I have a pair of ASA5520s configured for failover. The OS, interfaces, and configuration on both devices are identical apart from the IP addresses. There are 8 interfaces in each device, failover is monitoring every interface, and the criteria is that 1 interface failure would trigger the failover. When I test the failover, this is what happens:
1) If I fail the switch that the ASA connects to, failover does not occur.
2) If I power off the primary ASA, the secondary unit becomes active.
3) If both firewalls are on and I force the secondary unit to failover active, both primary and secondary stay active.
Am I missing something obvious? Would anyone be able to help me resolve this issue, please?
How are your ASAs connected for failover (i.e. LAN based/cable based)? If they are LAN based, are you using a cross-over cable between the two or do they go through a switch?
They are LAN based, connected through a switch. All the interfaces are connected to various VLANs configured on switches. I can ping the IP address on the failover interface.
Yes, they are redundant as well: a pair of 4500s with a 10G link between them.
sh failover on the primary and standby firewalls looks good.
Yes, that's correct. The only way that failover seems to work is if I power off the primary unit. The secondary then becomes active.
I figured that, but just thought I would ask. When you fail one of the switches, can you ping between the ASAs on the failover interface?
ping 192.168.52.1 to 192.168.52.2 and vice versa?
Apologies Collin, I didn't read your reply properly. It's the 192.168.54 failover addresses that I can ping. I cannot ping any of the monitored interface addresses. These are in a live environment, so I am limited with regard to testing until out of customer working hours.
When the ASAs are both up, I can ping 192.168.54.1 from 192.168.54.2 and vice versa. When they are failed over I can't ping.