's and the ASA's do not fail over properly, correct?

New Member

Re: stateful Failover not functioning correctly

Yes, that's correct - the only way that failover seems to work is if I power off the primary unit. The secondary then becomes active.

Re: stateful Failover not functioning correctly

Could you post the following?

show failover

show failover interface

show interface [of the failover interfaces]

New Member

Re: stateful Failover not functioning correctly

Posted show failover.

Re: stateful Failover not functioning correctly

Everything looks good there. The 192.168.54.0 /30 network is not in the routing table of the 4500's right?

New Member

Re: stateful Failover not functioning correctly

No, they are configured on a separate VLAN just for the failover interfaces.

Re: stateful Failover not functioning correctly

I figured that, but just thought I would ask. When you fail one of the switches, can you ping between the ASA's on the failover interface?

Ping 192.168.52.1 to 192.168.52.2 and vice versa?

New Member

Re: stateful Failover not functioning correctly

yes

Re: stateful Failover not functioning correctly

You shouldn't be able to. Is this in a lab? If so how about running an ICMP debug?

New Member

Re: stateful Failover not functioning correctly

Apologies, Collin - I didn't read your reply properly - it's the 192.168.54 failover addresses that I can ping - I cannot ping any of the monitored interface addresses - these are in a live environment, so I am limited with regard to testing until out of customer working hours.

New Member

Re: stateful Failover not functioning correctly

Collin -

When the ASA's are both up, I can ping 192.168.54.1 from 192.168.54.2 and vice versa... when they are failed over I can't ping.

Re: stateful Failover not functioning correctly

A single switch or are they redundant as well?
